syssolut
Trust relationship between the workstation and the Domain Controller failed

I have gotten this error a few times with different computers on the domain. This time I did the same thing as always: I sign in under local admin, change domain to workgroup and reboot. Sign back in under local admin and connect to domain. But then I reboot this one workstation and it still comes up with the same error, even if I try to sign in under domain administrator. Any ideas? Workstation: Win 7 Pro. DC: Server 2012.
Alex

Have you checked AD to see if there is a computer account still there even after the removal?
Is the time correct on the workstations?
If he has AD then the PDC Emulator would set the time on the domain.
If workstations fail to get time from the DC (which gets time from the PDC) the workstation will get Access Denied, and the OP might have a policy to point devices to a network NTP server,
which doesn't happen, but OK, let's just say that it didn't get it; leave it for 30 seconds and it'll poll the DC.

Actually, it's more likely that the BIOS battery has failed and the BIOS time is completely out, rather than the time within Windows.
When a computer cannot establish a trust relationship everything will be Access Denied.

As for the most common causes, look at http://serverfault.com/questions/774583/what-causes-a-workstation-to-lose-trust-with-the-domain-controller

Katherine Villyard

Restoring from backup/snapshot.
Being powered off long enough for the password to expire, followed by network issues.
General intermittent network issues with poor timing.
Viruses, malware, etc.
Jim B
Time sync issues can also cause problems with schannel, and in most cases you can evaluate what happened (if you are so inclined) by enabling netlogon logging (https://support.microsoft.com/en-us/kb/109626)
This could also happen if two machines have the same SID which is caused if you are deploying your machines using an image.  In this case, you must run sysprep before deploying computers.
Try this: log on as admin and run in PowerShell

Reset-ComputerMachinePassword [-Credential <PSCredential>] [-Server <String>]

for example

Reset-ComputerMachinePassword -Server DC01 -Credential (Get-Credential)
What you could also do is go to computer properties and change the domain name (i.e. if the domain name is an FQDN such as mydomain.local then change it to the NetBIOS domain name such as mydomain). This way, you are not removing the computer from the domain and you will be required to reboot only once.
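An added example, not code from this thread: a PowerShell sequence run elevated on the affected workstation (logged on as local admin) that checks the clock offset and the secure channel before resetting the machine account password in place. DC01.yourdomain.local is a placeholder DC name.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the workstation while
# logged on as the local administrator. 'DC01.yourdomain.local' is a placeholder DC name.
$Dc = 'DC01.yourdomain.local'

# 1. Clock check: Kerberos rejects tickets when the client is more than 5 minutes (default)
#    off the DC, which also surfaces as "Access Denied" / trust failures.
#    Prints the offset of the local clock against the DC.
w32tm /stripchart /computer:$Dc /samples:1 /dataonly

# 2. Read-only test of the secure channel (the machine account password on both sides).
if (Test-ComputerSecureChannel -Server $Dc -Verbose) {
    Write-Host 'Secure channel is healthy; look elsewhere (DNS, network location profile, time).'
    return
}

# 3. Repair in place. Unlike leaving and rejoining the domain, this keeps the existing
#    computer object (same SID, group memberships, GPO links) and needs only one reboot.
#    Get-Credential prompts for a domain account allowed to reset the computer password.
$cred = Get-Credential
Test-ComputerSecureChannel -Repair -Server $Dc -Credential $cred
# Equivalent alternative, as posted in the thread:
# Reset-ComputerMachinePassword -Server $Dc -Credential $cred

# 4. Verify, then reboot so the new machine password is used for the next logon.
if (Test-ComputerSecureChannel -Server $Dc) {
    Write-Host 'Secure channel repaired.'
    Restart-Computer -Confirm
}
```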
syssolut (asker)

Bryant Schaper, I cannot log on to the domain with the admin password, so are you saying log in with the local password?

AlexGreen312, yes, the computer name is still in AD.
Yes, local admin is fine; you can use your creds during the reset.
If you cannot log in with a domain account, are you sure DNS is set correctly on the PC? Incorrect DNS can cause file access and logons to fail, and errors like "no domain controller available". The PC, whether set statically or through DHCP, must point ONLY to your internal DNS server(s). You cannot even have an alternate / secondary set to point to a router or ISP. Also the domain suffix, yourdomain.local, needs to be assigned to the NIC, again through DHCP or statically under Advanced | DNS | "DNS suffix for this connection".
Now I am getting the error "There are currently no logon servers available to service the logon request". But I can ping the PDC.
As mentioned, that error is usually due to DNS pointing to at least one external server. It can ONLY point to your internal servers.
I cleared the last error because the workstation somehow got changed to a public instead of a work network.

Rob Williams, I can ping the server from the workstation, but cannot ping the workstation from the server. I ran ipconfig, release - renew, and flushdns and put the PDC IP as the only DNS IP under properties.
I tried to connect to the domain and when it was booting up, I got a "server initiation failed error 0xExxxxxxxxxx".
The server should point ONLY to itself for DNS.
The ISP or other external DNS servers can be added as forwarders in the DNS management console.

If you do an ipconfig  /all from the workstation do you see:
Primary Dns Suffix  . . . . . . . : yourdomain.local

Also if you run  nslookup  servername,  or nslookup  yourdomain.local,  you should see
Server:  server.yourdomain.local
Address:  192.168.123.123

Name:    server.yourdomain.local
Address:  192.168.123.123

If so and still having issues, based on your comments, see if you can disable the firewall on the PC.
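An added example, not code from this thread: a PowerShell audit of the workstation's DNS client configuration covering the checks Rob Williams lists (resolver list, connection-specific suffix, resolution of the domain's DC records). It uses WMI, nslookup and nltest so it also runs on Windows 7; 192.168.123.123 (internal DNS/DC) and yourdomain.local are placeholders.

```powershell
# Added example, not from the thread. Run on the workstation. Placeholders: the internal
# DNS/DC address 192.168.123.123 and the AD domain yourdomain.local.
$InternalDns = @('192.168.123.123')
$Domain      = 'yourdomain.local'

# For each IP-enabled adapter: which resolvers it uses and which connection-specific suffix it has.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($nic in $nics) {
    Write-Host "Adapter    : $($nic.Description)"
    Write-Host "DNS servers: $($nic.DNSServerSearchOrder -join ', ')"
    Write-Host "DNS suffix : $($nic.DNSDomain)"
    # A router or ISP resolver cannot answer for the AD zone. Whenever Windows falls back to it,
    # the client gets NXDOMAIN for the domain and reports "no logon servers available".
    $external = @($nic.DNSServerSearchOrder | Where-Object { $InternalDns -notcontains $_ })
    if ($external.Count -gt 0) {
        Write-Warning "External resolver(s) configured: $($external -join ', ')"
    }
    if ($nic.DNSDomain -ne $Domain) {
        Write-Warning "Connection-specific suffix is '$($nic.DNSDomain)', expected '$Domain'"
    }
}

# The record a client must resolve to find a logon server is the DC locator SRV record.
$srv = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1) -join "`n"
Write-Host $srv
if ($srv -notmatch 'svr hostname') {
    Write-Warning 'No DC SRV records returned: this client is not resolving through AD DNS.'
}

# "Server: UNKNOWN" at the top of nslookup output only means the resolver's own IP has no PTR
# record; it is not a fault. nltest shows which DC the locator actually finds, independent of
# ping, which may have resolved the name via NetBIOS or cache rather than DNS.
nltest /dsgetdc:$Domain
```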
Under ipconfig /all, I got the correct Primary DNS suffix.

When I did NSLOOKUP servername, I got "Server: Unknown" but the correct address. Then the "Name" was correct, with the correct IP.
>> I got "Server: Unknown"
Something wrong then.

Try running the same nslookup commands on the server itself.
And, you are sure there is no secondary DNS server in the NIC configuration?
Where is the "NIC" configuration located?  Through Device Manager?
Under IPv4 everything is automatic except the one address typed in for the preferred DNS server which is the one PDC.
God no,

go into control panel, then network and sharing, then click change adapter settings on the left and then look on your active network card.

So right click the network card

then properties

then TCP/IP

then properties again

then it's in there
Again, under IPv4 only the DNS server address is typed in. Under Alternate Configuration it is listed as all automatic. Under Advanced, only the PDC address is listed, and under WINS, Enable LMHOSTS lookup is checked and the NetBIOS setting is "default".
Did you run nslookup as mentioned above on the server?

On the server you could also run DCdiag and see if it reports any errors.
DCdiag passed all tests on the server.
NSlookup for the machine appears to not have found it. At the bottom: "*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for XXX.XXX.XXX.XXX" (the workstation).

I can ping the workstation from the server by IP and DNS.
Not sure I understand your comment.  On the server run NSlookup servername (not workstation), and then nslookup yourdomain.local
Perhaps you did and I did not understand.

As for ping: ping is a connectivity test, not a DNS test. It will try to resolve the name using DNS, but if that fails it will use NetBIOS and name caches to try to resolve. Ping is resolving the name, but not necessarily by using DNS.

NSlookup is a DNS test tool, but unfortunately it is not all that informative.  There is an app called DIG (part of BIND) but if not familiar with it can be a learning curve to install and use.

One other thought is NSLookup can fail if there is no reverse DNS record for the server.  In the DNS management console, under the server name, look in Reverse Lookup Zones and see if your zone (network ID / Subnet) is present and if so, within it, is there a PTR record for the server name?
When I did NSLOOKUP servername,  I got "Server:   Unknown" but the correct address.
This doesn't indicate a problem, just that there's no reverse lookup zone to resolve that address back to a name.
There is nothing in the Reverse Lookup Zones under the server. It asks me if I want to add a new zone.
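An added example, not code from this thread: creating the missing reverse lookup zone and the server's PTR record on the Server 2012 DC with the DnsServer PowerShell module, which makes nslookup print the server's name instead of "Server: Unknown". The subnet 192.168.123.0/24, the address 192.168.123.123 and the name server.yourdomain.local are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Server 2012 DC.
# Placeholders: subnet 192.168.123.0/24, DC address 192.168.123.123, name server.yourdomain.local.
$NetworkId  = '192.168.123.0/24'
$ZoneName   = '123.168.192.in-addr.arpa'   # reverse zone name for 192.168.123.0/24
$ServerIp   = '192.168.123.123'
$ServerFqdn = 'server.yourdomain.local.'   # trailing dot: fully qualified PTR target

# Create the AD-integrated reverse lookup zone if it does not exist yet.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Add the PTR record for the DC itself; in a /24 zone the record name is the last octet.
$hostPart = ($ServerIp -split '\.')[-1]   # '123'
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $hostPart -RRType Ptr -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordPtr -ZoneName $ZoneName -Name $hostPart -PtrDomainName $ServerFqdn
}

# Verify: query the address against the DC's own resolver. The "Server:" line should now show
# the DC's name rather than "UNKNOWN".
nslookup $ServerIp $ServerIp
```

Domain member workstations that register dynamically will populate the new zone with their own PTR records at their next DHCP renewal or ipconfig /registerdns.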
ASKER CERTIFIED SOLUTION
DrDave242

I did reset the account, but I also made a mistake by doing something else at the same time. There was an AVG screen that would come up when you signed in. AVG was uninstalled a while ago. I went out on the web and found an AVG remover tool. I had to run it twice to get rid of that AVG re-enter license screen. But when I finally went back to connect to the domain, it connected quickly. Rob Williams, I appreciate the things you made me think about looking at. I appreciate all the suggestions from everyone.
Glad you were able to resolve, I am sure you were getting frustrated.
Thanks syssolut!