Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2301
  • Last Modified:

The security database on the server does not have a computer account for this workstation trust relationship.

Ok. So I am getting the following error message when I try to log into one of our Windows 7 client PC's:

The security database on the server does not have a computer account for this workstation trust relationship.

After reading through some of the other posts, I'm pretty sure disjoining the PC from the domain and then rejoining it should solve the issue.  However, how can I disjoin the PC from the domain by switching the computer to use a workgroup if I can't log in?  I tried logging in as COMUPTERNAME\Administrator, but I get the following error message:

Your account has been disabled.  Please see your system administrator.

Note that the PC has been removed from the AD on our SBS 2011 machine.
0
tmendez2
Asked:
tmendez2
  • 3
  • 2
  • 2
  • +2
1 Solution
 
V4705Commented:
1.login screen-> "switch user" -> "other user", in the username field use "computername\localadmin" when the computername is your computername, and localadmin is a user with administrative privileges.

2. right click "computer" -> properties -> advanced system settings (on the left) -> computer name (tab) -> "change" button and switch to workgroup.

3. run the domain connection wizard from http://connect/

Good luck!
0
 
V4705Commented:
BTW. Administrator is disabled by default, you must use the administrative user you created at the first setup. Safe mode might help you find this user and login to continue the other steps.

0
 
tmendez2Author Commented:
Hmmm.  I thought I knew which user/password I created at the first setup, but I guess I was wrong.  I was going to try and use safe mode to try and find this user and login to continue, but every time I try to start in safe mode, the computer reboots ten seconds after I get to the login screen.  Any explanations, suggestions?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
itguy565Commented:
Please try the following..

http://pogostick.net/~pnh/ntpasswd/

This link gives you the steps to create a bootable CD/ DVD that will allow you to reset the administrator password by booting off the CD / DVD
0
 
tmendez2Author Commented:
Ok.  I was able to use the bootable CD to reset the localadmin password.  I then removed the computer from the domain.  I then rejoined the computer to the domain using http://connect.  I'm still getting the same error message when I try to log in as a user of the domain. Also, in the SBS console the PC has "Unknown - No Computer is mapped to this computer account (dnsHostName is empty)." under "Status".  Any idea why I still might be getting this error?
0
 
itguy565Commented:
At this point it sounds as if you have bigger problems. I would suggest running Active Directory Diagnostics on the server.


Please open a command prompt and type dcdiag /v and post the output to this thread.

0
 
Rob WilliamsCommented:
When you removed the computer from the domain did you delete the computer account form the SBS console, or AD?
Best bet when rejoing a domain is to rename the computer to avoid any conflicts, even if it is just adding a letter or number to the end of the computer name. If no other computers are having issues I suspect rejoining again would be a good idea. When doing so it is also a good idea on the PC, after disjoining the domain, to remove the C:\Program Files\Windows Small Business server folder and the following registry key: HKLM\software\Microsoft\SmallBusinessServer
0
 
marcustechCommented:
Your best bet to log on to this PC is to disconnect it from the network and then log in using a domain user account that has logged onto that PC before - ideally Domain Admin.  This will let you log in with cached credentials and sidestep the problem of the computer account not being trusted / not existing in AD.
0
 
itguy565Commented:
If you would like to test to ensure that the secure channel communication is the issue without removing and rejoining the domain you can use NLtest from the DC.

http://support.microsoft.com/kb/158148


Example Output from Nltest.exe
As an example, suppose the TESTD domain trusts the ESS domain, and a computer running Windows NT Workstation called TEST3 is a member of the TESTD domain.

NLTEST can be used to show this trust relationship.
   C:\>nltest /trusted_domains
   Trusted domain list:
      ESS
   The command completed successfully
                        

To determine the domain controllers in the TESTD domain:
   C:\>nltest /dclist:testd
   List of DCs in Domain testd
      \\TEST2 (PDC)
      \\TEST1
   The command completed successfully
                        

To determine the domain controllers in the ESS domain:
   C:\>nltest /dclist:ess
   List of DCs in Domain ess
      \\NET1 (PDC)
   The command completed successfully
                        

Below are the secure channels between each domain controller in TESTD and a DC in the ESS domain.
   C:\>nltest /server:test1 /sc_query:ess
   Flags: 0
   Connection Status = 0 0x0 NERR_Success
   Trusted DC Name \\NET1
   Trusted DC Connection Status Status = 0 0x0 NERR_Success
   The command completed successfully

   C:\>nltest /server:test2 /sc_query:ess
   Flags: 0
   Connection Status = 0 0x0 NERR_Success
   Trusted DC Name \\NET1
   Trusted DC Connection Status Status = 0 0x0 NERR_Success
   The command completed successfully
                        

The workstation that is a member of the TESTD domain has an implicit trust with a domain controller.
   C:\>nltest /server:test3 /sc_query:testd
   Flags: 0
   Connection Status = 0 0x0 NERR_Success
   Trusted DC Name \\TEST2
   Trusted DC Connection Status Status = 0 0x0 NERR_Success
   The command completed successfully
                        

To determine if a domain controller can authenticate a user account:
   C:\>nltest /whowill:ESS bob
   [20:58:55] Mail message 0 sent successfully
   (\MAILSLOT\NET\GETDC939)
   [20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
   The command completed successfully

   C:\>nltest /whowill:testd test
   [21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
   [21:26:15] Mail message 0 sent successfully
   (\MAILSLOT\NET\GETDC295)
   The command completed successfully
                        

NLTEST can be used to find a trusted domain that has a given user account.
   C:\>nltest /finduser:sweppler
   Domain Name: ESS
   Trusted DC Name \\NET1
   The command completed successfully
                        

To verify the status of BDC synchronization:
   C:\>nltest /bdc_query:testd
   Server : \\TEST1
      SyncState : IN_SYNC
      ConnectionState : Status = 0 0x0 NERR_Success
   The command completed successfully
                        

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 3
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now