tmendez2
The security database on the server does not have a computer account for this workstation trust relationship.
Ok. So I am getting the following error message when I try to log into one of our Windows 7 client PCs:
The security database on the server does not have a computer account for this workstation trust relationship.
After reading through some of the other posts, I'm pretty sure disjoining the PC from the domain and then rejoining it should solve the issue. However, how can I disjoin the PC from the domain by switching the computer to use a workgroup if I can't log in? I tried logging in as COMPUTERNAME\Administrator, but I get the following error message:
Your account has been disabled. Please see your system administrator.
Note that the PC has been removed from the AD on our SBS 2011 machine.
BTW. Administrator is disabled by default, you must use the administrative user you created at the first setup. Safe mode might help you find this user and login to continue the other steps.
ASKER
Hmmm. I thought I knew which user/password I created at the first setup, but I guess I was wrong. I was going to try and use safe mode to try and find this user and login to continue, but every time I try to start in safe mode, the computer reboots ten seconds after I get to the login screen. Any explanations, suggestions?
ASKER
Ok. I was able to use the bootable CD to reset the localadmin password. I then removed the computer from the domain. I then rejoined the computer to the domain using http://connect. I'm still getting the same error message when I try to log in as a user of the domain. Also, in the SBS console the PC has "Unknown - No Computer is mapped to this computer account (dnsHostName is empty)." under "Status". Any idea why I still might be getting this error?
At this point it sounds as if you have bigger problems. I would suggest running Active Directory Diagnostics on the server.
Please open a command prompt and type dcdiag /v and post the output to this thread.
When you removed the computer from the domain did you delete the computer account from the SBS console, or AD?
Best bet when rejoining a domain is to rename the computer to avoid any conflicts, even if it is just adding a letter or number to the end of the computer name. If no other computers are having issues I suspect rejoining again would be a good idea. When doing so it is also a good idea on the PC, after disjoining the domain, to remove the C:\Program Files\Windows Small Business Server folder and the following registry key: HKLM\software\Microsoft\SmallBusinessServer
Your best bet to log on to this PC is to disconnect it from the network and then log in using a domain user account that has logged onto that PC before - ideally Domain Admin. This will let you log in with cached credentials and sidestep the problem of the computer account not being trusted / not existing in AD.
If you would like to test to ensure that the secure channel communication is the issue without removing and rejoining the domain you can use NLtest from the DC.
http://support.microsoft.com/kb/158148
Example Output from Nltest.exe
As an example, suppose the TESTD domain trusts the ESS domain, and a computer running Windows NT Workstation called TEST3 is a member of the TESTD domain.
NLTEST can be used to show this trust relationship.
C:\>nltest /trusted_domains
Trusted domain list:
ESS
The command completed successfully
To determine the domain controllers in the TESTD domain:
C:\>nltest /dclist:testd
List of DCs in Domain testd
\\TEST2 (PDC)
\\TEST1
The command completed successfully
To determine the domain controllers in the ESS domain:
C:\>nltest /dclist:ess
List of DCs in Domain ess
\\NET1 (PDC)
The command completed successfully
Below are the secure channels between each domain controller in TESTD and a DC in the ESS domain.
C:\>nltest /server:test1 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
C:\>nltest /server:test2 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
The workstation that is a member of the TESTD domain has an implicit trust with a domain controller.
C:\>nltest /server:test3 /sc_query:testd
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\TEST2
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
To determine if a domain controller can authenticate a user account:
C:\>nltest /whowill:ESS bob
[20:58:55] Mail message 0 sent successfully
(\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
The command completed successfully
C:\>nltest /whowill:testd test
[21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
[21:26:15] Mail message 0 sent successfully
(\MAILSLOT\NET\GETDC295)
The command completed successfully
NLTEST can be used to find a trusted domain that has a given user account.
C:\>nltest /finduser:sweppler
Domain Name: ESS
Trusted DC Name \\NET1
The command completed successfully
To verify the status of BDC synchronization:
C:\>nltest /bdc_query:testd
Server : \\TEST1
SyncState : IN_SYNC
ConnectionState : Status = 0 0x0 NERR_Success
The command completed successfully
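Added example, not part of any post in this thread: a PowerShell check, run from the DC, that combines the nltest secure channel query suggested above with a look at the workstation's computer account, including the dNSHostName attribute the SBS console reported as empty. The names WORKSTATION01 and CONTOSO are placeholders, and the ActiveDirectory module is assumed to be installed on the DC.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
# Both default values below are hypothetical placeholders.
param(
    [string]$Computer = 'WORKSTATION01',   # workstation that fails to log on
    [string]$Domain   = 'CONTOSO'          # NetBIOS name of the domain
)

Import-Module ActiveDirectory

# 1. Does the computer account exist, is it enabled, and is dNSHostName set?
$account = Get-ADComputer -Filter "Name -eq '$Computer'" `
    -Properties dNSHostName, PasswordLastSet

if (-not $account) {
    # Matches the logon error quoted in the question: no account to trust.
    Write-Warning "No computer account named $Computer exists in AD."
} else {
    $account | Select-Object Name, Enabled, dNSHostName, PasswordLastSet |
        Format-List
    if (-not $account.dNSHostName) {
        # Same condition the SBS console reports as "dnsHostName is empty".
        Write-Warning "Account exists but dNSHostName is empty."
    }
}

# 2. Ask the workstation for the state of its secure channel to the domain,
#    using the same /sc_query form shown in the KB output above.
$output = & nltest.exe "/server:$Computer" "/sc_query:$Domain" 2>&1
$output

if ($LASTEXITCODE -ne 0 -or -not ($output -match 'NERR_Success')) {
    Write-Warning "Secure channel from $Computer to $Domain is not healthy."
}
```

On the workstation itself, once a local administrator can log on, `Test-ComputerSecureChannel` reports the same secure channel state locally.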
2. right click "computer" -> properties -> advanced system settings (on the left) -> computer name (tab) -> "change" button and switch to workgroup.
3. run the domain connection wizard from http://connect/
Good luck!