Solved

Unable to log on workstation machine

Posted on 2014-10-30
Last Modified: 2015-03-16
Hi,
I am an IT volunteer for a charity organization. We have a Windows 2000 server and 8 XP Pro workstations; recently the workstations were upgraded to Windows Vista Business. A workstation was renamed. The next day the user was not able to log on to the machine; the message appeared: “The security database on the server does not have a computer account for this workstation trust relationship”. I’ve managed to resolve the issue by restarting the server and the workstation. However, the following day, the user had the same problem, so I restarted the server again and it worked. How do I solve this issue permanently?

Question by:faysal_ahmed
28 Comments

Accepted Solution

by:
Seth Simmons earned 100 total points
remove from the domain and add again

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 200 total points
Hi faysal,

The best way, and the way to prevent future problems, is to remove and rejoin the computer clients' (Vista clients) account.

For that do the following:
1. Right-click the computer, choose Properties
2. Under “Computer name, domain, and workgroup settings”, click “Change Settings”
3. In the System Properties dialog that pops up, click the “Change” button after “To rename this computer or change its domain or workgroup, click Change”
4. Toggle the radio button for Workgroup, then enter any name (we will be changing this back in a few steps anyway)
5. Click OK to save the change, then reboot the computer
6. Repeat steps one through three
7. Toggle the radio button for Domain, then enter the domain name
8. Click OK to save the changes (when prompted for a user name, use a user that has domain administrative privileges)
9. Reboot the computer


Let us know if this helped.

Regards
David

Author Comment

by:faysal_ahmed
Would the user lose their work by doing it this way...

Assisted Solution

by:Seth Simmons
Seth Simmons earned 100 total points
no
it removes the computer account from the domain and adds again; does not do anything to user files

Expert Comment

by:it_saige
The user should not lose anything as you are not changing the SID of the user.  You are simply re-adding the account for the computer to the domain.

-saige-

Expert Comment

by:Asif Bacchus
Sounds like the trust-relationship between the machines is broken.  The simplest fix would be to remove the workstation from the domain, remove BOTH the old and new machine accounts (i.e. old name and current name) from the server's AD and then re-join the workstation to the domain.  If you need help with those steps, please let me know.

***Sorry, posted before refreshing!  Good advice given by other experts,  please disregard my comment as it's the same thing! ***

Author Comment

by:faysal_ahmed
I am trying to change the computer name settings. It's prompting me for Administrator's credentials; when I type the credentials, the message appears: “The security database on the server does not have a computer account for this workstation trust relationship”.

Expert Comment

by:David Paris Vicente
After you remove the computer from the domain, you can go to the computer object and do the reset computer account, but I can't remember if this option is available in Windows 2000 Server.

But you could try.
After removing the computer client from the domain you can go to:
Open AD -> right-click the computer name object and check if the option reset account is available; if it is available you can do the reset account and then you can add the computer client with the same name.

This will help you avoid changing all the computer clients' names or deleting the computer accounts.

Hope it helps.

Regards

David

Assisted Solution

by:it_saige
it_saige earned 50 total points
Just disregard the message.  You do not have to provide domain credentials to remove the computer.  Provide the local administrator credentials.

Once it is removed, then remove the computer account from Active Directory Users and Computers.
Capture.JPG
-saige-

Expert Comment

by:David Paris Vicente
That is because no trust relation is in place.

Do what you did in the first place when the problem started: reboot the server and the client.

Expert Comment

by:tmoore1962
If the charity is non-profit, you should look into techsoup.org; it would allow you to get the organization's network more up to date than what you currently have. Besides software, they may be able to help with hardware also.

Expert Comment

by:tmoore1962
Try on one of the Vista machines: gpedit.msc, Computer Configuration\Windows Settings\Security Settings\Public Key Policies node (figure 4). Right-click the Autoenrollment Settings entry in the right pane of the console, click the Properties command and disable autoenrollment.  But if I recall, if this is the issue then there should be an indicator of the autoenrollment failure in the workstation event logs.

Author Comment

by:faysal_ahmed
Hi guys,

I have set up local Administrator’s and user’s credentials, so the user can access the machine all the time.

I have tried the steps that David had suggested.

However, when I tried to rejoin the domain there was an error.

Please see error message:

An Active Directory Domain Controller for the domain wen.local could not be contacted.

Ensure that the domain is typed correctly.

If the name is correct.  Click Details…..



Details:

Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain wen.local:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.wen.local

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.0.1

- One or more of the following zones do not include delegation to its child zone:

wen.local
local
. (the root zone)

For information about correcting this problem, click Help.

Expert Comment

by:Seth Simmons
is 192.168.0.1 one of the dns servers?
if not, that needs to be corrected

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 200 total points
Please confirm what Seth said.
Are you using DHCP server for your clients?

If true, confirm that the DHCP server is started; if not, go to the network settings -> Properties of the network interface -> IPv4, then confirm the preferred DNS setting is configured for your DNS server (192.168.0.1).

Let us know if this helped.

Regards

Author Comment

by:faysal_ahmed
Hi,

Yes, 192.168.0.1 is one of the DNS servers (Router).  The DHCP is enabled automatically.

Please see the attachment.

Is there anything I need to do on the server?

Many thanks.
Attachment.docx

Expert Comment

by:Seth Simmons
Yes, 192.168.0.1 is one of the dns servers (Router).

there is your problem
you should be using one of the domain controllers for DNS; your router doesn't know about your AD domain

Expert Comment

by:David Paris Vicente
Ok, you aren't using Windows DNS integrated with Active Directory.

Because you are using the DHCP and DNS router, the router doesn't know the name of your Domain Controller and the domain name.

Can you check in your Domain Controller what roles are installed? Such as DHCP, DNS, AD and others.

If you have the DNS server role installed in your Domain Controller, you need to point your clients to the domain controller's IP as the preferred DNS server.

Author Comment

by:faysal_ahmed
Hi,

I have checked other workstation machines that are joined to the domain; they are configured in a similar way using the DNS and DHCP router, and they seem to be working.

How do I point clients to the IP of the Domain Controller as a preferred DNS server? If you could give me guideline steps that would be great.

I have checked in the DC; this is what I have found. Please see both of the attachments.

Thank you.
DNS-part-1.pdf
DNS-part-2.pdf

Assisted Solution

by:Asif Bacchus
Asif Bacchus earned 150 total points
Your DNS setup looks a little odd, but I'm not really seeing any major problems.  Your server is medusa with IP 192.168.0.2, correct?  If so, then that has to be set as the primary DNS on your clients.  The gateway for your clients can then be set to your router at 192.168.0.1.

Do you have DHCP installed on your server?  If so, can you please check your scope/server options and let us know what is being pushed to the clients for 003 Router, 006 DNS Servers and 015 Domain Name?  If these options are set properly, then your client should receive the proper configuration automatically and you should have no problems joining the domain.  If these values are incorrect, then that is your problem.

Author Comment

by:faysal_ahmed
Yes, the server is Medusa with IP address 192.168.0.2.  

We do have DHCP installed on our server.  I have taken snapshots of the DHCP scopes options.  Please see the attachment.  

Many thanks
DHCP-SCOPES.pdf

Expert Comment

by:Asif Bacchus
Please change the 006 DNS Servers option to read 192.168.0.2 instead of .7 as it does right now.  Your DNS must point to your server.

Author Comment

by:faysal_ahmed
Thanks for your advice. I am out of office now and will do those steps next week.

Author Comment

by:faysal_ahmed
Hi, I am in the office today for a short while.

I have changed the DNS Servers option to read 192.168.0.2 and I have released and renewed the DHCP; still no luck.

Expert Comment

by:Asif Bacchus
Please verify, using ipconfig /all, what your client is receiving from the DHCP server.  It should list your server as the only DNS entry and your internet router/modem as the gateway.  If those entries are correct, please try pinging the server by name and IP and see if those both work.  Finally, try manually opening the root share on the server (i.e. \\servername) and see if it prompts for credentials.  Assuming it does, can you browse the server using the appropriate credentials?

Let me know if any of these things fail.

Author Comment

by:faysal_ahmed
I have checked the user’s machine.

It’s still using the same setting as before (settings from the router).

Default gateway:  192.168.0.1
DHCP Server:    192.168.0.1
DNS Server:      192.168.01

I’ve checked other users’ machines and it’s configured the same way, including the Medusa server, and the users are able to log on to the domain from other machines.

Assisted Solution

by:Asif Bacchus
Asif Bacchus earned 150 total points
Based on your ipconfig, the problem is what everyone here has been saying all along.  Your computers, including your server, should be using the server as the DHCP and DNS server.  In this case, 192.168.0.2.  Based on your ipconfig, everything is pointing to the ROUTER (192.168.0.1) and that is providing DHCP and DNS.

Using this setup, you have a few issues:

1)  You cannot have 2 DHCP servers in the same subnet.  Either use your router or your server.  Your server will shut down its internal DHCP service if it detects another DHCP server, in this case the router.
2)  Unless your router is configured to point to your server as the DNS server, it has no idea about your AD and DNS (only your server does) so that is the root of your DNS issues.

I guess the question now has to be, is your router configured to use your server as its DNS?
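Added example, not part of any post in this thread: the `ipconfig /all` check requested earlier and the diagnosis in the post above, written as a small Python parser that flags adapters whose DNS or DHCP does not come from the domain controller. The sample output is constructed; 192.168.0.2 (server) and 192.168.0.1 (router) are the addresses given in the thread, and the function names are hypothetical.

```python
import re

# Constructed `ipconfig /all` excerpt (not the poster's attachment). Addresses
# follow the thread: router 192.168.0.1, server "medusa" 192.168.0.2.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.168.0.2
"""

FIELDS = ("DHCP Server", "DNS Servers")
LABEL = re.compile(r"\s+(.+?)[ .]* :\s*(.*)$")   # "   Label . . . : value"
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_ipconfig(text):
    """Return {section: {field: [ipv4, ...]}} for the fields in FIELDS."""
    sections, current, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():        # unindented: new section
            current = sections.setdefault(line.rstrip(": "), {f: [] for f in FIELDS})
            field = None
        elif current is not None and line.strip():
            m = LABEL.match(line)
            # An unlabelled indented line continues the previous field's list.
            field, value = (m.group(1), m.group(2)) if m else (field, line)
            if field in FIELDS:
                current[field] += IPV4.findall(value)
    return sections


def audit(text, dc_ip):
    """Return (adapter, kind, addresses) for DNS/DHCP sources other than the DC."""
    findings = []
    for name, cfg in parse_ipconfig(text).items():
        dns, dhcp = cfg["DNS Servers"], cfg["DHCP Server"]
        if dns and dns != [dc_ip]:                # DC must be the only resolver
            findings.append((name, "dns", [ip for ip in dns if ip != dc_ip]))
        if dhcp and dhcp != [dc_ip]:              # lease not issued by the server
            findings.append((name, "dhcp", dhcp))
    return findings


if __name__ == "__main__":
    for name, kind, ips in audit(SAMPLE, dc_ip="192.168.0.2"):
        print(f"{name}: {kind} comes from {ips}, expected only 192.168.0.2")
```

A "dhcp" finding also means the 003/006/015 options set on the server's scope are not what this client receives, because the lease was issued by a different DHCP server.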

Author Comment

by:faysal_ahmed
Hi Everyone

I just want to say the problem has not yet been resolved because there are other underlying problems, which we will get checked by IT specialists onsite.

I want to say thank you to everyone and give credits for assisting me.

Regards

Faysal