Solved

Lost trust on a domain controller

Posted on 2011-09-21
8
1,599 Views
Last Modified: 2012-05-12
I renamed a DC using netdom. The command completed successfully, but after I rebooted and tried to login, I get:

The security database on the server does not have a computer account for this workstation trust relationship

I know that this can be resolved by removing the server from the domain and re-adding it, but how do I fix the error on a domain controller?
0
Comment
Question by:CorinneSpears
  • 4
  • 3
8 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 36577058
0
 

Author Comment

by:CorinneSpears
ID: 36577200
Yes, I'm at step 4 and it failed. I renamed 3 DC's over the last week allowing 24 hours between each rename. This is the last DC, and of course, the problematic one.
0
 
LVL 4

Accepted Solution

by:
Felicia King earned 500 total points
ID: 36577850
Why not just demote the server and then repromote it using DCPromo.exe?
I know it sounds extreme, but what will you lose in the process if you do it off hours?
netdom.exe doesn't always work, but if you haven't tried that, then please do.
0
 

Author Comment

by:CorinneSpears
ID: 36583472
The problem is I can't log onto the server anymore. Since it lost it's trust, domain accounts don't work, and by default server 2008 disabled the local admin account.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 4

Expert Comment

by:Felicia King
ID: 36583565
If the server is a domain controller, it doesn't require trust to logon. You should be able to pull the network cable and logon with any of the domain admin accounts. Remember that domain accounts on a domain controller ARE local accounts as far as the server is concerned. The AD database on a DC is just like the local SAM database on a member server or workstation. It may be checking with the other DCs if the network cable is in though. If you pull the network cable, you might be able to trick it and let you logon with cached credentials.
0
 

Author Comment

by:CorinneSpears
ID: 36583719
With the cable unplugged, if I try to login with a domain account (one that has logged in before or not) I get:

The security database on the server does not have a computer account for this workstation trust relationship.

If I try to login with the administrator account and the password from before I dcpromo'd it, I get:

Your account has been disabled. Please see your system administrator.
0
 
LVL 4

Expert Comment

by:Felicia King
ID: 36583756
I regularly use Active Boot Pro to reset and/or enable local admin accounts.
http://www.ntfs.com/bootdisk_quest_proversions.htm
However, I have never tried it on a server with RAID. It very well might not be able to see the drives that are attached to the RAID controller as it might not have the RAID drivers necessary. Otherwise, the product works like a champ.
Is there possibility of booting into DS restore mode and trying a non-authoritative restore of AD? Not sure if that would do anything, but I would try it before rebuilding the server from scratch.
0
 

Author Closing Comment

by:CorinneSpears
ID: 36600964
To gain access to the server, I logged into another domain controller and manually created a computer account with the same name as the new name I had added to the server, the one I was trying to change to. I had to wait 4 hours for replication, but then I was able to log into the domain controller. Then, I dcpromo'd it, removed all the additional netbios names, and re-promoted it.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now