"the security database on the server does not have a computer account for this workstation trust relationship"

    Question

  • I am terrifically inexperienced with running a network. The error mentioned in the title occurred today out of the blue. When I came in this morning I was able to log in fine. When I left for about 3 hours and came back to find my computer locked as usual I attempted to log back in. Instead of logging in I got the aforementioned security database error. I read through other articles on the matter but they talk of forests and such which means nothing to me due to my inexperience. The server is in our office, my workstation is separated from the server by only a switch. The server is running Windows Server 2008, my workstation is running Windows 7 Professional. Can anyone please offer a layman's explanation of what I should do here? Thanks in advance for anyone's consideration on the matter!

    Sunday, December 18, 2011 9:30 PM

Answers

  • Try removing the PC from the domain and re-adding it.  For various reasons, computers can lose their trust relationship with the domain and need to be reconnected.
    Rich Prescott | Infrastructure Architect, Windows Engineer and PowerShell blogger | MCITP, MCTS, MCP

    Engineering Efficiency
    @Rich_Prescott
    Client System Administration tool
    AD User Creation tool
    Sunday, December 18, 2011 9:41 PM
  • The error message indicates that the secure channel between the client server and DC is broken.

    (1) Check the DNS & WINS entries?
     
    IP configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set public DNS server in TCP/IP setting of WS.

    (2) Check whether the Firewall service is ON or OFF?
    Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    (3) Check the status of the Browser service?
    It should be started.

    (4) Check the status of the machine's account in the AD? (It may be disabled)
    If the machine account is disabled, enable the same.

    (5) Remove the PC from the domain & re-add it to the domain, or else try using the netdom utility to reset the secure channel between the server & the domain controller.
    http://support.microsoft.com/kb/260575

    (6) Also check the DNS console for a duplicate record for the host machine and remove the same.


    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, December 19, 2011 12:46 AM
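
The workstation-side checks from the checklist above, written out as an added example that is not part of the original thread. It assumes an elevated session under a local administrator account and Windows PowerShell 3.0 or later (needed for `-Credential` on `Test-ComputerSecureChannel`); `-Repair` rebuilds the Netlogon secure channel in place, so the machine does not have to be removed from the domain.

```powershell
# Added example, not from the thread. Run elevated on the affected workstation,
# logged on with a LOCAL administrator account.
# Assumption: Windows PowerShell 3.0+ (for Test-ComputerSecureChannel -Credential).

$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is not joined to a domain; nothing to verify."
} else {
    $domain = $cs.Domain

    # Check (1): every active adapter should list the internal DNS server
    # (in a single-DC office, the DC itself), not a public resolver.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Select-Object Description,
            @{ Name = 'DnsServers'; Expression = { $_.DNSServerSearchOrder -join ', ' } } |
        Format-Table -AutoSize

    # Check (1), continued: the client locates a DC through this SRV record.
    # No answer here means the DNS settings above are the real problem.
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"

    # Check (3): state of the Computer Browser service.
    Get-Service -Name Browser | Select-Object Name, Status

    # Checks (4) and (6) are made on the DC, for example:
    #   dsquery computer -name <workstation> | dsget computer -disabled
    # and by looking for duplicate host records in the DNS console.

    # Check (5): test the secure channel and repair it in place if it is broken.
    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $domain is healthy."
    } else {
        Write-Warning "Secure channel to $domain is broken; attempting repair."
        # Prompt for a domain account allowed to reset this computer's account.
        $cred = Get-Credential
        if (Test-ComputerSecureChannel -Repair -Credential $cred) {
            Write-Host "Repaired. Log off and sign in with the domain account."
        } else {
            Write-Warning "Repair failed. Confirm the computer account exists and is enabled in AD, then use netdom or rejoin the domain."
        }
    }

    # Independent confirmation from the Netlogon side.
    nltest "/sc_verify:$domain"
}
```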
  • Hello,

    Are you sure that no one had deleted the computer account? Please perform a full scan on your DC to check if there is a virus that did that.

    For the computer, unjoining it and joining to the domain should solve the problem.

    As I see you have one DC so that should not be an AD replication problem.



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Sunday, December 18, 2011 10:42 PM

All replies

  • Check that the Service Principal Name (SPN) and DnsHostName are present in the computer account attributes.

    If they are not present please add them to the attribute.

    Below is the link which you can refer to

    http://clintboessen.blogspot.in/2011/06/security-database-on-server-does-not.html

    Thanks,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com

    Wednesday, February 15, 2012 7:37 AM
  • Thanks Rich, your suggestion worked in my case. I removed my VM from the domain and re-added it. It all worked fine. The only thing is I need to restart twice.

    Thanks,

    Krishna.


    Krishna

    Thursday, July 05, 2012 10:17 AM
  • We get this error on our workstations every so often. The recommended solution of removing the workstation from the domain and adding it back does not "work for us," meaning yes, it *does* work, but not in a manner that we believe to be satisfactory. The reason it isn't satisfactory for us is because when you log onto the workstation after adding the workstation back to the domain, it typically creates a new user name on the workstation and you have to copy your desktop and other settings and documents from the old user name to the new user name. For example, if my network user ID were "Domain\User1," it would set up a new user on the workstation named "Domain\User1.000," with a new desktop, new My Documents folder, new everything. It's a bit of a hassle to have to copy everything from the old user name folders to the new user name folders, especially since it really doesn't fix the actual problem-- it's like fixing the symptom instead of the cause-- so you just end up getting a repeat of the whole scenario a few months later.

    What we do is restart the workstation (bye bye anything you hadn't saved!), log on locally to the workstation itself, do a system restore to the most recent system restore point, and then everything is hunky dory-- at least until the next time it happens a few months later. But at least you don't have to leave the domain and rejoin the domain, then have to copy everything to your new user name folders on the workstation.

    I have been trying to keep track of when this happens to me and what had changed. What it looks like is that it's caused by some update being applied to the workstation while I'm logged onto the workstation/domain but my session became inactive. For instance, today it happened again and when I went to my system restore points the last restore point was from today at just a few hours earlier-- shortly after I'd left my office and gone to a meeting in my boss's office for a few hours. And what had created the restore point? Why, a "critical update" from Microsoft, of course. As soon as I restore my system to just before that update was applied, everything is hunky dory. So I check for new updates-- since I just wiped out the one that had been automatically applied-- and it was a definitions update for Windows Defender. Oddly enough, I applied the update myself and was able to log off and on without any problems afterward, so the only thing I can figure is maybe the issue occurred because the update had been applied while I was logged on but my session had been idle for too long? I have now changed all of my update settings to "download updates as they become available but let me decide my own dang self when to apply those suckers," so I can make sure that the updates will be applied *only* while I am logged on and my session is active. Note, automatic updating is fine if I'm *not* logged in at the time the update is applied (like 2AM at night); the problem has only occurred (as far as I can tell) when an update is applied while I'm logged in but my session has become inactive. I'm hoping that changing my update settings will keep me from having to do another system restore a few months from now, but I'll just have to wait and see.

    Tuesday, September 04, 2012 6:13 PM
  • true.

    removing the PC from the Domain and connecting it back works.  thanks

    Thursday, July 18, 2013 7:20 AM
  • I had the same experience today. I moved from one snapshot to another while still uninstalling some SQL Server 2008 features. When I tried to log on to the domain again I was unable to log on. My problem is that my VM name was modified from myvmtest2-vm to myvmtest2.

    I logged in with a local user account, changed my VM name, and was able to log back into the domain.

    It seems that this error occurs when system changes are taking place or an unexpected shutdown/move to another snapshot is done.

    Friday, September 20, 2013 3:16 PM
  • Some of the various reasons may be:

    -incomplete installation of updates;

    -moving from one snapshot to another while making changes to system(on VM)

    -unexpected power off

    (Last two happened to me. The solution  was to rejoin the domain [I was on VM])



    • Edited by Cerbu21 Sunday, July 13, 2014 4:52 PM grammar mistakes
    Friday, September 20, 2013 3:24 PM
  • Hi. You can just unplug the network cable, sign in as usual, and plug the cable back in - temp fix

    Do the same as above remove the computer from the domain and add it back

    Problem solved

    Tuesday, March 04, 2014 7:28 PM