trust relationship between workstation and the primary domain fail



I have a big problem I sure could use some help with!

I tried posting this in the Active Directory group but so far haven't resolved the
issue.

When I am at a workstation attached to the domain and try to add a local
user to the workstation, I get an error saying I can't add the user because:

"The trust relationship between this workstation and the primary domain
failed."

This is an existing user already in AD. I can log in as this person and
everything authenticates OK. What I want to do is log in as the user into the
domain with their limited privileges but give them Admin rights on the local
workstation. This previously worked and I am not sure why it doesn't now.

What I end up with is a local user account on the workstation saying they
are in the administrator group but they in fact do not have administrator
rights. They do need local admin rights for a 3rd party program (long story).

The time between the DC and workstations is also ok.

This is occurring on stations that are working fine otherwise. The
only problem is adding a new user account to the local workstation (they are
already in AD). Existing accounts previously added to the workstations are
working fine. This affects all workstations on the domain.

I also get a Kerberos failed message from the workstation NetDiag, is this a
problem here as well? I have the NetDiag listed further down. NetDiag on
the DC is clean.

What I have to do to add the user is leave the domain, log in as
administrator, add the local user and make it a member of the local
administrators group, then join the domain. While this does get the user into the
local workstation, I need to make this user a local administrator, but they
only have limited rights even though they show as being a member of the local
administrators group. We have 3rd party software requiring them to be local
administrators.

The same error happens when the workstation is joined to the domain and I am
logged in as Administrator.

I'm not sure when the problem first occurred, but users already on the
workstations are working fine.
This is causing major issues of not being able to set up new accounts on
workstations. Big Problem!

Thanks in advance!!!

====================================

I included:
IPConfig /all for DC/DNS & Workstation
NetDiag for DC/DNS & workstation
NSLookup from workstation
NLTest
====================================

Lan configuration:
Single DC/DNS server Win2k SP4 server 172.20.100.2
Member Win2003 SP1 server 172.20.100.4
50-nodes: 2-W2k SP4 rest are XP-Pro SP2
USR Router used for Internet access 172.20.100.200
DNS Forwarder to 172.20.100.200
"." zone removed from Forwarder
====================================

What I have tried:
Resetting computer object in AD

Removing the computer object from AD, renaming the workstation & re-joining
but that didn't help.


C:\>nltest /sc_reset:contoso.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.contoso.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /sc_verify:contoso.org
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\server1.contoso.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
====================================
NSLookup from Workstation
====================================
C:\Program Files\Support Tools>nslookup server1 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Name: server1.contoso.org
Address: 172.20.100.2

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.2
Server: server1.contoso.org
Address: 172.20.100.2

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com

C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 172.20.100.200
Server: usr8200.home
Address: 172.20.100.200

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.104, 216.239.37.99
Aliases: www.google.com


C:\Program Files\Support Tools>
C:\Program Files\Support Tools>nslookup www.google.com 209.143.0.10
Server: primary.dns.bright.net
Address: 209.143.0.10

Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.37.99, 216.239.37.104
Aliases: www.google.com


====================================
IPConfig - Workstation
====================================


Windows IP Configuration

Host Name . . . . . . . . . . . . : RM-7-1
Primary Dns Suffix . . . . . . . : contoso.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.org
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
Ethernet

Physical Address. . . . . . . . . : 00-10-18-07-18-9C
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.7.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2
====================================
IPConfig - DC/DNS Server
====================================
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server1
Primary DNS Suffix . . . . . . . : contoso.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.org

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit
Network Adapter #3
Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2

====================================
NetDiag - Workstation
====================================
Gathering the list of Domain Controllers for domain 'contoso'
Testing trust relationships... Passed
Testing Kerberos authentication... Failed
Testing LDAP servers in Domain contoso ...

Tests complete.


Computer Name: RM-7-1
DNS Host Name: RM-7-1.contoso.org
DNS Domain Name: contoso.org
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
Hotfixes :
Installed? Name
Yes KB873339
Yes KB885835
Yes KB885836
Yes KB885884
Yes KB886185
Yes KB887742
Yes KB888113
Yes KB888302
Yes KB890046
Yes KB890859
Yes KB891781
Yes KB893756
Yes KB893803v2
Yes KB894391
Yes KB896344
Yes KB896358
Yes KB896422
Yes KB896423
Yes KB896424
Yes KB896428
Yes KB899587
Yes KB899589
Yes KB899591
Yes KB900485
Yes KB900725
Yes KB900930
Yes KB901017
Yes KB901214
Yes KB902400
Yes KB904706
Yes KB904942
Yes KB905414
Yes KB905749
Yes KB908519
Yes KB908531
Yes KB910437
Yes KB911280
Yes KB911562
Yes KB911564
Yes KB911567
Yes KB911927
Yes KB912919
Yes KB913580
Yes KB914388
Yes KB914389
Yes KB916281
Yes KB916595
Yes KB917344
Yes KB917422
Yes KB917734_WMP9
Yes KB917953
Yes KB918439
Yes KB919007
Yes KB920213
Yes KB920670
Yes KB920683
Yes KB920685
Yes KB920872
Yes KB922582
Yes KB922616
Yes KB922819
Yes KB923191
Yes KB923414
Yes KB923689
Yes KB923694
Yes KB923980
Yes KB924496
Yes KB925398_WMP64
Yes KB925454
Yes KB925486
Yes KB925876
Yes KB926255
Yes KB928388
Yes KB929120
Yes Q147222

Default gateway test . . . : Passed
Pinging gateway 172.20.100.200 - reachable
At least one gateway reachable for this adapter.
NetBT name test. . . . . . : Passed
NetBT_Tcpip_{7723A855-721E-4C55-B595-814BDDE90AE5}
RM-7-1 <00> UNIQUE REGISTERED
contoso <00> GROUP REGISTERED
RM-7-1 <20> UNIQUE REGISTERED
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.

NetBios Resolution : via DHCP

Netbios Remote Cache Table
Name Type HostAddress Life [sec]
---------------------------------------------------------------
server1 <00> UNIQUE 172.20.100.2 490
contoso <1C> GROUP 172.20.100.2 487
server2 <20> UNIQUE 172.20.100.4 255
contoso <1B> UNIQUE 172.20.100.2 255
server1 <20> UNIQUE 172.20.100.2 205
server1.contoso<2E> UNIQUE 172.20.100.2 487

WINS service test. . . . . : Skipped
There is no primary WINS server defined for this adapter.
There is no secondary WINS server defined for this adapter.
There are no WINS servers configured for this interface.

Ipx configration
Network Number . . . . : 2b3fe51f
Node . . . . . . . . . : 00101807189c
Frame type . . . . . . : 802.3
Global results:
IP General configuration
LMHOSTS Enabled. . . . . . . . : Yes
DNS for WINS resolution. . . . : Enabled
Node Type. . . . . . . . . . . : Hybrid
NBT Scope ID . . . . . . . . . :
Routing Enabled. . . . . . . . : No
WINS Proxy Enabled . . . . . . : No
DNS resolution for NETBIOS . . : No

Domain membership test . . . . . . : Passed
Machine is a . . . . . . . . . : Member Workstation
Netbios Domain name. . . . . . : contoso
Dns domain name. . . . . . . . : contoso.org
Dns forest name. . . . . . . . : contoso.org
Domain Guid. . . . . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Sid . . . . . . . . . . : S-1-5-21-1838114092-1579624115-538272213
Logon User . . . . . . . . . . : Administrator
Logon Domain . . . . . . . . . : contoso
Logon Server . . . . . . . . . : \\server1

DNS test . . . . . . . . . . . . . : Passed
Interface {7723A855-721E-4C55-B595-814BDDE90AE5}
DNS Domain:
DNS Servers: 172.20.100.2
IP Address: 172.20.7.1
Expected registration with PDN (primary DNS domain name):
Hostname: RM-7-1.contoso.org.
Authoritative zone: contoso.org.
Primary DNS server: server1.contoso.org 172.20.100.2
Authoritative NS:172.20.100.2
Verify DNS registration:
Name: RM-7-1.contoso.org
Expected IP: 172.20.7.1
Server 172.20.100.2: NO_ERROR
The DNS registration for RM-7-1.contoso.org is correct on all DNS servers

DC discovery test. . . . . . . . . : Passed
Find DC in domain 'contoso':
Found this DC in domain 'contoso':
DC. . . . . . . . . . . : \\server1.contoso.org
Address . . . . . . . . : \\172.20.100.2
Domain Guid . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Name . . . . . . : contoso.org
Forest Name . . . . . . : contoso.org
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Find PDC emulator in domain 'contoso':
Found this PDC emulator in domain 'contoso':
DC. . . . . . . . . . . : \\server1.contoso.org
Address . . . . . . . . : \\172.20.100.2
Domain Guid . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Name . . . . . . : contoso.org
Forest Name . . . . . . : contoso.org
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8

Find Windows 2000 DC in domain 'contoso':
Found this Windows 2000 DC in domain 'contoso':
DC. . . . . . . . . . . : \\server1.contoso.org
Address . . . . . . . . : \\172.20.100.2
Domain Guid . . . . . . : {437C8357-82E5-44BB-87EC-FB3DE7E91058}
Domain Name . . . . . . : contoso.org
Forest Name . . . . . . : contoso.org
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE
DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8


DC list test . . . . . . . . . . . : Passed
List of DCs in Domain 'contoso':
server1.contoso.org


Trust relationship test. . . . . . : Passed
Test to ensure DomainSid of domain 'contoso' is correct.
Secure channel for domain 'contoso' is to '\\server1.contoso.org'.
Secure channel for domain 'contoso' was successfully set to DC
'\\server1.contoso.org'.


Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
Server: krbtgt/contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: krbtgt/contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: cifs/server1.contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: ldap/server1.contoso.org/contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: LDAP/server1.contoso.org
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12
Server: cifs/server1
End Time: 2/8/2007 4:29:12
Renew Time: 2/14/2007 18:29:12

[FATAL] Kerberos does not have a ticket for host/RM-7-1.contoso.org.

Do Negotiate authenticated LDAP call to 'server1.contoso.org'.
Found 1 entries:
Attr: currentTime
Val: 17 20070207233554.0Z
Attr: subschemaSubentry
Val: 57 CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso,DC=org
Attr: dsServiceName
Val: 109 CN=NTDS
Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=org
Attr: namingContexts
Val: 44 CN=Schema,CN=Configuration,DC=contoso,DC=org
Val: 34 CN=Configuration,DC=contoso,DC=org
Val: 17 DC=contoso,DC=org
Attr: defaultNamingContext
Val: 17 DC=contoso,DC=org
Attr: schemaNamingContext
Val: 44 CN=Schema,CN=Configuration,DC=contoso,DC=org
Attr: configurationNamingContext
Val: 34 CN=Configuration,DC=contoso,DC=org
Attr: rootDomainNamingContext
Val: 17 DC=contoso,DC=org
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 16 MaxActiveQueries
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Attr: highestCommittedUSN
Val: 6 648273
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Attr: dnsHostName
Val: 19 server1.contoso.org
Attr: ldapServiceName
Val: 32 contoso.org:server1$@contoso.org
Attr: serverName
Val: 92
CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=org
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE


[WARNING] Failed to query SPN registration on DC 'server1.contoso.org'.



Routing table test . . . . . . . . : Passed
Active Routes :
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.100.200 172.20.7.1 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.20.0.0 255.255.0.0 172.20.7.1 172.20.7.1 10
172.20.7.1 255.255.255.255 127.0.0.1 127.0.0.1 10
172.20.255.255 255.255.255.255 172.20.7.1 172.20.7.1 10
224.0.0.0 240.0.0.0 172.20.7.1 172.20.7.1 10
255.255.255.255 255.255.255.255 172.20.7.1 172.20.7.1 1
No persistent route entries.
Netstat information test . . . . . : Passed
IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information

The command completed successfully
=====================================================
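The checks below are an added example, not a script from the original post. They collect on one affected workstation the three facts the post is about: whether the secure channel to the DC verifies (what `nltest /sc_verify` showed), which SPNs are registered on the computer account (the NetDiag run could not get a `host/` ticket and could not query SPN registration), and whether a domain user added to the local Administrators group actually ends up with the Administrators SID in their logon token. It assumes an elevated prompt on the workstation, the Support Tools (`nltest`, `setspn`, `whoami`) installed, and PowerShell available (XP SP2 does not ship it); `contoso\jdoe` is a placeholder account name.

```powershell
# Added example for the post above (not the poster's own script).
# Assumptions: elevated prompt on the affected workstation, Support Tools
# installed (nltest, setspn, whoami), PowerShell present. Names are placeholders.
param(
    [string]$Domain       = 'contoso.org',          # domain from the post
    [string]$User         = 'contoso\jdoe',         # assumed domain account
    [string]$ComputerName = $env:COMPUTERNAME       # e.g. RM-7-1
)

function Show-Step([string]$Title) {
    Write-Host ("=" * 60)
    Write-Host $Title
    Write-Host ("=" * 60)
}

# 1. Secure channel: this is the "trust relationship" in the error text.
#    Trust Verification Status other than NERR_Success means the machine
#    account password no longer matches what the DC holds.
Show-Step "Secure channel to $Domain"
nltest "/sc_verify:$Domain"

# 2. SPNs on the computer account. NetDiag reported no ticket for
#    host/$ComputerName.$Domain and a failed SPN registration query, so list
#    what the DC actually holds for this machine; HOST/ entries are expected.
Show-Step "SPNs registered for $ComputerName"
setspn -L $ComputerName

# 3. Add the domain user to the local Administrators group, then read the
#    group back. A member that cannot be resolved against the domain is
#    displayed as a raw SID (S-1-5-21-...) instead of DOMAIN\name, which is
#    the first sign that the workstation cannot talk to the DC for lookups.
Show-Step "Local Administrators membership after adding $User"
net localgroup Administrators $User /add
net localgroup Administrators

# 4. Effective rights are decided by the logon token, not by the group
#    listing. Log on as $User and run this part: the token must contain the
#    well-known Administrators SID S-1-5-32-544 for the user to be an admin.
Show-Step "Token check (run this line while logged on as $User)"
Write-Host 'whoami /groups | findstr /i "S-1-5-32-544"'
```

Run steps 1 to 3 as the local or domain administrator, then log on as the added user and run the `whoami` line from step 4. If `net localgroup Administrators` lists the account by name but the user's own token lacks `S-1-5-32-544`, the problem is between the workstation and the DC at logon time (the SID-to-name path the group listing depends on), not in the local group itself, which matches the "in the group but not really an administrator" symptom described in the post.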