Question: Windows 7 Pro in Windows AD 2000 native forest/domain getting "The trust relationship between this workstation and the primary domain failed." and accessing to domain resource failed with Access Denied.

  • Thursday, October 29, 2009 8:40 AM SCHT
     

    Steps Taken so far:
    C:\PsTools>psgetsid

    PsGetSid v1.43 - Translates SIDs to names and vice versa
    Copyright (C) 1999-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    SID for \\******:
    S-1-5-21-1620753259-4084368910-2385565570


    C:\PsTools>psgetsid account

    PsGetSid v1.43 - Translates SIDs to names and vice versa
    Copyright (C) 1999-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Error querying account:
    The trust relationship between this workstation and the primary domain failed.

    -------------------------------------------------------
    Net View and Net use to Domain Controller = OK
    -------------------------------------------------------

    Windows Login and Map Drive = Okay.

    -------------------------------------------------------

    Test Effective Permissions using Domain User Account = Windows can't calculate the effective permissions for ************* <AD Account>

All Replies

  • Friday, October 30, 2009 6:40 AM Arthur Xie MSFT, Moderator
     
    It seems that the computer is not joined to the domain properly. Please exit the domain and remove the computer unit from Active Directory. Then re-join the computer to the domain.
    Arthur Xie - MSFT
  • Friday, October 30, 2009 7:17 AM SCHT
     
    Hi Arthur,

    I have attempted the step above countless times and the result is the same.

    I have, however, read something about NTLMv2, NTLM and LM communications:
    that certain versions of the client are not compatible with older NTLM communications.

    Just for your info, my domain has 2 DCs: a Windows 2000 AD/GC server and a Windows 2003 AD/GC.

    Could the issue be an incompatibility between Windows 7 and older computers when attempting NTLM/NTLMv2 communication?
    If possible, please also provide me the link to the TechNet article on the NTLM version differences for all the OSes.
    Also, if this is the cause, could you provide me some information on the workaround?

  • Tuesday, November 03, 2009 1:34 PM nsijtsma
     
    Hi,

    I think I have the same problem as you.

    I get this error when I want to add a user to the local Administrators group (or any other) on the Windows 7 machine:
    "The trust relationship between this workstation and the primary domain failed."

    This is my 4th clean install of Windows 7 on which I have tried this. 4 different machines. All are back to Vista / XP now.
    On those I have tried to rejoin the domain with different names multiple times.
    Now I have Windows 7 installed in a virtual machine and have the same problem.

    I install Win7, join the domain as DOMAIN\Administrator (select "Do not add a user at this time", otherwise I get the error about the relationship),
    reboot and log in as DOMAIN\Administrator. All works fine, my login script runs, I can access network drives.
    But when I try to add a new user to the local Administrators group I get the trust relationship popup.

    Also, it can't resolve 1 SID shown in the local Administrators group (I think DOMAIN\Administrators).

    Let me know if you have a solution for this.
  • Tuesday, November 03, 2009 2:10 PM SCHT
     
    I read somewhere it could also be due to older OSes like Windows 2000 not being able to understand Kerberos, and Windows 7/2008 R2 blocking older NTLMv1.

    But so far no one has replied officially to my query. I will have to remove my Windows 2000 DC and test further.
  • Wednesday, November 04, 2009 9:32 AM nsijtsma
     
    My problem seems to be solved! :D

    Thanks to this topic:

    http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/7d0bb953-3514-4475-8f00-5f624f5f6b00

    Adding the user as a local administrator only works if you first log on as that user, then use elevated privileges to add that user.
    You have to do this for every user you want to add :( so it seems it's not possible to add multiple users beforehand. You have to ask every user to log on for you so you can add them as administrator for future use.

    Hope I don't run into more problems.
  • Thursday, November 05, 2009 6:37 AM Arthur Xie MSFT, Moderator
     

    Hi,

    There should not be Kerberos authentication problems between Windows systems. When did you get "The trust relationship between this workstation and the primary domain failed" and “Access Denied” error messages?

    The default NTLM authentication level is different in Windows 7. I suggest that you change the level to "Send LM & NTLM - use NTLMv2 session security if negotiated".

    Please refer to:

    Network security: LAN Manager authentication level


    Arthur Xie - MSFT
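
To see which LAN Manager authentication level a client is actually using before and after changing the policy discussed above, the following PowerShell (an added example, not part of the original posts) reads the `LmCompatibilityLevel` registry value behind that policy and checks the machine's secure channel to the domain with `Test-ComputerSecureChannel`. The function names `Get-LmAuthLevel` and `Test-DomainTrust` are hypothetical; run it from an elevated prompt on the affected client.

```powershell
# Added example: report the effective LAN Manager authentication level
# and the state of this computer's secure channel to its domain.

# Policy names as shown under
# "Network security: LAN Manager authentication level".
$policyNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevel {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name LmCompatibilityLevel `
                             -ErrorAction SilentlyContinue
    if ($prop -ne $null) {
        $level  = [int]$prop.LmCompatibilityLevel
        $source = 'registry'
    } else {
        # Value not present: Windows Vista and later behave as level 3.
        $level  = 3
        $source = 'default (value not set)'
    }
    New-Object PSObject -Property @{
        Level  = $level
        Policy = $policyNames[$level]
        Source = $source
    }
}

function Test-DomainTrust {
    # Returns $true when the machine account's secure channel is healthy.
    try   { Test-ComputerSecureChannel -ErrorAction Stop }
    catch { Write-Warning $_.Exception.Message; $false }
}

Get-LmAuthLevel | Format-List Level, Policy, Source
"Secure channel to domain healthy: $(Test-DomainTrust)"
```

Levels 0 to 2 let the client send LM or NTLM (v1) responses; levels 3 and above send NTLMv2 responses only.
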
  • Wednesday, November 11, 2009 4:42 AM SCHT
     
    Hi Arthur,

    1. I get "The trust relationship between this workstation and the primary domain failed" when my logon script / ScriptLogic tries to detect the local admin level of the logon account.

    2. I do get Access Denied when accessing a file share on a 2003 R2 file server. (This happens on Windows 7 x64; however, the same setup on Windows 7 x86 fails to replicate the same error.)

    I will take your suggestion on the LAN Manager authentication level and will give feedback once I get any results.
  • Thursday, November 12, 2009 8:48 AM Arthur Xie MSFT, Moderator
     
    Hi SCHT,

    Does the solution help?
    Arthur Xie - MSFT