Trust relationship between workstation and primary domain failed

  • Question

  • Hi, 

    We had a huge problem yesterday. It started around the middle of the day...

    Clients are facing a problem while trying to log in to the domain; they get the errors "Trust relationship between workstation and primary domain failed" and "Currently no logon server available to service this request".

    We have 3 DCs at the root and 4 DCs at the domain level. After troubleshooting, we found that replication with one of the root DCs was failing, but sorting out the replication issue did not help with the issue faced by the clients.

    The number of machines on the domain with the same error is increasing. To resolve it on each machine, we are manually disjoining the machine and rejoining it to the domain.

    But the increasing number is also affecting machines in remote areas.

    Need urgent help to sort out this issue...

    Tuesday, July 12, 2011 9:13 AM

All replies

  • Was this machine prepared from cloning/imaging/snapshots? If yes, did you use the NewSid/Sysprep tool to change its SID? Is DNS aging/scavenging configured properly?

    http://awinish.wordpress.com/2011/02/08/dns-scavenging-auditing-concepts/

    Are there any connectivity issues? The reason can be a hostname conflict, or the DC not being available during the machine account password refresh, due to which the secure channel between the DC and the machine breaks and the system starts rejecting login requests. Also, are all your systems running the latest SP and patches?

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/


    Regards


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Tuesday, July 12, 2011 10:28 AM
    Tuesday, July 12, 2011 9:43 AM
  • Hi,

    Use the command below to check the computer account. Due to the replication issue, the new secure channel password of the computer account is not replicated to the other DCs (if DC replication failed for more than 30 days).

    net view \\computername

    or

    net use \\computername

    If you receive an access denied error, then it confirms a computer account issue. To resolve this issue, you have to reset the computer account:

    netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password


    More info: http://support.microsoft.com/kb/288167

    Regards

    Ganesh

    www.windowstricks.in


    Tuesday, July 12, 2011 10:01 AM
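
Added example (not part of any reply in this thread): a Windows PowerShell check, run on an affected workstation, that tests the secure channel discussed in the replies above and repairs it in place instead of disjoining and rejoining. The function name `Get-SecureChannelStatus` is hypothetical; `Test-ComputerSecureChannel` and `nltest` are built-in Windows tools.

```powershell
# Added example, run locally on an affected workstation from an elevated prompt.
# Assumption: Windows PowerShell 3.0 or later (needed for -Credential on
# Test-ComputerSecureChannel).

function Get-SecureChannelStatus {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw "$env:COMPUTERNAME is not joined to a domain."
    }

    # True when the Netlogon secure channel to the domain verifies.
    # A failure to reach any DC is reported as unhealthy rather than thrown.
    $reason = $null
    try   { $healthy = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $healthy = $false; $reason = $_.Exception.Message }

    # nltest names the DC the channel is bound to, useful for correlating
    # failures with a DC that has replication problems.
    $nltest = (& nltest.exe "/sc_query:$($cs.Domain)" 2>&1 | Out-String).Trim()

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Domain   = $cs.Domain
        Healthy  = $healthy
        Reason   = $reason
        Nltest   = $nltest
    }
}

$status = Get-SecureChannelStatus
$status | Format-List Computer, Domain, Healthy, Reason, Nltest

if (-not $status.Healthy) {
    # -Repair removes and rebuilds the Netlogon channel in place, so the machine
    # keeps its existing AD computer object (no disjoin/rejoin).
    # Credentials are prompted for, never written into the script.
    $cred = Get-Credential
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output 'Secure channel repaired; retry a domain logon.'
    } else {
        Write-Warning 'Repair failed; check DC reachability and AD replication first.'
    }
}
```
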
  • Dear Awinish, 

    No, I have not used NewSid/Sysprep, but scavenging/aging is not configured in my scenario. In my setup we have domain controllers at the domain level and 3 DCs at the root level.

    I have checked for connectivity issues; it's fine.

    Dear Ganesamoorthy,

    Does the command you provided for resetting reset the remote computer account or the domain controller computer account?

    Tuesday, July 12, 2011 12:41 PM
  • Can you verify the SPN on one of the problem workstations?

    http://portal.sivarajan.com/2010/05/workstation-trust-relationship-issue.html

    Do you use any type of computer synchronization in AD or between domains?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties, and confers no rights.
    Tuesday, July 12, 2011 1:40 PM
  • What I would suggest is to reset the computer account from DSA.MSC (just right-click the computer account and reset it).

    In my case the issue has been resolved.


    Regards Rahul A
    Tuesday, July 12, 2011 6:08 PM
  • If that doesn't fix your issue, you may follow the article and, as you have already done, you would need to rejoin the machine to the domain.

    http://support.microsoft.com/kb/162797

    Take the PC out of the domain. Delete the workstation object from the domain, if it remains. Add the PC back into the domain.


    Regards Rahul A
    Tuesday, July 12, 2011 6:13 PM
  • I am facing the same problem of "Trust relationship between workstation and primary domain failed". We have a couple of clients getting this error when they log on to the domain. The client computers log in to the domain successfully after the network cable is removed; after login, the network cable is plugged back into the network card. I have removed and re-added the computer accounts to the domain frequently, but after a few days I get the same error. I also checked the SPN, but no duplicate entry was found.

    Kindly advise.

    Jigs


    • Edited by IT-Jigs Saturday, March 10, 2012 12:37 AM
    Saturday, March 10, 2012 12:36 AM