Unable to log on workstation machine

I am an IT volunteer for a charity organization. We have a Windows 2000 Server and 8 XP Pro workstations; recently the workstations were upgraded to Windows Vista Business. A workstation was renamed. The next day the user was not able to log on to the machine, and the message appeared: “The security database on the server does not have a computer account for this workstation trust relationship”. I’ve managed to resolve the issue by restarting the server and the workstation. However, the following day, the user had the same problem, so I restarted the server again and it worked. How do I solve this issue permanently?
Seth Simmons (Sr. Systems Administrator) commented:
remove from the domain and add again

David Paris Vicente (Systems and Communications Administrator) commented:
Hi faysal,

The best way, and the way to prevent future problems, is to remove and rejoin the computer client (Vista client) accounts.

For that do the following:
1. Right-click the computer, choose Properties

2. Under “Computer name, domain, and workgroup settings”, click “Change Settings”

3. In the System Properties dialog that pops up, click the “Change” button after “To rename this computer or change its domain or workgroup, click Change”

4. Toggle the radio button for Workgroup, then enter any name (we will be changing this back in a few steps anyway)

5. Click OK to save the change, then reboot the computer

6. Repeat steps one through three

7. Toggle the radio button for Domain, then enter the domain name

8. Click OK to save the changes (when prompted for a user name, use a user that has domain administrative privileges)

9. Reboot the computer

Let us know if this helped.

faysal_ahmed (Author) commented:
Would the user lose their work by doing it this way?

Seth Simmons (Sr. Systems Administrator) commented:
It removes the computer account from the domain and adds it again; it does not do anything to user files.
The user should not lose anything, as you are not changing the SID of the user. You are simply re-adding the account for the computer to the domain.

Asif Bacchus (I.T. Consultant) commented:
Sounds like the trust-relationship between the machines is broken.  The simplest fix would be to remove the workstation from the domain, remove BOTH the old and new machine accounts (i.e. old name and current name) from the server's AD and then re-join the workstation to the domain.  If you need help with those steps, please let me know.

***Sorry, posted before refreshing! Good advice given by other experts; please disregard my comment as it's the same thing! ***
faysal_ahmed (Author) commented:
I am trying to change the computer name settings; it's prompting me for Administrator's credentials, and when I type the credentials, the message appears: “The security database on the server does not have a computer account for this workstation trust relationship”.
David Paris Vicente (Systems and Communications Administrator) commented:
After you remove the computer from the domain, you can go to the computer object and do the reset computer account, but I can't remember if this option is available in Windows 2000 Server.

But you could try.
After removing the computer client from the domain you can go to:
Open AD -> right-click the computer name object and check if the option "Reset Account" is available; if it is available, you can do the reset account and then add the computer client with the same name.

This will save you from changing all the computer client names or deleting the computer accounts.

Hope it helps.


Just disregard the message. You do not have to provide domain credentials to remove the computer. Provide the local administrator credentials.

Once it is removed, then remove the computer account from Active Directory Users and Computers.
David Paris Vicente (Systems and Communications Administrator) commented:
That is because no trust relation is in place.

Do what you did in the first place when the problem started: reboot the server and the client.
If the charity is a non-profit, you should look into techsoup.org; it would allow you to get the organization's network more up to date than what you currently have, and besides software they may be able to help with hardware also.
On one of the Vista machines, try gpedit.msc, Computer Configuration\Windows Settings\Security Settings\Public Key Policies node (figure 4). Right-click the Autoenrollment Settings entry in the right pane of the console, click the Properties command and disable autoenrollment. But if I recall, if this is the issue then there should be an indicator of the autoenrollment failure in the workstation event logs.
faysal_ahmed (Author) commented:
Hi guys,

I have setup local Administrator’s and user’s credentials, so the user can access the machine all the time.

I have tried the steps that David suggested.

However, when I tried to rejoin the domain there was an error.

Please see error message:

An Active Directory Domain Controller for the domain wen.local could not be contacted.

Ensure that the domain is typed correctly.

If the name is correct.  Click Details…..


Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain wen.local:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.wen.local

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

- One or more of the following zones do not include delegation to its child zone:

. (the root zone)

For information about correcting this problem, click Help.
Seth Simmons (Sr. Systems Administrator) commented:
is one of the dns servers?
if not, that needs to be corrected
David Paris Vicente (Systems and Communications Administrator) commented:
Please confirm what Seth said.
Are you using DHCP server for your clients?

If so, confirm that the DHCP server is started; if not, go to the network settings -> Properties of the Network Interface -> IPv4 -> then confirm the preferred DNS setting is configured for your DNS server (

Let us know if it helped.

faysal_ahmed (Author) commented:

Yes,  is one of the DNS servers (router). DHCP is enabled automatically.

Please see the attachment.

Is there anything I need to do on the server?

Many thanks.
Seth Simmons (Sr. Systems Administrator) commented:
Yes, is one of the dns servers (Router).

There is your problem.
You should be using one of the domain controllers for DNS; your router doesn't know about your AD domain.
David Paris Vicente (Systems and Communications Administrator) commented:
Ok, you aren't using Windows DNS integrated with Active Directory.

Because you are using the router for DHCP and DNS, the router doesn't know the name of your domain controller or the domain name.

Can you check in your Domain Controller what roles are installed? Such as DHCP,DNS, AD and others.

If you have the DNS server role installed on your domain controller, you need to point your clients to the domain controller's IP as the preferred DNS server.
faysal_ahmed (Author) commented:

I have checked other workstation machines that are joined with the domain; they are configured in a similar way using DNS and DHCP router, they seem to be working.

How do I point clients to the domain controller's IP as the preferred DNS server? If you could give me step-by-step guidelines, that would be great.

I have checked in the DC; this is what I have found. Please see both of the attachments.

Thank you.
Asif Bacchus (I.T. Consultant) commented:
Your DNS setup looks a little odd, but I'm not really seeing any major problems.  Your server is medusa with IP, correct?  If so, then that has to be set as the primary DNS on your clients.  The gateway for your clients can then be set to your router at

Do you have DHCP installed on your server?  If so, can you please check your scope/server options and let us know what is being pushed to the clients for 003 Router, 006 DNS Servers and 015 Domain Name?  If these options are set properly, then your client should receive the proper configuration automatically and you should have no problems joining the domain.  If these values are incorrect, then that is your problem.
faysal_ahmed (Author) commented:
Yes, the server is Medusa with IP address  

We do have DHCP installed on our server.  I have taken snapshots of the DHCP scopes options.  Please see the attachment.  

Many thanks
Asif Bacchus (I.T. Consultant) commented:
Please change the 006 DNS Servers option to read instead of .7 as it does right now.  Your DNS must point to your server.
faysal_ahmed (Author) commented:
Thanks for your advice. I am out of the office now and will do those steps next week.
faysal_ahmed (Author) commented:
Hi, I am in the office today for a short while.

I have changed the DNS Servers option to read, I have released and renewed the DHCP, still no luck.
Asif Bacchus (I.T. Consultant) commented:
Please verify, using ipconfig /all, what your client is receiving from the DHCP server. It should list your server as the only DNS entry and your internet router/modem as the gateway. If those entries are correct, please try pinging the server by name and by IP and see if both work. Finally, try manually opening the root share on the server (i.e. \\servername) and see if it prompts for credentials. Assuming it does, can you browse the server using the appropriate credentials?

Let me know if any of these things fail.
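The ipconfig /all check described above, automated as an added example (this is not code from the thread or from any of its participants): it parses a constructed sample of ipconfig output and flags a client whose DNS server is the router rather than the domain controller. The addresses are placeholders, since the thread does not show the real ones: 192.168.0.7 stands in for the server "medusa" and 192.168.0.1 for the router.

```python
import re

# Constructed sample of `ipconfig /all` for a Vista client still taking its
# settings from the router. Placeholder addresses (the thread shows none):
# 192.168.0.7 stands in for the server "medusa", 192.168.0.1 for the router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : wen.local
   IPv4 Address. . . . . . . . . . . : 192.168.0.57(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.168.0.7
"""

# "   Field . . . : value": the label, dot leaders, a colon, then the value
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Map each field to its list of values; an indented line with no colon
    continues the previous field (that is how extra DNS servers appear)."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            value = m.group(2).strip().split("(")[0]  # drop "(Preferred)"
            fields.setdefault(current, [])
            if value:
                fields[current].append(value)
        elif current and line.strip() and ":" not in line:
            fields[current].append(line.strip())
    return fields


def check_domain_dns(fields, dc_ip, router_ip):
    """Return the problems found; empty when the DC is the only DNS server
    and the router is the gateway, as recommended in the thread."""
    problems = []
    if fields.get("DNS Servers", []) != [dc_ip]:
        problems.append(f"DNS Servers must be only the DC {dc_ip}, got "
                        f"{fields.get('DNS Servers')}: the router cannot "
                        f"answer _ldap._tcp.dc._msdcs.<domain> SRV queries")
    if fields.get("Default Gateway", []) != [router_ip]:
        problems.append(f"Default Gateway should be the router {router_ip}, "
                        f"got {fields.get('Default Gateway')}")
    return problems
```

Feeding the sample through both functions reports one problem, the DNS server list, which matches the diagnosis the thread reaches: the domain's SRV records can only be answered by the server running AD-integrated DNS.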
faysal_ahmed (Author) commented:
I have checked the user’s machine.

It’s still using the same setting as before (settings from the router).

Default gateway:
DHCP Server:
DNS Server:      192.168.01

I’ve checked other users’ machines and it’s configured the same way, including the Medusa server, and the users are able to log on to the domain from other machines.
Asif Bacchus (I.T. Consultant) commented:
Based on your ipconfig, the problem is what everyone here has been saying all along. Your computers, including your server, should be using the server as the DHCP and DNS server. In this case, based on your ipconfig, everything is pointing to the ROUTER ( and that is providing DHCP and DNS.

Using this setup, you have a few issues:

1) You cannot have 2 DHCP servers in the same subnet. Either use your router or your server. Your server will shut down its internal DHCP service if it detects another DHCP server, in this case the router.
2) Unless your router is configured to point to your server as the DNS server, it has no idea about your AD and DNS (only your server does), so that is the root of your DNS issues.

I guess the question now has to be, is your router configured to use your server as its DNS?
faysal_ahmed (Author) commented:
Hi Everyone,

I just want to say the problem has not yet been resolved because there are other underlying problems, which we will get checked by IT specialists onsite.

I want to say thank you to everyone and give credits for assisting me.
