  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1743

Lost trust on a domain controller

I renamed a DC using netdom. The command completed successfully, but after I rebooted and tried to log in, I get:

The security database on the server does not have a computer account for this workstation trust relationship

I know that this can be resolved by removing the server from the domain and re-adding it, but how do I fix the error on a domain controller?
Asked by: CorinneSpears
1 Solution
 
KCTS Commented:
 
CorinneSpears (Author) Commented:
Yes, I'm at step 4 and it failed. I renamed 3 DC's over the last week allowing 24 hours between each rename. This is the last DC, and of course, the problematic one.
 
Felicia King Commented:
Why not just demote the server and then repromote it using DCPromo.exe?
I know it sounds extreme, but what will you lose in the process if you do it off hours?
netdom.exe doesn't always work, but if you haven't tried that, then please do.
 
CorinneSpears (Author) Commented:
The problem is I can't log onto the server anymore. Since it lost its trust, domain accounts don't work, and by default Server 2008 disabled the local admin account.
 
Felicia King Commented:
If the server is a domain controller, it doesn't require trust to logon. You should be able to pull the network cable and logon with any of the domain admin accounts. Remember that domain accounts on a domain controller ARE local accounts as far as the server is concerned. The AD database on a DC is just like the local SAM database on a member server or workstation. It may be checking with the other DCs if the network cable is in though. If you pull the network cable, you might be able to trick it and let you logon with cached credentials.
 
CorinneSpears (Author) Commented:
With the cable unplugged, if I try to log in with a domain account (one that has logged in before or not) I get:

The security database on the server does not have a computer account for this workstation trust relationship.

If I try to log in with the administrator account and the password from before I dcpromo'd it, I get:

Your account has been disabled. Please see your system administrator.
 
Felicia King Commented:
I regularly use Active Boot Pro to reset and/or enable local admin accounts.
http://www.ntfs.com/bootdisk_quest_proversions.htm
However, I have never tried it on a server with RAID. It very well might not be able to see the drives that are attached to the RAID controller as it might not have the RAID drivers necessary. Otherwise, the product works like a champ.
Is there a possibility of booting into DS restore mode and trying a non-authoritative restore of AD? Not sure if that would do anything, but I would try it before rebuilding the server from scratch.
 
CorinneSpears (Author) Commented:
To gain access to the server, I logged into another domain controller and manually created a computer account with the same name as the new name I had added to the server, the one I was trying to change to. I had to wait 4 hours for replication, but then I was able to log into the domain controller. Then, I dcpromo'd it, removed all the additional netbios names, and re-promoted it.
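The fix above hinged on the computer account for the new name existing on every DC before the renamed DC was rebooted. As an added check (example script, not from anyone in this thread), the following PowerShell queries each DC directly for that account, and also lists the alternate names netdom attaches to the old object, so you can see replication state before proceeding. It assumes the RSAT ActiveDirectory module; `NEWDCNAME` and `OLDDCNAME` are placeholders.

```powershell
# Added example: verify that the renamed DC's computer account has replicated to every DC
# before rebooting or logging on. NEWDCNAME / OLDDCNAME are placeholders, not real hosts.
Import-Module ActiveDirectory

$NewDcName = 'NEWDCNAME'   # placeholder: name set with "netdom computername ... /add"
$OldDcName = 'OLDDCNAME'   # placeholder: the DC's current (old) computer name

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $hasAccount = $false
    try {
        # -Server forces the lookup against this specific DC's own copy of the directory,
        # so a hit means the object has actually replicated there.
        $null = Get-ADComputer -Identity $NewDcName -Server $dc.HostName -ErrorAction Stop
        $hasAccount = $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $hasAccount = $false
    }
    [pscustomobject]@{ DC = $dc.HostName; HasAccount = $hasAccount }
}

$results | Format-Table -AutoSize

# netdom computername /add records the alternate names on the existing object; listing them
# shows what "removed all the additional netbios names" in the thread refers to.
Get-ADComputer -Identity $OldDcName -Properties msDS-AdditionalDnsHostName, msDS-AdditionalSamAccountName |
    Select-Object Name, msDS-AdditionalDnsHostName, msDS-AdditionalSamAccountName |
    Format-List

if ($results.HasAccount -contains $false) {
    Write-Warning "Account '$NewDcName' is not yet on all DCs; wait for replication before the next rename step."
} else {
    Write-Host "Account '$NewDcName' is present on all $($results.Count) DCs."
}
```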
