Solved

Lost trust on a domain controller

Posted on 2011-09-21
8
1,654 Views
Last Modified: 2012-05-12
I renamed a DC using netdom. The command completed successfully, but after I rebooted and tried to login, I get:

The security database on the server does not have a computer account for this workstation trust relationship

I know that this can be resolved by removing the server from the domain and re-adding it, but how do I fix the error on a domain controller?
0
Comment
Question by:CorinneSpears
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 36577058
0
 

Author Comment

by:CorinneSpears
ID: 36577200
Yes, I'm at step 4 and it failed. I renamed 3 DC's over the last week allowing 24 hours between each rename. This is the last DC, and of course, the problematic one.
0
 
LVL 4

Accepted Solution

by:
Felicia King earned 500 total points
ID: 36577850
Why not just demote the server and then repromote it using DCPromo.exe?
I know it sounds extreme, but what will you lose in the process if you do it off hours?
netdom.exe doesn't always work, but if you haven't tried that, then please do.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:CorinneSpears
ID: 36583472
The problem is I can't log onto the server anymore. Since it lost it's trust, domain accounts don't work, and by default server 2008 disabled the local admin account.
0
 
LVL 4

Expert Comment

by:Felicia King
ID: 36583565
If the server is a domain controller, it doesn't require trust to logon. You should be able to pull the network cable and logon with any of the domain admin accounts. Remember that domain accounts on a domain controller ARE local accounts as far as the server is concerned. The AD database on a DC is just like the local SAM database on a member server or workstation. It may be checking with the other DCs if the network cable is in though. If you pull the network cable, you might be able to trick it and let you logon with cached credentials.
0
 

Author Comment

by:CorinneSpears
ID: 36583719
With the cable unplugged, if I try to login with a domain account (one that has logged in before or not) I get:

The security database on the server does not have a computer account for this workstation trust relationship.

If I try to login with the administrator account and the password from before I dcpromo'd it, I get:

Your account has been disabled. Please see your system administrator.
0
 
LVL 4

Expert Comment

by:Felicia King
ID: 36583756
I regularly use Active Boot Pro to reset and/or enable local admin accounts.
http://www.ntfs.com/bootdisk_quest_proversions.htm
However, I have never tried it on a server with RAID. It very well might not be able to see the drives that are attached to the RAID controller as it might not have the RAID drivers necessary. Otherwise, the product works like a champ.
Is there possibility of booting into DS restore mode and trying a non-authoritative restore of AD? Not sure if that would do anything, but I would try it before rebuilding the server from scratch.
0
 

Author Closing Comment

by:CorinneSpears
ID: 36600964
To gain access to the server, I logged into another domain controller and manually created a computer account with the same name as the new name I had added to the server, the one I was trying to change to. I had to wait 4 hours for replication, but then I was able to log into the domain controller. Then, I dcpromo'd it, removed all the additional netbios names, and re-promoted it.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question