Re: Re-Post - "the trust relationship between this workstation and



Did you get this fixed yet?
It is most likely a problem with Kerberos, although it's not yet clear if
that's a symptom or a root cause.

What stands out to me is this:

[WARNING] Failed to query SPN registration on DC 'server1.contoso.org'.

And This:
WINS service test. . . . . : Skipped
There is no primary WINS server defined for this adapter.
There is no secondary WINS server defined for this adapter.
There are no WINS servers configured for this interface.

And this:
Ipx configration
Network Number . . . . : 2b3fe51f
Node . . . . . . . . . : 00036d181c76
Frame type . . . . . . : 802.3

Do you have IPX running or is that a leftover?


And this:
[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.

These seem to indicate that troubleshooting this as a Kerberos issue is the
right path. If that means fixing the SPN issue first (that's an easy
one) and checking into the NetBIOS resolution next, then it might be worth
your time to find out about that. What is bothersome is how come
MIPTEMPORARY$ (your workstation you tested from, correct?) doesn't have a
ticket. Can you also run netdom and verify that the workstation has a valid
account and that it checks out OK?

Al
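An added example, not part of the thread: a PowerShell script that runs the three checks Al asks for from the affected workstation (SPN registration on the DC, the workstation's computer account and secure channel, and a Kerberos ticket for the workstation's own account). The domain and DC names are the ones in the thread; the SPN list, the helper names and the choice of setspn, nltest, klist and Test-ComputerSecureChannel as the tools are my assumptions.

```powershell
# Added example, not from the thread: the checks Al asks for, run from the
# affected workstation in an elevated PowerShell. Domain and DC names are the
# ones in the thread; the SPN list, the helper names and the use of
# setspn/nltest/klist/Test-ComputerSecureChannel are my assumptions.
param(
    [string]$Domain = 'contoso.org',          # from the thread
    [string]$DC     = 'server1.contoso.org'   # from the thread
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Run a command-line tool and return stdout+stderr as strings; a missing tool becomes one line.
    try { @(& $Exe @ToolArgs 2>&1 | ForEach-Object { "$_" }) }
    catch { @("$Exe failed: $($_.Exception.Message)") }
}

# 1. SPN registration on the DC (the "[WARNING] Failed to query SPN registration" line).
#    A DC's computer object must carry at least its HOST/, ldap/ and GC/ SPNs;
#    if one is missing, the KDC cannot issue tickets for that service.
$dcShort = ($DC -split '\.')[0]
$spnOut  = @(Invoke-Tool 'setspn' @('-L', $dcShort))
foreach ($spn in @("HOST/$DC", "ldap/$DC", "GC/$DC/$Domain")) {
    $found = @($spnOut | Where-Object { $_.Trim() -ieq $spn }).Count -gt 0
    Add-Result "SPN $spn on $dcShort`$" $found ('setspn -L returned {0} lines' -f $spnOut.Count)
}

# 2. The workstation's own computer account and secure channel (what "netdom verify"
#    checks). Test-ComputerSecureChannel validates the machine password against $DC;
#    nltest /sc_verify is kept for its status codes.
$scOk = $false
try { $scOk = [bool](Test-ComputerSecureChannel -Server $DC -ErrorAction Stop) } catch { }
$nl = @(Invoke-Tool 'nltest' @("/sc_verify:$Domain"))
Add-Result "Secure channel for $env:COMPUTERNAME`$ to $DC" $scOk (($nl | Where-Object { $_ -match 'Status' }) -join '; ')

# 3. A Kerberos ticket for the workstation itself (the netdiag "[FATAL] ... does not have
#    a ticket for <WORKSTATION>$" line). The KDC issues host/<fqdn> only if the computer
#    object and its host/ SPN exist; a stale machine password shows up in check 2 instead.
$fqdn = "$env:COMPUTERNAME.$Domain".ToLower()   # assumes the host's DNS name is in the AD domain
$kl   = @(Invoke-Tool 'klist' @('get', "host/$fqdn"))
Add-Result "Ticket for host/$fqdn" (($kl -join "`n") -match 'retrieved successfully') (($kl | Select-Object -First 1))
# The computer account's own TGT lives in the SYSTEM logon session (LUID 0x3e7).
$sys = @(Invoke-Tool 'klist' @('-li', '0x3e7'))
Add-Result 'TGT in SYSTEM session (computer account)' (($sys -join "`n") -match "krbtgt/$Domain") ''

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

Run it elevated on the workstation that fails. A missing SPN in check 1 is fixed on the DC side (setspn -A), a false result in check 2 with a successful nltest status points at the machine password rather than the account object, and a failure in check 3 alone means the KDC does not know the workstation's host/ name, which is the symptom netdiag reports as the FATAL line.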


"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F2744A4C-53F9-4EE3-BC68-2D139463D3CE@xxxxxxxxxxxxxxxx
I posted what looked appropriate from the NetDiag & DCDiag from both the
DC/DNS & workstation.

There were no logged events in either the DC or workstation.

I answered what I could below.

Any thoughts are appreciated!

Thanks!!!

====================================
DC/DNS Server - DCDiag
====================================
DC Diagnosis

Doing primary tests
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [server1]:failed with 1060:
The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [server1]:failed with 1060:
The specified service does not exist as an installed service.
......................... server1 failed test Services
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0xC0002715
Time Generated: 02/17/2007 16:16:31
Event String: DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
An Error Event occured. EventID: 0xC0002715
Time Generated: 02/17/2007 16:17:22
Event String: DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
An Error Event occured. EventID: 0xC0002715
Time Generated: 02/17/2007 16:17:22
Event String: DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
......................... server1 failed test systemlog

====================================
DC/DNS Server - NetDiag
====================================
NetBT name test. . . . . . : Passed
NetBT_Tcpip_{E5AD19E7-130D-49F4-8E59-48CB1DBE2A84}
server1 <00> UNIQUE REGISTERED
contoso <00> GROUP REGISTERED
contoso <1C> GROUP REGISTERED
server1 <20> UNIQUE REGISTERED
contoso <1B> UNIQUE REGISTERED
contoso <1E> GROUP REGISTERED
contoso <1D> UNIQUE REGISTERED
..__MSBROWSE__.<01> GROUP REGISTERED
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.


WINS service test. . . . . : Skipped
There is no primary WINS server defined for this adapter.
There is no secondary WINS server defined for this adapter.
There are no WINS servers configured for this interface.

NetBT name test. . . . . . . . . . : Passed
No NetBT scope defined
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.




Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed
Cached Tickets:
Server: krbtgt/contoso.org
End Time: 2/17/2007 21:54:32
Renew Time: 2/24/2007 11:54:32
Server: krbtgt/contoso.org
End Time: 2/17/2007 21:54:32
Renew Time: 2/24/2007 11:54:32
Server: server1$
End Time: 2/17/2007 21:54:32
Renew Time: 2/24/2007 11:54:32
Server: server2$
End Time: 2/17/2007 21:54:32
Renew Time: 2/24/2007 11:54:32
Server: ldap/server1.contoso.org/contoso.org
End Time: 2/17/2007 21:54:32
Renew Time: 2/24/2007 11:54:32



Do Negotiate authenticated LDAP call to 'server1.contoso.org'.
Found 1 entries:
Attr: currentTime
Val: 17 20070217212438.0Z
Attr: subschemaSubentry
Val: 57
CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso,DC=org
Attr: dsServiceName
Val: 109 CN=NTDS
Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=org
Attr: namingContexts
Val: 44 CN=Schema,CN=Configuration,DC=contoso,DC=org
Val: 34 CN=Configuration,DC=contoso,DC=org
Val: 17 DC=contoso,DC=org
Attr: defaultNamingContext
Val: 17 DC=contoso,DC=org
Attr: schemaNamingContext
Val: 44 CN=Schema,CN=Configuration,DC=contoso,DC=org
Attr: configurationNamingContext
Val: 34 CN=Configuration,DC=contoso,DC=org
Attr: rootDomainNamingContext
Val: 17 DC=contoso,DC=org
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 16 MaxActiveQueries
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Attr: highestCommittedUSN
Val: 6 653319
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Attr: dnsHostName
Val: 19 server1.contoso.org
Attr: ldapServiceName
Val: 32 contoso.org:server1$@contoso.org
Attr: serverName
Val: 92
CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=org
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE
[WARNING] Failed to query SPN registration on DC 'server1.contoso.org'.



====================================
Workstation - DCDiag
====================================

DC Diagnosis

Doing primary tests

Testing server: Default-First-Site-Name\server1
Starting test: Replications
......................... server1 passed test Replications
Starting test: Topology
......................... server1 passed test Topology
Starting test: CutoffServers
......................... server1 passed test CutoffServers
Starting test: NCSecDesc
......................... server1 passed test NCSecDesc
Starting test: NetLogons
......................... server1 passed test NetLogons
Starting test: Advertising
......................... server1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... server1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... server1 passed test RidManager
Starting test: MachineAccount
......................... server1 passed test MachineAccount
Starting test: Services
Could not open IISADMIN Service on [server1]:failed with 1060:
The specified service does not exist as an installed service.
Could not open SMTPSVC Service on [server1]:failed with 1060:
The specified service does not exist as an installed service.
......................... server1 failed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... server1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
......................... server1 passed test ObjectsReplicated
Starting test: frssysvol
...........




====================================
Workstation - NetDiag
====================================

Testing the WINS server
Local Area Connection
There is no primary WINS server defined for this adapter.
There is no secondary WINS server defined for this adapter.
Testing Kerberos authentication... Failed


WINS service test. . . . . : Skipped
There is no primary WINS server defined for this adapter.
There is no secondary WINS server defined for this adapter.
There are no WINS servers configured for this interface.

Ipx configration
Network Number . . . . : 2b3fe51f
Node . . . . . . . . . : 00036d181c76
Frame type . . . . . . : 802.3





Trust relationship test. . . . . . : Passed
Test to ensure DomainSid of domain 'contoso' is correct.
Secure channel for domain 'contoso' is to '\\server1.contoso.org'.
Secure channel for domain 'contoso' was successfully set to DC
'\\server1.contoso.org'.


Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
Server: krbtgt/contoso.org
End Time: 2/18/2007 3:12:49
Renew Time: 2/24/2007 17:12:49
Server: krbtgt/contoso.org
End Time: 2/18/2007 3:12:49
Renew Time: 2/24/2007 17:12:49
Server: server1$
End Time: 2/18/2007 3:12:49
Renew Time: 2/24/2007 17:12:49
Server: server2$
End Time: 2/18/2007 3:12:49
Renew Time: 2/24/2007 17:12:49
Server: ldap/server1.contoso.org/contoso.org
End Time: 2/18/2007 3:12:49
Renew Time: 2/24/2007 17:12:49
[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.


LDAP test. . . . . . . . . . . . . : Passed


====================================

=================


"Herb Martin" wrote:

"Server Guy" <ServerGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85CBBBA3-6A67-4311-8F96-95924C80B26B@xxxxxxxxxxxxxxxx
Hi,

I have a big problem I sure could use some help with!
This was previously posted but the thread got really long. I tried to
repost only the relative info.

When I try to add a new user account at a workstation joined to a
domain, I get an error saying I can't add the user because

"the trust relationship between this workstation and the primary domain
failed ".

This is occurring on stations that are working fine otherwise. The
only problem is adding a new user account on the station. Existing
accounts on the stations are working fine.

Ok, let's straighten out the terminology before you spend another 20
messages just getting the details set: You don't add a DOMAIN account
"on the station", that would be a local computer account. So if you are
adding an account locally then you must be a LOCAL ADMINISTRATOR.



I also don't want to waste anyone's time, including my own, posting another 20
messages. I'll post answers to questions posed back to me the best I can.
What I said is that I was adding a new user account at a workstation joined
to a domain, not adding a domain account at a workstation. Just wanted to
show that the account was already in AD.


If this is really * the case then perhaps you are logged on with a domain
account that is in the Domain Admins and thereby getting Administrator
privileges on the local machine -- but that authentication is failing?
Otherwise the DOMAIN has nothing to do with adding an account LOCALLY to
that machine.

Yes, I am logged in as Administrator at the workstation. Administrator is
the only user able to log in with administrator priv. Users in the
administrator group in AD and also showing as being in the administrator
group on the workstation do not actually have administrator priv.




You may add a domain account FROM a station IF you have installed the
AD management tools, i.e., AdminPak.MSI there.

For adding DOMAIN accounts to work OR for using a domain account
with local admin privileges a few things must be true:

1) Your User account must be authenticated with the domain, and that
means you are authenticating the computer account there correctly
as well.

2) Your user account must have sufficient privileges, e.g., be a Domain
Admin, or have the Explicit RIGHT to add users (e.g., Account Operators),
or have enough PERMISSIONS in some specific OU.

3) Name resolution must succeed so you can find the DC to which you
connect.

4) Your account on that DC must be fully replicated from the DC where you
authenticated (OR your password/credentials might not be accepted.)

5) The tools must be the correct version for the workstation (XP needs
2003 AdminPak, 2000 needs 2000 AdminPak -- the last I checked -- and you
might need to update these with current service pack versions.

6) RPCs must not be filtered by firewalls -- either the built-in
firewalls, or add-ons like ZoneAlarm, or intermediate firewalls on routers
between the machines.

7) Other protocols (DNS, DS, etc) must not be filtered but #6 RPCs were
mentioned separately since you indicate most things are working
correctly.

8) Any trusts involved must work, but here I am generally assuming a
single domain.

Yes, single domain, single DC/DNS server


9) The computer account is hosed in AD, but you have already reset the
computer account.

Yes


10) The DNS Zone for your AD Domain must be DYNAMIC, with the DC(s)
properly registered on all DNS servers which hold the zone.
This would be on the DNS server 172.20.100.2

All of the above are things to check explicitly; some are elaborated below.

For #1, the computer & user accounts to authenticate the DCs must be
findable (fully) in DNS, this means it must be fully registered (DCDiag /c
with no FAIL or WARN should do).

Client computer must use STRICTLY the INTERNAL DNS server which can
resolve the DC. DC is a DNS client too, and this rule applies to it too.

The time on the local computer and DC must be WITHIN 5 minutes (by
default) in Universal time. So check time AND make sure both DC and station
TIMEZONE are correctly set, otherwise the time may look right but be an
hour or hours off.

Workstation time was off by about 13 minutes between the DC/DNS and the
workstation. Fixed that, rebooted DC and workstation - time is OK but same
orig prob.

Workstations are getting time from a Novell server (no funny comments
please, it's on its way out but has been rock solid) which has been set. I
even powered down the Novell box to take it out of the mix, no change.



If I add an existing account to a different station, same result.
Tried setting up a new account in AD. Same error when adding account to
station.

* Why do you keep saying "at" a different station, or "to" a local
machine? Are you really adding LOCAL accounts?

At a different workstation, none work. Yes, trying to add a local account
to get administrator priv on workstation but limited in AD.

If so, you should test that by trying to logon as the LOCAL ADMIN and see
if it then works. If so, you have a problem (perhaps) with the domain
authentication, if not, you have a local problem and might need to do a
REPAIR install or otherwise correct the local machine -- the domain is not
then involved AT ALL.


I get the error when I go to Control panel/Users/Add User/Enter User Name
and Domain, then get "the trust relationship between this workstation and
the primary domain failed" message

I also get a Kerberos failed message from the workstation NetDiag; is this
a problem here as well?

Yes, check TIME and ESPECIALLY TIMEZONE. Say timezone is set
1 zone away; and DC and workstation LOOK correct, they are really out
of sync by an ENTIRE hour.

Corrected time diff but didn't help.


What I have to do to add the user is leave the domain, login as
administrator add the local user and make it a member of the local
administrator group, join the domain.

Ok, you really are trying to add to the WORKSTATION -- I doubt that
has ever been really clear in your posts.

Thought I was but sounds like we are on the same page now.



While this does get the user in the system, I need to make this user a
local administrator but they only have limited rights even though they
show as being a member of the local administrator group. We have 3rd party
software requiring them to be local administrators.

That software should be replaced OR the reason tracked down and explicit
rights or permission to files or registry keys granted.

Not my call on that one. Want to concentrate on the immediate issue.


I'm not sure when the problem first occurred, but users already on the
workstations are working fine.
This is causing major issues of not being able to setup new accounts on
workstations. Big Problem!

--END OF COMMENTS--

Thanks in advance!!!

====================================

I included:
IPConfig /all for DC/DNS & Workstation
NetDiag for DC/DNS & workstation
NSLookup from workstation
NLTest
====================================

Lan configuration:
Single DC/DNS server Win2k SP4 server 172.20.100.2
Member Win2003 SP1 server 172.20.100.4
50-nodes: 2-W2k SP4 rest are XP-Pro SP2
USR Router used for Internet access 172.20.100.200
DNS Forwarder to 172.20.100.200
"." zone removed from Forwarder
====================================

What I have tried:
Resetting computer object in AD

Removing the computer object from AD, renaming the workstation &
re-joining, but that didn't help.


C:\>nltest /sc_reset:contoso.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.ABC.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /sc_verify:contoso.org
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.ABCc.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully





====================================
NSLookup from Workstation
====================================
C:\Program Files\Support Tools>nslookup server1 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Name: server1.contoso.org
Address: 172.20.100.2

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.200
Server: usr8200.home
Address: 172.20.100.200

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.104, 216.239.37.99
Aliases: www.google.com


C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 209.143.0.10
Server: primary.dns.bright.net
Address: 209.143.0.10

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com


====================================
IPConfig - Workstation
====================================
Windows IP Configuration
Host Name . . . . . . . . . . . . : RM-7-1
Primary Dns Suffix . . . . . . . : contoso.org
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.20.7.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2


====================================
IPConfig - DC/DNS Server
====================================
Host Name . . . . . . . . . . . . : server1
Primary DNS Suffix . . . . . . . : contoso.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.org

IP Address. . . . . . . . . . . . : 172.20.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2



====================================
NetDiag - Workstation
====================================


Gathering the list of Domain Controllers for domain 'contoso'
Testing trust relationships... Passed
Testing Kerberos authentication... Failed
Testing LDAP servers in Domain contoso ...

Tests complete.
Default gateway test . . . : Passed
Pinging gateway 172.20.100.200 - reachable
At least one gateway reachable for this adapter.

Domain membership test . . . . . . : Passed
Machine is a . . . . . . . . . : Member Workstation
Netbios Domain name. . . . . . : contoso
Dns domain name. . . . . . . . : contoso.org
Dns forest name. . . . . . . . : contoso.org
Domain Guid. . . . . . . . . . :
{437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Sid . . . . . . . . . . :
S-1-5-21-1838114092-1579624115-538272213
Logon User . . . . . . . . . . : Administrator
Logon Domain . . . . . . . . . : contoso
Logon Server . . . . . . . . . : \\server1

DNS test . . . . . . . . . . . . . : Passed
Interface {7723A855-721E-4C55-B595-814BDDE90AE5}
DNS Domain:
DNS Servers: 172.20.100.2
IP Address: 172.20.7.1
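An added example, not part of the thread: a PowerShell script that runs the DNS, time-skew and firewall checks from Herb's list (items 3, 6, 7 and 10, plus the 5-minute rule) from the workstation against the single DC. The domain, DC name, DNS server address and the 5-minute limit come from the thread; the SRV record names, the port list and the helper names are my assumptions, and Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread: Herb's DNS, time-skew and firewall checks
# run from the workstation against the single DC. Names, addresses and the
# 5-minute limit come from the thread; the record names, port list and helper
# names are my assumptions. Resolve-DnsName needs Windows 8 / Server 2012 or later.
param(
    [string]$Domain     = 'contoso.org',          # from the thread
    [string]$DC         = 'server1.contoso.org',  # from the thread
    [string]$DnsServer  = '172.20.100.2',         # from the thread
    [int]   $MaxSkewSec = 300                     # Kerberos default Herb cites
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# Item 10: the AD zone must hold the DC's SRV records, and they must point at the DC.
# These are the records a client uses to locate a DC, the KDC and an LDAP server.
foreach ($name in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain", "_ldap._tcp.$Domain")) {
    try {
        $targets = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.TrimEnd('.') })
        Add-Result "SRV $name" ($targets -contains $DC) ('targets: ' + ($targets -join ', '))
    } catch {
        Add-Result "SRV $name" $false $_.Exception.Message
    }
}

# Time: Kerberos compares UTC, so a wrong time zone shows up here as an offset of
# whole hours even when both clocks "look" right. w32tm prints one line per sample,
# e.g. "21:12:49, +00.0123456s".
$lines   = @(& w32tm /stripchart "/computer:$DC" /samples:3 /dataonly 2>&1 | ForEach-Object { "$_" })
$offsets = @(foreach ($l in $lines) { if ($l -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] } })
if ($offsets.Count -gt 0) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    Add-Result "Clock offset to $DC" ($worst -lt $MaxSkewSec) ('max |offset| = {0:N3}s' -f $worst)
} else {
    Add-Result "Clock offset to $DC" $false ($lines -join ' ')
}

# Items 6 and 7: nothing between the workstation and the DC may filter the protocols
# a domain logon needs. A plain TCP connect with a timeout is enough to spot a filter.
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    Add-Result ('TCP {0} ({1}) on {2}' -f $p, $ports[$p], $DC) (Test-TcpPort $DC $p) ''
}

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

The port list covers only the fixed ports; RPC-based operations also need the DC's dynamic RPC port range after the endpoint mapper on 135 answers, so an open 135 with failing domain operations still leaves a firewall between the machines as a suspect.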

