Re: Trust relationship between this workstation and the primary do


Why do you want to remove the gateway? There is no value to that.

Once you have configured your dns then what are the errors? Or haven't they
changed?

Can you post the ipconfig /all for both the client and the dc/dns server?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1C08C24F-4DC9-44FE-BBED-C33EFCABD623@xxxxxxxxxxxxxxxx
I only have a single DC/DNS. If I remove the default GW on both the server
and a workstation, do an ipconfig /flushdns then ipconfig /registerdns on
both, would you say that would rule out DNS as being the issue for the orig
problem of not being able to add a domain user account at a workstation
because of the trust relationship error?



"Paul Bergson [MVP-DS]" wrote:

If you have dns issues, you can have all kinds of problems. Fix DNS and
then see what else might be wrong.


"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D4881C6E-99BC-4278-931C-BC024E644BBB@xxxxxxxxxxxxxxxx
I may have more than one issue here, not quite sure yet. Both the
workstation and DC only have the DC/DNS server listed, no alternate DNS
servers anywhere in AD.

I agree with Herb that I need to do a few more things to make DNS more
stable. But does this cause the Kerberos failed message?

I'm just trying to make sure I'm tracking down the right thing and not
breaking something else in the process by me experimenting. I would like to
fix the "trust Issue" first then move to the DNS side like Herb mentioned
unless you guys think they are related and both need to be addressed at the
same time.

Thanks again Paul & Herb for your time on this very complex issue!!!



"Paul Bergson [MVP-DS]" wrote:

From reading the reply to Herb, you should have the problem found.

Make the AD DNS server the only DNS server and forward all requests to your
ISP.


"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:257F6CE5-FAC0-497D-A8F8-96B9159B6AC2@xxxxxxxxxxxxxxxx
Hi,

The following came from running DCDiag & NetDiag from both the DC and also a
W2k-SP4 station. When I tried to run from an XP Pro SP2 station I get a
NTDSA.dll error saying re-installing the application may help.

Hopefully this will tell what's going on!

Many thanks for your help!




From the DC:

DCDiag:
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [MyServer]:failed with 1060: The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [MyServer]:failed with 1060: The specified service does not exist as an installed service.
......................... MyServer failed test Services



NetDiag:
Trust relationship test. . . . . . : Skipped

Do Negotiate authenticated LDAP call to 'MyServer.ABC.org'.
Found 1 entries:
Attr: currentTime
Val: 17 20070126020239.0Z
Attr: subschemaSubentry
Val: 57 CN=Aggregate,CN=Schema,CN=Configuration,DC=ABC,DC=org
Attr: dsServiceName
Val: 109 CN=NTDS Settings,CN=MyServer,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ABC,DC=org
Attr: namingContexts
Val: 44 CN=Schema,CN=Configuration,DC=ABC,DC=org
Val: 34 CN=Configuration,DC=ABC,DC=org
Val: 17 DC=ABC,DC=org
Attr: defaultNamingContext
Val: 17 DC=ABC,DC=org
Attr: schemaNamingContext
Val: 44 CN=Schema,CN=Configuration,DC=ABC,DC=org
Attr: configurationNamingContext
Val: 34 CN=Configuration,DC=ABC,DC=org
Attr: rootDomainNamingContext
Val: 17 DC=ABC,DC=org
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 16 MaxActiveQueries
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Attr: highestCommittedUSN
Val: 6 639883
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Attr: dnsHostName
Val: 19 MyServer.ABC.org
Attr: ldapServiceName
Val: 32 ABC.org:MyServer$@ABC.org
Attr: serverName
Val: 92 CN=MyServer,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ABC,DC=org
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE
[WARNING] Failed to query SPN registration on DC 'MyServer.ABC.org'.
---------------------------


Workstation
DCDiag
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [MyServer]:failed with 1060: The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [MyServer]:failed with 1060: The specified service does not exist as an installed service.
......................... MyServer failed test Services




Netdiag:
Trust relationship test. . . . . . : Passed
Test to ensure DomainSid of domain 'HHWP' is correct.
Secure channel for domain 'HHWP' is to '\\MyServer.ABC.org'.
Secure channel for domain 'HHWP' was successfully set to DC '\\MyServer.ABC.org'.


Kerberos test. . . . . . . . . . . : Failed
Server: ldap/MyServer.ABC.org/ABC.org
End Time: 1/28/2007 1:38:43
Renew Time: 2/3/2007 15:38:43
[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.


"Paul Bergson [MVP-DS]" wrote:

Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server install
disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.



"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8DD4EBC8-E85F-4CA6-A22A-41FD92C85BE6@xxxxxxxxxxxxxxxx
Still no luck, still have the orig. error message when trying to add a
user.

Below are the NLTest commands used. The verify shows no errors now. But
when trying to add a domain user at the workstation I still get the orig
error about the "The Trust relationship between this workstation and the
primary domain failed"

I did try resetting the account at the DC. Also tried removing it then
re-joining the domain, still no luck.

PLEASE HELP!!!


C:\>nltest /sc_reset:ABC.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\ServerName.ABC.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /sc_verify:ABC.org
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\ServerName.ABCc.org

