Solved

The trust relationship between the workstation and the primary domain failed

Posted on 2013-11-06
2,020 Views
Last Modified: 2013-11-28
I just added a 3rd domain controller to location 3 as a BDC, but now I have a user running Windows 7 who can't log in to their Windows computer at location 1. Location 2 is the PDC, and locations 1 and 3 are the BDCs.

I am running Windows 2008 as the primary DC; location 1 has a 2003 Small Business Server and location 3 has Windows 2008.

The user is receiving the following error message: "The trust relationship between the workstation and the primary domain failed."

Please help me to resolve this issue.

Thanks
Question by:csciarro
10 Comments

Expert Comment

by:DrDave242
ID: 39628117
I am running Windows 2008 as the primary DC, Location one has 2003 Small Business server and location 3 has Windows 2008
What do you mean when you say "primary" DC? There's no technical definition of that term in an Active Directory domain, and it tends to mean different things to different people. The reason I'm asking is that you mentioned Small Business Server, which is quite picky about what functions it must perform in a domain. Any other configuration will cause it to throw a fit.

Regarding the specific problem you're having, if only one client is getting the error, the quickest fix will likely be to remove the affected client machine from the domain and re-join it.

Expert Comment

by:Zenvenky
ID: 39628161
Agree with DrDave; let me explain what exactly he is trying to tell you. You say primary DC: does it hold the PDCe role, or is it the first installed DC in the domain? When you say Small Business Server, I assume that you are talking about SBS2003. In your scenario, if there is an SBS server it should hold all FSMO roles; no other DC shall have any roles other than DNS. Correct this first and then run repadmin /replsum to find any AD replication issues. If there are no errors, correct the Windows Time Server configuration using the link below. Once everything is fixed at the server end, restart the Windows 7 client to log in. If this doesn't fix the client issue, then unjoin and rejoin it to the domain.

Authoritative Time Server

Hope this helps you.

Author Comment

by:csciarro
ID: 39628193
Ok. Recently a technician upgraded the domain controller at location 2 to be the primary and then made the SBS2003 a backup domain controller. Today I added another domain controller at location 3, which is running Windows Server 2008, so locations 2 and 3 are fine, but as you mentioned the SBS2003 is a pain.

On which server do I run repadmin /replsum? Which server do I run the Authoritative Time Server on?

I have 3 computers at location 1, which is running off of SBS2003, and they are all having the same issues.

Thanks for your help guys!

Author Comment

by:csciarro
ID: 39628197
Also, when I was setting up the domain controller at location 3 it mentioned I needed to create a parent zone for DNS, so where would I complete this and on which server?
LVL 25

Expert Comment

by:DrDave242
ID: 39628236
Recently a technician upgraded the domain controller at location 2 to be the primary and then made the SBS2003 a backup domain controller.
You should find out exactly what he did. If he moved any FSMO roles off of the SBS server to another DC, the SBS server isn't going to like this. It will place errors in its event logs for a while and will eventually start shutting itself down.

Expert Comment

by:Zenvenky
ID: 39628262
You can run repadmin on any DC, preferably on the SBS. Also make the SBS the authoritative time server, as it should hold the PDCe role, and the other 2 DCs should point to the SBS for authoritative time sync.
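The DC-side checks Zenvenky describes (FSMO role holders, replication health, and the time hierarchy), as an added PowerShell example that is not from any of the posters. It assumes an elevated prompt on a domain controller; repadmin and netdom ship with Windows Server 2008 and come from the Support Tools package on SBS 2003. The NTP peer names are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated prompt on a DC.

# 1. Who holds the five FSMO roles? In an SBS domain the SBS server must hold all of them.
netdom query fsmo

# 2. Replication summary for every DC. A non-zero Fails column or a large
#    "largest delta" must be fixed before touching the clients.
repadmin /replsum

# 3. Time hierarchy: members sync from their DC, DCs sync from the PDC emulator,
#    so only the PDCe should point outside the domain.
#    (w32tm /query exists on Windows Server 2008 and later; on 2003 use "w32tm /monitor".)
w32tm /query /source
w32tm /query /status

# Recent Windows Time events show whether a DC is failing to find a time source.
Get-EventLog -LogName System -Source W32Time -Newest 10 |
    Select-Object TimeGenerated, EventID, Message

# 4. On the PDC emulator ONLY: point it at external NTP peers (placeholders below)
#    and mark it reliable so the other DCs accept it as the authoritative source.
# w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
# Restart-Service w32time
# w32tm /resync

# 5. On every other DC: follow the domain hierarchy (the PDCe), not an external peer.
# w32tm /config /syncfromflags:domhier /update
# Restart-Service w32time
# w32tm /resync
```

Steps 4 and 5 are left commented out because they change configuration; run the one that matches the role of the DC you are on, then re-run `w32tm /query /source` to confirm the change took effect.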

Author Comment

by:csciarro
ID: 39628472
Based on what I know, he made location 2 the primary and moved the FSMO roles to the second location. He also disabled the feature that shuts down the SBS2003. I don't want to run something on the SBS2003 server that will cause all domain controllers to fail.

Would it be simple to just unjoin and rejoin the 2 computers at location 1 to resolve this issue or will this not fix the issue?

Expert Comment

by:DrDave242
ID: 39628491
Based on what I know he made location 2 the primary and moved the FSMO roles to the second location. He also disabled that feature that shuts down the SBS2003.
That doesn't sound good. Any change that circumvents the normal SBS requirements (it must be a DC in the root domain, must have all the FSMO roles, etc.) puts it in an unsupported configuration.

Normally, I'd say go ahead and remove/rejoin the affected clients (and possibly reset their computer accounts in AD), but with SBS in that state, I'm really not sure whether that's going to fix the issue.

Expert Comment

by:Sandeshdubey
ID: 39629306
It seems to be a DNS name resolution issue. The error message "The trust relationship between this workstation and the primary domain failed" indicates that the secure channel between the client and the DC is broken.

(1) Check the DNS entries.
DNS configuration on clients and member servers:
-----------------------------------
1. Each workstation/member server should point to the local DNS server as primary DNS and the other remote DNS servers as secondary.
2. Do not set a public DNS server in the TCP/IP settings of the workstation.


(2) Check whether the Firewall service is ON or OFF.
Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

(3) Check the status of the Browser service.
It should be started.

(4) Check the status of the machine account in AD (it may be disabled).
If the machine account is disabled, enable it.

(5) Remove the server from the domain and re-add it to the domain, or try using the netdom utility to reset the secure channel between the server and the domain controller:
http://support.microsoft.com/kb/260575

(6) Also check the DNS console for duplicate records for the host machine and remove them.


Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable that feature if defined.

Take a look at the hotfix below too. A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer (install if applicable): http://support.microsoft.com/kb/979495


Note: Ensure you point the DNS setting to an online DC. Rejoining the client computer to the domain should fix the issue.
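The client-side half of Sandeshdubey's checklist, as an added PowerShell example that is not from any of the posters: it inspects DNS, the firewall profiles, the Browser service and the secure channel, and repairs the channel in place before resorting to a full rejoin. It assumes an elevated PowerShell 2.0 prompt on the affected Windows 7 PC while logged on as a local administrator (the domain logon is what fails); contoso.local, CONTOSO, DC1 and the account name are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the affected Windows 7 client.
$domainFqdn = 'contoso.local'   # placeholder: the AD domain
$dcName     = 'DC1'             # placeholder: a DC at the client's own site

# (1) DNS: every adapter must list an internal DNS server (ideally the local DC)
#     first and no public resolver at all.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain

# The DC locator SRV record must resolve through that DNS server, or no join/logon works.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainFqdn" $dcName

# (2) Firewall state per profile (the domain profile must allow DC traffic).
netsh advfirewall show allprofiles state

# (3) The Computer Browser service should be running.
Get-Service Browser | Select-Object Name, Status

# (4) Whether the computer account is disabled is checked on a DC, not here:
#     dsquery computer -name <client name> -disabled   (prints the object only if disabled)

# (5) Is the secure channel with the domain still valid?
$healthy = Test-ComputerSecureChannel        # $true = OK, $false = broken
nltest /sc_query:$domainFqdn                 # same check, also shows which DC answered

# If broken, reset the computer account password in place instead of a full rejoin.
# Needs an account allowed to reset the computer object in AD.
if (-not $healthy) {
    $cred = Get-Credential 'CONTOSO\Administrator'     # placeholder account
    Test-ComputerSecureChannel -Repair -Credential $cred
    nltest /sc_query:$domainFqdn                       # re-check after the repair
}
# Legacy equivalent from the KB 260575 link (netdom needs RSAT on Windows 7):
# netdom resetpwd /server:$dcName /userd:CONTOSO\Administrator /passwordd:*

# (6) Compare the A record the DC's DNS holds for this PC with its real address
#     from step (1); a stale or duplicate record must be removed in the DNS console.
nslookup $env:COMPUTERNAME $dcName
```

`Test-ComputerSecureChannel -Repair` only resets the existing account's password with the DC, so it is the least disruptive fix; if it still returns `$false` afterwards (or the account has been deleted), the disjoin/rejoin in the accepted answer is the next step.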

Accepted Solution

by:sarang_tinguria (earned 500 total points)
ID: 39629905
Disjoin/rejoin the computers (delete the computer object once you remove it from the domain, and then join it back to the domain).

Move all the FSMO roles to the SBS server while it is in the network. Even if your replication is healthy and users are fewer than 500, it doesn't matter where you keep the FSMO roles.

If you are doing any trick to avoid shutdown of the SBS server, I would highly recommend refraining from it, because then you will be violating the SBS EULA.

Follow the DNS recommendations provided by Sandesh.
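The disjoin / delete-object / rejoin sequence from the accepted answer for one client, as an added PowerShell example that is not from any of the posters. It assumes PowerShell 2.0 on the Windows 7 client (steps 1 and 3, run as a local administrator) and a command prompt on a DC (step 2); contoso.local, CONTOSO, WS01 and the account name are placeholders. Moving the FSMO roles to the SBS server is not shown.

```powershell
# Added example, not from the thread. Each step is run in its own session:
# the reboots end the client session, so do not paste the whole block at once.
$domain = 'contoso.local'                          # placeholder domain
$cred   = Get-Credential 'CONTOSO\Administrator'   # placeholder account with join rights

# Step 1 (client): leave the domain, then reboot.
Remove-Computer -Credential $cred -Force   # PowerShell 2.0; 3.0+ uses -UnjoinDomainCredential
Restart-Computer

# Step 2 (DC): delete the stale computer object so the rejoin creates a fresh one with
# a new secure-channel password. dsrm works on 2003 and 2008; Remove-ADComputer needs
# the ActiveDirectory module (2008 R2 or later).
#   dsquery computer -name WS01 | dsrm -noprompt
#   Remove-ADComputer -Identity WS01 -Confirm:$false
# Push the deletion to every DC so none of them still hands out the old object:
#   repadmin /syncall /AdeP

# Step 3 (client, after the reboot, still as local admin): confirm the client can
# find a DC through its DNS server, then join and reboot.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
Add-Computer -DomainName $domain -Credential $cred
Restart-Computer

# After the next domain logon, the channel should report healthy:
#   Test-ComputerSecureChannel
```

The DNS check before `Add-Computer` is what ties this back to the DNS recommendations above: if the SRV lookup fails, the join fails the same way the logon did, and fixing the client's DNS server list comes first.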