Re: Re-Post - "the trust relationship between this workstation and the



You don't happen to work down the hall from me, do you? :)
Lately, while doing some migrations, I keep running into a lot of similar
issues. This one is especially telling:

"I also get a Kerberos failed message from the workstation NetDiag; is this a
problem here as well?" although you never really know, right?

Here's how I have been going about the troubleshooting:
1) What's in the event log? Are there any kerberos related errors? (Most
of mine are related to token bloat - hard to spot, but easy to remedy)
2) What about time synchronization related issues in there? (this one is
next most prevalent for my environment; long story that I won't bore you
with)
3) If neither of the above yields any results, are there any third-party
firewalls or antivirus programs installed? If so, which ones?


Sometimes it helps greatly to clear the logs and restart the machines to get
a fresh look at the logs. If auditing is not turned up, now's your chance.

Al
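The three checks in the reply above, as an added PowerShell example that is not part of the thread (the posters were on Windows 2000/XP with netdiag and nltest, where PowerShell did not exist). It assumes a Windows 7 / Server 2008 R2 or later client run from an elevated prompt; the DC name is the one in the quoted post below, and the 24-hour lookback window is an arbitrary assumption.

```powershell
# Added example, not from the thread: the three checks in the reply above as one script,
# for a Windows 7 / Server 2008 R2 or later client run from an elevated prompt.
# The DC name is the one in the quoted post; the lookback window is an assumption.
param(
    [string]$Dc = 'server1.contoso.org',
    [int]$LookbackHours = 24
)
$since = (Get-Date).AddHours(-$LookbackHours)

# 1) Event log: Kerberos/LSA/Netlogon warnings and errors on this machine. On a workstation
#    the Kerberos client errors land in System (LsaSrv 40960/40961, Security-Kerberos 4,
#    NETLOGON 5719/3210); the KDC-side 4768/4771 audits are on the DC, not here.
$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LsaSrv', 'Microsoft-Windows-Security-Kerberos', 'NETLOGON'
    Level        = 1, 2, 3          # critical, error, warning
    StartTime    = $since
})

#    Token bloat: count the SIDs in the current token. LSA refuses a token with more than
#    1015 group SIDs, and the default Kerberos MaxTokenSize (12000 bytes before Windows 8 /
#    Server 2012, 48000 from then on) is exceeded well before that when many of the SIDs
#    are domain-local groups or SID-history entries, so several hundred is already a flag.
$sidCount = @(whoami /groups /fo csv | ConvertFrom-Csv).Count

# 2) Time skew against the DC. Kerberos allows 5 minutes by default. Each w32tm sample line
#    looks like "16:29:12, +00.0000541s" (en-US number formatting assumed here).
$offsets = foreach ($line in (w32tm /stripchart /computer:$Dc /samples:3 /dataonly 2>&1)) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [math]::Abs([double]$Matches[1]) }
}
$maxSkew = ($offsets | Measure-Object -Maximum).Maximum   # $null if the DC did not answer

# 3) Third-party antivirus / firewall. root/SecurityCenter2 exists on client SKUs only,
#    so also list the built-in firewall profiles, which shows whether a third-party
#    product has taken over from Windows Firewall.
$products = foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Kind'; e = { $class } }, displayName, pathToSignedProductExe
}
$fwProfiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Select-Object Name, Enabled

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    KerberosEventCount  = $events.Count
    TokenSidCount       = $sidCount
    MaxClockSkewSeconds = $maxSkew
    SkewOverKerbLimit   = ($null -ne $maxSkew -and $maxSkew -gt 300)
    ThirdPartyProducts  = @($products).displayName -join '; '
    WindowsFirewall     = ($fwProfiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
}

# Most recent Kerberos-related events, first line of each message only.
$events | Sort-Object TimeCreated -Descending | Select-Object -First 10 |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The summary object is what you want from each of the 50 nodes in the OP's setup; run it on the DC as well, since the 4768/4771 audit failures only exist there. Clearing the logs and restarting, as Al suggests, does give a clean baseline, but export them first (`wevtutil epl System C:\logs\System-before.evtx`) so a record survives; `wevtutil cl System` is irreversible.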



"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85CBBBA3-6A67-4311-8F96-95924C80B26B@xxxxxxxxxxxxxxxx
Hi,

I have a big problem I sure could use some help with!

This was previously posted but the thread got really long. I tried to
repost only the relevant info.

When I try to add a new user account at a workstation joined to a
domain, I get an error saying I can't add the user because

"the trust relationship between this workstation and the primary domain
failed ".

This is occurring on stations that are working fine otherwise. The
only problem is adding a new user account on the station. Existing
accounts on the stations are working fine. If I add an existing account to a
different station, same result. Tried setting up a new account in AD. Same
error when adding the account to the station.

I get the error when I go to Control Panel/Users/Add User, enter the user name
and domain, and then get the "the trust relationship between this workstation
and the primary domain failed" message.

I also get a Kerberos failed message from the workstation NetDiag; is this a
problem here as well?

What I have to do to add the user is leave the domain, log in as
administrator, add the local user and make it a member of the local
Administrators group, then join the domain.
While this does get the user on the system, I need to make this user a local
administrator, but they only have limited rights even though they show as
being a member of the local Administrators group. We have 3rd-party software
requiring them to be local administrators.



I'm not sure when the problem first occurred, but users already on the
workstations are working fine.
This is causing major issues, since new accounts cannot be set up on
workstations. Big problem!

Thanks in advance!!!

====================================

I included:
IPConfig /all for DC/DNS & Workstation
NetDiag for DC/DNS & workstation
NSLookup from workstation
NLTest
====================================

Lan configuration:
Single DC/DNS server Win2k SP4 server 172.20.100.2
Member Win2003 SP1 server 172.20.100.4
50-nodes: 2-W2k SP4 rest are XP-Pro SP2
USR Router used for Internet access 172.20.100.200
DNS Forwarder to 172.20.100.200
"." zone removed from Forwarder
====================================

What I have tried:
Resetting the computer object in AD

Removing the computer object from AD, renaming the workstation &
re-joining, but that didn't help.


C:\>nltest /sc_reset:contoso.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.ABC.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /sc_verify:contoso.org
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.ABCc.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully





====================================
NSLookup from Workstation
====================================
C:\Program Files\Support Tools>nslookup server1 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Name: server1.contoso.org
Address: 172.20.100.2

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.200
Server: usr8200.home
Address: 172.20.100.200

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.104, 216.239.37.99
Aliases: www.google.com


C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 209.143.0.10
Server: primary.dns.bright.net
Address: 209.143.0.10

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com


====================================
IPConfig - Workstation
====================================


Windows IP Configuration



Host Name . . . . . . . . . . . . : RM-7-1

Primary Dns Suffix . . . . . . . : contoso.org

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : contoso.org



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
Ethernet

Physical Address. . . . . . . . . : 00-10-18-07-18-9C

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.20.7.1

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.20.100.200

DNS Servers . . . . . . . . . . . : 172.20.100.2


====================================
IPConfig - DC/DNS Server
====================================
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server1
Primary DNS Suffix . . . . . . . : contoso.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.org

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit
Network Adapter #3
Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2


====================================
NetDiag - Workstation
====================================


Gathering the list of Domain Controllers for domain 'contoso'
Testing trust relationships... Passed
Testing Kerberos authentication... Failed
Testing LDAP servers in Domain contoso ...

Tests complete.


Computer Name: RM-7-1
DNS Host Name: RM-7-1.contoso.org
DNS Domain Name: contoso.org
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
Hotfixes :
Installed? Name
Yes KB873339
Yes KB885835
Yes KB885836
Yes KB885884
Yes KB886185
Yes KB887742
Yes KB888113
Yes KB888302
Yes KB890046
Yes KB890859
Yes KB891781
Yes KB893756
Yes KB893803v2
Yes KB894391
Yes KB896344
Yes KB896358
Yes KB896422
Yes KB896423
Yes KB896424
Yes KB896428
Yes KB899587
Yes KB899589
Yes KB899591
Yes KB900485
Yes KB900725
Yes KB900930
Yes KB901017
Yes KB901214
Yes KB902400
Yes KB904706
Yes KB904942
Yes KB905414
Yes KB905749
Yes KB908519
Yes KB908531
Yes KB910437
Yes KB911280
Yes KB911562
Yes KB911564
Yes KB911567
Yes KB911927
Yes KB912919
Yes KB913580
Yes KB914388
Yes KB914389
Yes KB916281
Yes KB916595
Yes KB917344
Yes KB917422
Yes KB917734_WMP9
Yes KB917953
Yes KB918439
Yes KB919007
Yes KB920213
Yes KB920670
Yes KB920683
Yes KB920685
Yes KB920872
Yes KB922582
Yes KB922616
Yes KB922819
Yes KB923191
Yes KB923414
Yes KB923689
Yes KB923694
Yes KB923980
Yes KB924496
Yes KB925398_WMP64
Yes KB925454
Yes KB925486
Yes KB925876
Yes KB926255
Yes KB928388
Yes KB929120
Yes Q147222


Default gateway test . . . : Passed
Pinging gateway 172.20.100.200 - reachable
At least one gateway reachable for this adapter.

NetBT name test. . . . . . : Passed
NetBT_Tcpip_{7723A855-721E-4C55-B595-814BDDE90AE5}
RM-7-1 <00> UNIQUE REGISTERED
contoso <00> GROUP REGISTERED
RM-7-1 <20> UNIQUE REGISTERED
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.

NetBios Resolution : via DHCP

Netbios Remote Cache Table
Name Type HostAddress Life [sec]
---------------------------------------------------------------
server1 <00> UNIQUE 172.20.100.2 490
contoso <1C> GROUP 172.20.100.2 487
server2 <20> UNIQUE 172.20.100.4 255
contoso <1B> UNIQUE 172.20.100.2 255
server1 <20> UNIQUE 172.20.100.2 205
server1.contoso<2E> UNIQUE 172.20.100.2 487


WINS service test. . . . . : Skipped
There is no primary WINS server defined for this adapter.
There is no secondary WINS server defined for this adapter.
There are no WINS servers configured for this interface.

Ipx configration
Network Number . . . . : 2b3fe51f
Node . . . . . . . . . : 00101807189c
Frame type . . . . . . : 802.3



Global results:


IP General configuration
LMHOSTS Enabled. . . . . . . . : Yes
DNS for WINS resolution. . . . : Enabled
Node Type. . . . . . . . . . . : Hybrid
NBT Scope ID . . . . . . . . . :
Routing Enabled. . . . . . . . : No
WINS Proxy Enabled . . . . . . : No
DNS resolution for NETBIOS . . : No



Domain membership test . . . . . . : Passed
Machine is a . . . . . . . . . : Member Workstation
Netbios Domain name. . . . . . : contoso
Dns domain name. . . . . . . . : contoso.org
Dns forest name. . . . . . . . : contoso.org
Domain Guid. . . . . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Sid . . . . . . . . . . :
S-1-5-21-1838114092-1579624115-538272213
Logon User . . . . . . . . . . : Administrator
Logon Domain . . . . . . . . . : contoso
Logon Server . . . . . . . . . : \\server1




DNS test . . . . . . . . . . . . . : Passed
Interface {7723A855-721E-4C55-B595-814BDDE90AE5}
DNS Domain:
DNS Servers: 172.20.100.2
IP Address: 172.20.7.1
Expected registration with PDN (primary DNS domain name):
Hostname: RM-7-1.contoso.org.
Authoritative zone: contoso.org.
Primary DNS server: server1.contoso.org 172.20.100.2
Authoritative NS:172.20.100.2
Verify DNS registration:
Name: RM-7-1.contoso.org
Expected IP: 172.20.7.1
Server 172.20.100.2: NO_ERROR
The DNS registration for RM-7-1.contoso.org is correct on all DNS
servers




DC discovery test. . . . . . . . . : Passed

Find DC in domain 'contoso':
Found this DC in domain 'contoso':
DC. . . . . . . . . . . : \\server1.contoso.org
Address . . . . . . . . : \\172.20.100.2
Domain Guid . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Name . . . . . . : contoso.org
Forest Name . . . . . . : contoso.org
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8

Find PDC emulator in domain 'contoso':
Found this PDC emulator in domain 'contoso':
DC. . . . . . . . . . . : \\server1.contoso.org
Address . . . . . . . . : \\172.20.100.2
Domain Guid . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Name . . . . . . : contoso.org
Forest Name . . . . . . : contoso.org
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8

Find Windows 2000 DC in domain 'contoso':
Found this Windows 2000 DC in domain 'contoso':
DC. . . . . . . . . . . : \\server1.contoso.org
Address . . . . . . . . : \\172.20.100.2
Domain Guid . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Name . . . . . . : contoso.org
Forest Name . . . . . . : contoso.org
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8


DC list test . . . . . . . . . . . : Passed
List of DCs in Domain 'contoso':
server1.contoso.org


Trust relationship test. . . . . . : Passed
Test to ensure DomainSid of domain 'contoso' is correct.
Secure channel for domain 'contoso' is to '\\server1.contoso.org'.
Secure channel for domain 'contoso' was successfully set to DC
'\\server1.contoso.org'.


Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
Server: krbtgt/contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: krbtgt/contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: cifs/server1.contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: ldap/server1.contoso.org/contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: LDAP/server1.contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: cifs/server1
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
[FATAL] Kerberos does not have a ticket for
host/RM-7-1.contoso.org.



Do Negotiate authenticated LDAP call to 'server1.contoso.org'.
Found 1 entries:
Attr: currentTime
Val: 17 20070207233554.0Z
Attr: subschemaSubentry
Val: 57
CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso,DC=org
Attr: dsServiceName
Val: 109 CN=NTDS
Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=org
Attr: namingContexts
Val: 44 CN=Schema,CN=Configuration,DC=contoso,DC=org
Val: 34 CN=Configuration,DC=contoso,DC=org
Val: 17 DC=contoso,DC=org
Attr: defaultNamingContext
Val: 17 DC=contoso,DC=org
Attr: schemaNamingContext
Val: 44 CN=Schema,CN=Configuration,DC=contoso,DC=org
Attr: configurationNamingContext
Val: 34 CN=Configuration,DC=contoso,DC=org
Attr: rootDomainNamingContext
Val: 17 DC=contoso,DC=org
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 16 MaxActiveQueries
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Attr: highestCommittedUSN
Val: 6 648273
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Attr: dnsHostName
Val: 19 server1.contoso.org
Attr: ldapServiceName
Val: 32 contoso.org:server1$@contoso.org
Attr: serverName
Val: 92
CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=org
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE
[WARNING] Failed to query SPN registration on DC 'server1.contoso.org'.


Routing table test . . . . . . . . : Passed
Active Routes :
Network Destination      Netmask          Gateway         Interface    Metric
0.0.0.0                  0.0.0.0          172.20.100.200  172.20.7.1   10
127.0.0.0                255.0.0.0        127.0.0.1       127.0.0.1    1
172.20.0.0               255.255.0.0      172.20.7.1      172.20.7.1   10
172.20.7.1               255.255.255.255  127.0.0.1       127.0.0.1    10
172.20.255.255           255.255.255.255  172.20.7.1      172.20.7.1   10
224.0.0.0                240.0.0.0        172.20.7.1      172.20.7.1   10
255.255.255.255          255.255.255.255  172.20.7.1      172.20.7.1   1
No persistent route entries.


Netstat information test . . . . . : Passed


IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information


The command completed successfully

==========================================================================
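The netdiag run above passes every trust and secure-channel test but fails the Kerberos test with "[FATAL] Kerberos does not have a ticket for host/RM-7-1.contoso.org" and "[WARNING] Failed to query SPN registration on DC". The following is an added PowerShell example, not from the thread, that performs the two halves of that check by hand on a Windows 7 / Server 2008 R2 or later client, where netdiag no longer ships: is host/<FQDN> registered on the computer account, and can this client obtain a service ticket for it. It assumes a domain-joined machine running as a domain user; the machine's own name and joined domain (Win32_ComputerSystem) are used unless an FQDN is passed in.

```powershell
# Added example, not from the thread: the check behind netdiag's 'Kerberos test', done by
# hand on Windows 7 / Server 2008 R2 or later. Assumes a domain-joined client running as a
# domain user. With no argument it tests this machine; pass -Fqdn to test another account.
param(
    [string]$Fqdn
)
if (-not $Fqdn) {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $Fqdn = "$($cs.DNSHostName).$($cs.Domain)"
}
$Fqdn    = $Fqdn.ToLower()
$netbios = ($Fqdn -split '\.')[0]

# 1) Is host/<FQDN> registered on the computer account? netdiag's [FATAL] line named exactly
#    that SPN, and its [WARNING] said it could not read the SPN registration from the DC.
#    Computer accounts are found by sAMAccountName, which is the NetBIOS name plus '$'.
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$netbios`$))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]('servicePrincipalName', 'dNSHostName'))
$account = $searcher.FindOne()
if (-not $account) { throw "No computer account $netbios`$ found in the domain" }
$spns       = @($account.Properties['serviceprincipalname'] | ForEach-Object { "$_" })
$adDnsName  = "$($account.Properties['dnshostname'])"
$hasHostSpn = $spns -contains "host/$Fqdn"          # -contains is case-insensitive

# 2) Can this client get a service ticket for that SPN? 'klist get' requests one from the
#    KDC; on success it shows up in the 'Server:' lines of 'klist', the same lines netdiag
#    printed under 'Cached Tickets'.
$null = klist get "host/$Fqdn" 2>&1
$requestOk = ($LASTEXITCODE -eq 0)
$cached = foreach ($line in (klist 2>&1)) {
    if ("$line" -match '^\s*Server:\s*(\S+)') { $Matches[1] }
}

[pscustomobject]@{
    Computer         = $netbios
    ExpectedSpn      = "host/$Fqdn"
    AdDnsHostName    = $adDnsName
    DnsNameMatches   = ($adDnsName -ieq $Fqdn)
    HostSpnInAd      = $hasHostSpn
    RegisteredSpns   = $spns -join '; '
    TicketRequestOk  = $requestOk
    HostTicketCached = ($cached -contains "host/$Fqdn")
}
```

The result separates the two sides: HostSpnInAd or DnsNameMatches false points at the computer object in the directory, while a registered SPN with TicketRequestOk or HostTicketCached false points at the client-to-KDC exchange. Neither overlaps with what `nltest /sc_verify` checks, which is the machine account's secure channel; that is why the output above can show every trust test passing while the Kerberos test fails.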
