Solved

The trust relationship between the workstation and the primary domain failed

Posted on 2013-11-06
2,027 Views
Last Modified: 2013-11-28
I just added a 3rd domain controller to location 3 as a BDC, but now I have a user running Windows 7 that can't log in to their Windows computer at location 1. Location 2 is the PDC, and locations 1 and 3 are the BDCs.

I am running Windows 2008 as the primary DC; location 1 has 2003 Small Business Server and location 3 has Windows 2008.

The user is receiving the following error message: "The trust relationship between the workstation and the primary domain failed."

Please help me to resolve this issue.

Thanks
Question by:csciarro
10 Comments
 
LVL 26

Expert Comment

by:DrDave242
ID: 39628117
I am running Windows 2008 as the primary DC, Location one has 2003 Small Business server and location 3 has Windows 2008
What do you mean when you say "primary" DC? There's no technical definition of that term in an Active Directory domain, and it tends to mean different things to different people. The reason I'm asking is that you mentioned Small Business Server, which is quite picky about what functions it must perform in a domain. Any other configuration will cause it to throw a fit.

Regarding the specific problem you're having, if only one client is getting the error, the quickest fix will likely be to remove the affected client machine from the domain and re-join it.
 
LVL 9

Expert Comment

by:Zenvenky
ID: 39628161
Agree with DrDave; let me explain what exactly he is trying to tell you. You say primary DC: does it hold the PDCe role, or is it the first installed DC in the domain? When you say Small Business Server, I assume that you are talking about SBS 2003. In your scenario, if there is an SBS server it should hold all FSMO roles; no other DC shall have any roles other than DNS. Correct this first and then run repadmin /replsum to find any AD replication issues. If there are no errors, correct the Windows Time Server configuration using the link below. Once everything is fixed at the server end, restart the Windows 7 client to log in. If this doesn't fix the client issue, then unjoin and rejoin it to the domain.

Authoritative Time Server

Hope this helps you.
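The server-side checks Zenvenky lists above (FSMO placement, repadmin /replsum, and the time hierarchy), as an added example that is not part of his reply or the original thread. It is meant to be run in an elevated PowerShell on a domain controller as a Domain Admin (and Schema Admin if the schema master has to move). SBS01 and pool.ntp.org are placeholders, not names from the thread. netdom and repadmin are built into Server 2008; on Server 2003 they come from the Support Tools.

```powershell
# Added example, not from the thread. Run elevated on a DC as a Domain Admin.
# Placeholders, all assumptions: SBS01 = the SBS 2003 server, pool.ntp.org = the
# external time source.

# 1. Where are the five FSMO roles? On an SBS network all five must live on the SBS box.
netdom query fsmo

# 2. If step 1 shows a role elsewhere, TRANSFER (never seize while the holder is alive)
#    all five back. Run this on SBS01 itself; ntdsutil asks you to confirm each transfer.
#    ntdsutil "roles" "connections" "connect to server SBS01" "quit" `
#             "transfer pdc" "transfer rid master" "transfer infrastructure master" `
#             "transfer schema master" "transfer domain naming master" "quit" "quit"

# 3. Replication health for every DC. A non-zero "Fails" column must be fixed before
#    clients are rejoined: a new machine account that has not replicated to the DC the
#    client actually authenticates against produces the very same trust error.
repadmin /replsummary
repadmin /showrepl /errorsonly

# 4. Time. Only the PDC emulator syncs from an external source; every other DC and all
#    clients follow the domain hierarchy. Kerberos tolerates 5 minutes of skew by default,
#    and a client outside that window also fails logon.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
if ($pdc -like "$($env:COMPUTERNAME).*") {
    w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /nowait
w32tm /query /source          # Server 2008 / Vista and later only
w32tm /monitor                # compares every DC's clock against the PDC emulator
```

The ntdsutil line is left as a comment because it must be run on the role's destination (the SBS server) and prompts interactively; everything else is read-only except the w32tm configuration, which follows the rule that the PDC emulator is the only DC with an external source.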
 

Author Comment

by:csciarro
ID: 39628193
Ok. Recently a technician upgraded the domain controller at location 2 to be the primary and then made the SBS2003 a backup domain controller. Today I added another domain controller at location 3, which is running Windows Server 2008 so location 2 and 3 are fine but as you mentioned the SBS2003 is a pain.

What server do I run the repadmin /replsum? Which server do I run the Authoritative Time Server on?

I have 3 computers at location 1, which is running off of SBS2003 and are all having the same issues.

Thanks for your help guys!
 

Author Comment

by:csciarro
ID: 39628197
Also, when I was setting up the domain controller at location 3 it mentioned I needed to create a parent zone for DNS so where would I complete this and on what server?
 
LVL 26

Expert Comment

by:DrDave242
ID: 39628236
Recently a technician upgraded the domain controller at location 2 to be the primary and then made the SBS2003 a backup domain controller.
You should find out exactly what he did. If he moved any FSMO roles off of the SBS server to another DC, the SBS server isn't going to like this. It will place errors in its event logs for a while and will eventually start shutting itself down.
 
LVL 9

Expert Comment

by:Zenvenky
ID: 39628262
You can run repadmin on any DC, preferably on the SBS. Also make the SBS the authoritative time server, as it should hold the PDCe role, and the other 2 DCs shall point to the SBS for authoritative time sync.
 

Author Comment

by:csciarro
ID: 39628472
Based on what I know he made location 2 the primary and moved the FSMO roles to the second location. He also disabled that feature that shuts down the SBS2003. I don't want to run something on the SBS2003 server that will cause all Domain Controllers to fail.

Would it be simple to just unjoin and rejoin the 2 computers at location 1 to resolve this issue or will this not fix the issue?
 
LVL 26

Expert Comment

by:DrDave242
ID: 39628491
Based on what I know he made location 2 the primary and moved the FSMO roles to the second location. He also disabled that feature that shuts down the SBS2003.
That doesn't sound good. Any change that circumvents the normal SBS requirements (it must be a DC in the root domain, must have all the FSMO roles, etc.) puts it in an unsupported configuration.

Normally, I'd say go ahead and remove/rejoin the affected clients (and possibly reset their computer accounts in AD), but with SBS in that state, I'm really not sure whether that's going to fix the issue.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39629306
It seems to be a DNS name resolution issue. The error message "The trust relationship between this workstation and the primary domain failed" indicates that the secure channel between the client server and the DC is broken.

(1) Check the DNS entries.
DNS configuration on clients and member servers:
-----------------------------------
1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
2. Do not set a public DNS server in the TCP/IP settings of the WS.


(2) Check whether the Firewall service is ON or OFF.
Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

(3) Check the status of the Browser service.
It should be started.

(4) Check the status of the machine account in AD (it may be disabled).
If the machine account is disabled, enable it.

(5) Remove the server from the domain & re-add it to the domain, or else try using the netdom utility to reset the secure channel between the server & the domain controller:
http://support.microsoft.com/kb/260575

(6) Also check the DNS console for duplicate records for the host machine and remove them.


Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

Take a look at the below hotfix too. A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer (install if applicable): http://support.microsoft.com/kb/979495


Note: Ensure you point the DNS setting to an online DC. Rejoining the client computer to the domain should fix the issue.
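The client-side checks in Sandeshdubey's list (DNS, DC locator, Browser service, and resetting the secure channel with the netdom/KB 260575 approach), as an added example that is not part of his reply or the thread. It uses Test-ComputerSecureChannel, which Windows 7's PowerShell 2.0 ships with, in place of netdom resetpwd, since netdom is not on a Windows 7 client by default. corp.example.com and CORP\Administrator are placeholders; run it elevated while logged on with a local administrator account, because the domain logon is what is failing.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell (2.0, as shipped with
# Windows 7) on the affected client, logged on with a LOCAL administrator account.
# corp.example.com / CORP\Administrator are placeholders (assumptions).

$domain = 'corp.example.com'                  # assumption: the AD DNS domain name
$cred   = Get-Credential 'CORP\Administrator' # domain admin, used only for the repair

# 1. DNS. The client must use a domain DNS server (local DC first, a remote DC second)
#    and never a public resolver, and the domain's DC locator records must resolve.
#    A client that cannot find a DC reports the same "trust relationship" error.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"

# 2. Which DC does the client locate right now, and which one did it last talk to?
nltest "/dsgetdc:$domain" /force
nltest "/sc_query:$domain"

# 3. Computer Browser service (check #3 above) should be running.
Get-Service Browser

# 4. Test the secure channel. If it is broken, reset the machine account password in
#    place (the PowerShell counterpart of "netdom resetpwd"), which keeps the existing
#    computer object and avoids a full disjoin/rejoin.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel OK. Look at DNS, time skew and the computer object instead.'
} else {
    Test-ComputerSecureChannel -Repair -Credential $cred
    if (Test-ComputerSecureChannel) {
        Write-Host 'Secure channel repaired. Log off and log on with the domain account.'
    } else {
        # On a DC: dsquery computer -name WS01 | dsget computer -disabled
        # shows whether the object exists and is disabled (check #4); also look for a
        # duplicate object or A record (check #6). If those are clean, disjoin/rejoin.
        Write-Warning 'Repair failed. Verify the computer account on a DC, then disjoin/rejoin.'
    }
}
```

The in-place repair only works while the computer object still exists, is enabled, and has replicated to the DC the client reaches; when any of those is false the repair fails and the disjoin/rejoin in the accepted solution is the remaining option.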
 
LVL 18

Accepted Solution

by:Sarang Tinguria (earned 500 total points)
ID: 39629905
Disjoin/rejoin the computers (delete the computer object once you remove it from the domain and then join it back to the domain).

Move all the FSMO roles to the SBS server while it is in the network; even if your replication is healthy and users are fewer than 500, it doesn't matter where you keep the FSMO roles.

If you are doing any trick to avoid shutdown of the SBS server, I would highly recommend refraining from it, because then you will be violating the SBS EULA.

Follow the DNS recommendations provided by Sandesh.
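The disjoin/rejoin in the accepted solution, including deleting the stale computer object between the two halves, as an added example that is not part of the answer or the thread. It is a two-step script for the Windows 7 client (PowerShell 2.0, local administrator logon); the DC-side commands sit in comments because they run on a different machine. corp.example.com / CORP, DC02 and the Workstations OU are placeholders, not names from the thread.

```powershell
# Added example, not from the thread: a clean disjoin/rejoin as a two-step script.
# Run ".\rejoin.ps1 -Step Leave" on the client, do the DC-side work in the comments,
# then run ".\rejoin.ps1 -Step Join" on the client. Placeholders, all assumptions:
# corp.example.com / CORP, DC02 (a DC that replicates cleanly), the Workstations OU.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Leave', 'Join')][string]$Step
)

$domain = 'corp.example.com'
$joinDc = "DC02.$domain"
$ouPath = 'OU=Workstations,DC=corp,DC=example,DC=com'
$cred   = Get-Credential 'CORP\Administrator'

switch ($Step) {
    'Leave' {
        # Step 1, on the client: leave the domain and reboot into a workgroup.
        Remove-Computer -Credential $cred -Force
        # Step 2, on a DC, after the reboot: delete the stale computer object so the rejoin
        # creates a fresh account instead of reusing the one with the broken password, and
        # remove any duplicate A record for the host from the DNS console.
        #   dsquery computer -name WS01 | dsrm -noprompt
        # Step 3, on a DC: make sure the deletion has replicated before rejoining.
        #   repadmin /syncall /AdeP
        #   repadmin /replsummary
        Restart-Computer -Force
    }
    'Join' {
        # Step 4, on the client: join again, pinned with -Server to a healthy DC. Without
        # that, the new account may be created on one DC while the client's logon DC
        # has not received it yet, which reproduces the original trust error.
        Add-Computer -DomainName $domain -Credential $cred -Server $joinDc -OUPath $ouPath
        Restart-Computer -Force
    }
}
```

Pinning the join to one DC matters in a three-site domain like the one in this thread: the first domain logon after the reboot must reach a DC that already holds the new computer account and its password.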
