Re: Re-Post - "the trust relationship between this workstation and





"Al Mulnick" wrote:

You don't happen to work down the hall from me, do you? :)
Lately, while doing some migrations I keep running into a lot of similar
issues. This one is especially telling:

"I also get a Kerberos failed message from the workstation NetDiag, is this a
problem here as well?" although you never really know, right?

Here's how I have been going about the troubleshooting:
1) What's in the event log? Are there any Kerberos related errors? (Most
of mine are related to token bloat - hard to spot, but easy to remedy)
2) What about time synchronization related issues in there? (this one is
next most prevalent for my environment; long story that I won't bore you
with)
3) If both of the above don't yield any results, are there any third party
firewalls or antivirus programs installed? If so, which ones?


Sometimes it helps greatly to clear the logs and restart the machines to get
a fresh look at the logs. If auditing is not turned up, now's your chance.

Al

Hi Al,

As it turns out the Kerberos error I have isn't causing my trust
relationship problem. Nobody would say if I should even pursue the Kerberos
error. Wasted a lot of time there. Wasn't DNS either.

Did you get the problem resolved?






"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85CBBBA3-6A67-4311-8F96-95924C80B26B@xxxxxxxxxxxxxxxx
Hi,

I have a big problem I sure could use some help with!

This was previously posted but the thread got really long. I tried to
repost only the relevant info.

When I try to add a new user account at a workstation joined to a
domain, I get an error saying I can't add the user because

"the trust relationship between this workstation and the primary domain
failed".

This is occurring on stations that are working fine otherwise. The
only problem is adding a new user account on the station. Existing
accounts on the stations are working fine. If I add an existing account to a
different station, same result. Tried setting up a new account in AD. Same
error when adding account to station.

I get the error when I go to Control panel/Users/Add User/Enter User Name
and Domain, then get "the trust relationship between this workstation and
the primary domain failed" message

I also get a Kerberos failed message from the workstation NetDiag, is this a
problem here as well?

What I have to do to add the user is leave the domain, log in as
administrator, add the local user and make it a member of the local
administrator group, join the domain.
While this does get the user in the system, I need to make this user a
local administrator but they only have limited rights even though they show
as being a member of the local administrator group. We have 3rd party
software requiring them to be local administrators.



I'm not sure when the problem first occurred, but users already on the
workstations are working fine.
This is causing major issues of not being able to set up new accounts on
workstations. Big Problem!

Thanks in advance!!!

====================================

I included:
IPConfig /all for DC/DNS & Workstation
NetDiag for DC/DNS & workstation
NSLookup from workstation
NLTest
====================================

Lan configuration:
Single DC/DNS server Win2k SP4 server 172.20.100.2
Member Win2003 SP1 server 172.20.100.4
50-nodes: 2-W2k SP4 rest are XP-Pro SP2
USR Router used for Internet access 172.20.100.200
DNS Forwarder to 172.20.100.200
"." zone removed from Forwarder
====================================

What I have tried:
Resetting computer object in AD

Removing the computer object from AD, renaming the workstation &
re-joining but that didn't help.


C:\>nltest /sc_reset:contoso.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.ABC.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /sc_verify:contoso.org
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.ABCc.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully





====================================
NSLookup from Workstation
====================================
C:\Program Files\Support Tools>nslookup server1 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Name: server1.contoso.org
Address: 172.20.100.2

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.200
Server: usr8200.home
Address: 172.20.100.200

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.104, 216.239.37.99
Aliases: www.google.com


C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 209.143.0.10
Server: primary.dns.bright.net
Address: 209.143.0.10

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com


====================================
IPConfig - Workstation
====================================


Windows IP Configuration

Host Name . . . . . . . . . . . . : RM-7-1
Primary Dns Suffix . . . . . . . : contoso.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-10-18-07-18-9C
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.7.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2

====================================
IPConfig - DC/DNS Server
====================================
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server1
Primary DNS Suffix . . . . . . . : contoso.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.org

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit Network Adapter #3
Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2


====================================
NetDiag - Workstation
====================================


Gathering the list of Domain Controllers for domain 'contoso'
Testing trust relationships... Passed
Testing Kerberos authentication... Failed
Testing LDAP servers in Domain contoso ...

Tests complete.


Computer Name: RM-7-1
DNS Host Name: RM-7-1.contoso.org
DNS Domain Name: contoso.org
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
Hotfixes :



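Al's three checks (Kerberos errors in the event log, time synchronization, third-party firewall or antivirus), collected into one triage script. This is an added example, not part of the original thread. It assumes Windows PowerShell 5.1 on a current domain-joined Windows client rather than the Windows 2000/XP machines in the post, an elevated session, and a one-day look-back window chosen here for illustration.

```powershell
# Added example: triage following the three checks in Al's reply.
# Assumptions: elevated Windows PowerShell 5.1, domain-joined client,
# $Since look-back window of one day (illustrative value).
$Since  = (Get-Date).AddDays(-1)
$Domain = (Get-CimInstance Win32_ComputerSystem).Domain

# 1) Kerberos-related errors and warnings in the System log, grouped by event ID.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Level        = 2, 3              # 2 = Error, 3 = Warning
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Token bloat indicator: group SIDs in the current logon token.
# Run as the affected user, since the token belongs to whoever is logged on.
$groupCount = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
"Group SIDs in current token: $groupCount"

# 2) Time synchronization: clock offset against the DC that nltest locates,
#    plus recent Time-Service errors and warnings.
$match = nltest /dsgetdc:$Domain | Select-String 'DC: \\\\(\S+)'
if ($match) {
    $dc = $match.Matches[0].Groups[1].Value
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
} else {
    "nltest could not locate a DC for $Domain"
}
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Level        = 2, 3
    StartTime    = $Since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# 3) Third-party firewall / antivirus registered with Security Center.
#    The root/SecurityCenter2 namespace exists on client editions only.
foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName $class `
        -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Type'; e = { $class } }, displayName
}

# Secure channel check, the same nltest verb used in the post.
nltest /sc_verify:$Domain
```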