trust relationship between this workstation and the primary domain failed

  • Question

  • Dear all,

    We have a Windows 2008 server as domain controller. Our client PC is a Windows 2003 server, a member of the domain. Sometimes I have changed my gateway IP address; after that I got an error message like "trust relationship between this workstation and the primary domain failed". Why? Then I rejoined the domain and it's working fine.

    Regards

    Subash

    Monday, June 20, 2011 4:51 PM

All replies

  • Only happening on this particular server?  Do you see any DNS or name resolution issues?

    Anyway, verify the SPN using the following method:

    http://portal.sivarajan.com/2010/05/workstation-trust-relationship-issue.html


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:10 AM
    Monday, June 20, 2011 5:26 PM
  • Hello,

    Changing the default gateway should not have any effect on the domain machines. It sounds to me that your DG is also used as a DNS server. Please post an unedited ipconfig /all from the DC/DNS servers and the problem machine.

    Are any of the problem machines created from a non-sysprepped image or restored from a backup? DCs must be backed up/restored in an AD-aware way.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:10 AM
    Monday, June 20, 2011 5:45 PM
  • Santhosh,

    Have any idea why it's happening? Sometimes we also face this issue...


    Microsoft TechNet Forum Bandara
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:10 AM
    Monday, June 20, 2011 6:42 PM
  • Mainly because of DNS or name resolution issues.

    I have seen this issue due to directory synchronization (third party or native) also.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:10 AM
    Monday, June 20, 2011 7:00 PM
  • Have you changed the gateway again to rejoin the computer? Are you sure that the DC was reachable?

    It looks like the DNS server was not reachable.

    Please try changing the gateway again and use nslookup to check that all is okay with the DNS records.

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:10 AM
    Monday, June 20, 2011 8:49 PM
  • Dear Santhosh,

    Thanks for posting.

    At my branch we have two 2003 servers used like PCs. The Windows 2003 server is just a member of the domain (not a child domain), and we are using SQL Server 2005.

    My other 2003 PC has no problem. Particularly when I change the gateway address on the LAN device the problem happens: \\192.168.58.2 file sharing from my client PC fails and I am also unable to log in through the domain. Whenever the problem happens I have to log in locally, then rejoin the domain, then restart the PC; after that the Windows 2003 PC logs in perfectly to the domain and \\XXXXXX sharing works very well.

    Regards

    Subash.

    Monday, June 20, 2011 8:59 PM
  • Dear boss,

    Have you changed the Gateway IP from your PC?

    Regards

    Subash

    Monday, June 20, 2011 9:00 PM
  • As I mentioned, it could be due to a name resolution issue. How often do you change the gateway, and why?

    Verify the SPN when you experience this issue again.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:11 AM
    Monday, June 20, 2011 9:04 PM
  • What do you mean by “changing the gateway IP”?  Gateway IP address on the server remotely?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:11 AM
    Monday, June 20, 2011 9:05 PM
  • Boss,

    He has changed the gateway IP on the Windows 2003 server by phone: he makes a call to the branch users, they log in as local administrator, then change to the new gateway IP, then rejoin the domain.

    Our branch PC works on two lines, ADSL and ISDN; the ADSL gateway IP address is 192.168.58.1 and the ISDN line gateway IP is 192.168.58.100.

    In case our ADSL line disconnects we change to ISDN through gateway .100. After that I have the problem that the trust relationship to the primary domain is disconnected; then rejoining the domain makes it all right.

    Regards

    Subash

    Monday, June 20, 2011 10:06 PM
  • Boss, please can you explain to me where I can go and how I can change the SPN?

    Regards

    Subash

    Monday, June 20, 2011 10:07 PM
  • It sounds like the server can’t talk to your DC using the new default gateway.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:11 AM
    Tuesday, June 21, 2011 12:12 AM
  • Trust relationship between this workstation and the primary domain failed

    The above error is normally seen when the secure channel between the DC and the client system is broken and domain systems are not able to refresh the machine account passwords. This can be due to connectivity issues, a faulty cable, misconfiguration of ports in the firewall, or issues with the NIC/switches etc.

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

    http://blogs.msdn.com/b/john_daskalakis/archive/2010/02/01/9956266.aspx

    I would make sure DCs & client systems are updated with the latest SP & patches, and that NIC firmware/BIOS is updated to the latest; if not, you should be planning to implement it.

    The secure channel is also broken where the same hostname exists for multiple systems in the domain, or if aging/scavenging is not enabled, or is enabled but not working, on the DNS servers.

    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 3:53 AM
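The checks the replies above recommend (DNS reachability and nslookup, the SPN list, the route to the DC, and the state of the secure channel) gathered into one diagnostic script, as an added example that is not part of the thread or of any poster's own material. It assumes PowerShell 2.0 on the Windows Server 2008 era member machine, and uses the placeholder domain name `corp.example`; the `nltest`, `setspn` and `nslookup` command-line tools it calls ship with Windows Server 2008 (setspn is in the AD DS tools). The final repair step is an alternative to the disjoin/rejoin cycle described in the thread and needs credentials that can reset the computer account.

```powershell
# Added example, not from the thread. Placeholder domain; replace with your own.
$Domain   = 'corp.example'          # assumption: placeholder domain DNS name
$Computer = $env:COMPUTERNAME

# 1. Which gateway and DNS servers is this member actually using right now?
#    The thread's point: if changing the gateway also changes the DNS path,
#    the member can no longer locate a DC and the secure channel cannot be refreshed.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder |
    Format-List

# 2. Is there a route to the DC subnet via the new gateway? (route print lists the
#    active routes; compare the 0.0.0.0 entry with the gateway you just set.)
route print

# 3. Can the member find a DC through the DNS SRV records at all?
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 4. Is the secure channel to a DC intact? Both report the DC used and a status;
#    a broken channel is what produces the "trust relationship ... failed" logon error.
nltest /sc_query:$Domain
nltest /sc_verify:$Domain

# 5. Does the machine account carry the expected SPNs?
#    Expect at least HOST/<name> and HOST/<name>.<domain>; duplicates on another
#    computer object (same hostname registered twice, as the post above warns) break logon.
setspn -L $Computer

# 6. Repair path. Test-ComputerSecureChannel returns $true when the channel is
#    healthy; with -Repair it resets the computer account password against a DC,
#    which avoids the local-logon/rejoin/restart cycle described in the thread.
$cred = Get-Credential   # prompts for an account allowed to reset the computer account
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair -Credential $cred
}
```

Run steps 1 to 5 first and keep the output: a DNS or routing failure in step 1 to 3 means the repair in step 6 will fail the same way the rejoin does until the gateway/DNS configuration is fixed, which is the root cause the replies point at rather than the machine account itself.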
  • Exactly, boss.

    When I change the default gateway to another gateway number, the problem happens.

    Regards

    Subash 

    Tuesday, June 21, 2011 5:49 PM
  • Sounds like a networking issue. Make sure you have a proper route for that IP address.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    • Marked as answer by Suriya Subash Tuesday, June 21, 2011 6:41 PM
    Tuesday, June 21, 2011 5:57 PM
  • Thanks boss, are you from Tamil Nadu?

    I will tell my network department.

    Boss, I have another two doubts.

    1. Our office has three server administrators. The other two server admins changed something in my GPO (group policy object). Afterwards he said "I don't know", and they also said they didn't change anything in the GPO. How can I follow up on what they are doing?

    2. We have 22 servers. I want only some users to be able to log in to my servers and want to restrict the others. How can I do it, boss? Please help me.

    Regards

    Subash ( Yemen )

    00967-777212783

     

    Tuesday, June 21, 2011 6:46 PM
  • You can track group policy related changes by enabling auditing.

    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

    For your second question, you can create a security group, add the users whom you want to allow to log in locally, create a new GPO, link it to the servers OU & configure the GPO settings below:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

    Log on locally & Allow logon through Terminal Services

    By default domain users can't log in to a server locally or remotely; if they are part of the Domain Admins group they can log in to any server/user machine including the DC. The users whom you want to deny, you can put into the "Deny log on locally" list of the GPO.

    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:11 AM
    Wednesday, June 22, 2011 3:42 AM
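The group-plus-GPO setup described in the reply above, and the audit follow-up for the first question, as an added example that is not part of the thread or of any poster's own material. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows Server 2008 R2 or later) and uses placeholder names: the OU `OU=Servers,DC=corp,DC=example`, the group `Server-Logon-Allowed`, the GPO `Servers - Logon Rights` and the sample account `jdoe`. The two user rights themselves have no GroupPolicy-module cmdlet, so the script creates and links the GPO and leaves the rights to be set at the GPMC path quoted in the reply.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServersOU = 'OU=Servers,DC=corp,DC=example'   # assumption: OU holding the 22 servers
$GroupName = 'Server-Logon-Allowed'            # assumption: group of permitted users
$GpoName   = 'Servers - Logon Rights'          # assumption: GPO linked to that OU

# 1. Security group for the people who may log on to the servers.
#    Grant the right to a group, never to individual accounts, so membership
#    changes do not require touching the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $ServersOU
}
Add-ADGroupMember -Identity $GroupName -Members 'jdoe'   # assumption: sample user

# 2. GPO linked to the servers OU. The rights "Allow log on locally" and
#    "Allow log on through Terminal Services" live under
#    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
#    and are edited in GPMC (or imported from a security template). Caveat: a user
#    right defined in a GPO replaces the local list instead of merging with it, so
#    include Administrators (and the service accounts that need it) alongside the
#    new group, or the administrators lock themselves out of the servers.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $ServersOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. Who changed a GPO? With "Audit directory service changes" enabled (the
#    auditing link in the reply), each modification of a groupPolicyContainer
#    object is written to the DC's Security log as event 5136, including the
#    subject account and the attribute changed. Run this on the DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'groupPolicyContainer' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Step 3 only answers "who" if auditing was enabled before the change happened, which is why the reply recommends turning it on now rather than after the next dispute; and, as the following replies note, none of this restrains a member of Domain Admins, who can simply edit the GPO back.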
  • Dear Boss,

    My domain users have some permissions, like membership of Domain Users and Domain Admins. How can I restrict these users from logging in to my servers?

    Regards

    Subash

    Wednesday, June 22, 2011 6:17 AM
  • Hello,

    You can't restrict domain admins from anything. All settings you configure they can revert, as they are domain admins. Only make people domain admins if they know what they are doing. Why do you have so many domain admins?

    Domain users by default are not able to log on to servers.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:12 AM
    Wednesday, June 22, 2011 6:22 AM
  • In a single forest/domain, Domain Admins have complete rights & they can be part of any group, like Administrators or Schema Admins. It is strange that domain users got Domain Admin permissions; if they have been using them for a long time, you need to evaluate & implement domain users being just domain users, & Jr. admins should be delegated. The Domain Admin ID should not be used, because normal tasks can be managed by delegation.

    How to Delegate Basic Server Administration To Junior Administrators.

    http://support.microsoft.com/kb/555986


    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:12 AM
    Wednesday, June 22, 2011 7:34 AM
  • Boss,

    Why I had added Domain Admins: some branch employees want to change their PC default gateway and add new printers themselves, so I have added them to Domain Admins. Please boss, I want to solve it.

    Regards

    Subash

    Wednesday, June 22, 2011 7:48 AM
  • For adding/changing the PC default gateway, you don't need domain admin rights; you can achieve it with local PC administrator rights.

    http://blogs.technet.com/b/askperf/archive/2010/03/19/delegating-printer-management-tasks-in-windows-server-2003.aspx

    http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/58cc3cf6-825e-43ad-8e7f-3772b35d61c1/

    Please refer to & read the links posted in my previous replies.

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Suriya Subash Friday, June 24, 2011 9:12 AM
    Wednesday, June 22, 2011 10:37 AM