[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Lost trust on a domain controller

Posted on 2011-09-21
8
Medium Priority
?
1,717 Views
Last Modified: 2012-05-12
I renamed a DC using netdom. The command completed successfully, but after I rebooted and tried to login, I get:

The security database on the server does not have a computer account for this workstation trust relationship

I know that this can be resolved by removing the server from the domain and re-adding it, but how do I fix the error on a domain controller?
0
Comment
Question by:CorinneSpears
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 36577058
0
 

Author Comment

by:CorinneSpears
ID: 36577200
Yes, I'm at step 4 and it failed. I renamed 3 DC's over the last week allowing 24 hours between each rename. This is the last DC, and of course, the problematic one.
0
 
LVL 4

Accepted Solution

by:
Felicia King earned 2000 total points
ID: 36577850
Why not just demote the server and then repromote it using DCPromo.exe?
I know it sounds extreme, but what will you lose in the process if you do it off hours?
netdom.exe doesn't always work, but if you haven't tried that, then please do.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:CorinneSpears
ID: 36583472
The problem is I can't log onto the server anymore. Since it lost it's trust, domain accounts don't work, and by default server 2008 disabled the local admin account.
0
 
LVL 4

Expert Comment

by:Felicia King
ID: 36583565
If the server is a domain controller, it doesn't require trust to logon. You should be able to pull the network cable and logon with any of the domain admin accounts. Remember that domain accounts on a domain controller ARE local accounts as far as the server is concerned. The AD database on a DC is just like the local SAM database on a member server or workstation. It may be checking with the other DCs if the network cable is in though. If you pull the network cable, you might be able to trick it and let you logon with cached credentials.
0
 

Author Comment

by:CorinneSpears
ID: 36583719
With the cable unplugged, if I try to login with a domain account (one that has logged in before or not) I get:

The security database on the server does not have a computer account for this workstation trust relationship.

If I try to login with the administrator account and the password from before I dcpromo'd it, I get:

Your account has been disabled. Please see your system administrator.
0
 
LVL 4

Expert Comment

by:Felicia King
ID: 36583756
I regularly use Active Boot Pro to reset and/or enable local admin accounts.
http://www.ntfs.com/bootdisk_quest_proversions.htm
However, I have never tried it on a server with RAID. It very well might not be able to see the drives that are attached to the RAID controller as it might not have the RAID drivers necessary. Otherwise, the product works like a champ.
Is there possibility of booting into DS restore mode and trying a non-authoritative restore of AD? Not sure if that would do anything, but I would try it before rebuilding the server from scratch.
0
 

Author Closing Comment

by:CorinneSpears
ID: 36600964
To gain access to the server, I logged into another domain controller and manually created a computer account with the same name as the new name I had added to the server, the one I was trying to change to. I had to wait 4 hours for replication, but then I was able to log into the domain controller. Then, I dcpromo'd it, removed all the additional netbios names, and re-promoted it.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question