The Security Database on the Server Workstation Trust Relationship

Turning to the Spiceworks community once again... :-)

I created a problem yesterday when I added an older PC (Windows 7) to my domain network (Win Server 2008) which unfortunately had the same PC name as an existing PC.

I knew going in that they both had the same name so when I logged into the second PC I changed the name to a new name. Everything was fine until the owner at the first PC logged in after a reboot today.

The first PC gets this error: "The security database on the server does not have a computer account for this workstation trust relationship".

Thus far I have removed the duplicate PC's identity on the domain server in Active Directory. I have tried to log in as the domain admin (Safe Mode without networking) on the first PC and tried to put it into a workgroup, but it won't let me. When I tried to log in as the local admin I got an error telling me that the account has been locked and to contact the administrator.

Kinda stuck at this point. Any ideas?


Chris W.

Normally, take it out of the domain: first on the PC, then in AD on the server, to make sure it is out of your computer listing. This, 99% of the time, will make things happy again. While taking the PC out, place it in a workgroup named WORKGROUP. Reboot, then after the reboot change the name and reboot again. That way the PC is now renamed.

Next, before you try to join it from the PC itself, go to the domain controller of your domain or forest and manually add the name you want the PC to have.

Now try to add it to the domain from the PC. See if that makes it work. If not, then you might have another PC on your network that this one was imaged from? If this is the case, you will need a little program called "SID Changer". http://technet.microsoft.com/en-us/sysinternals/bb897418 With this, you can change the SID of the PC you are having issues with to a new random SID, which should allow the PC to then connect to the domain.

Those are the steps I've done in my IT history that will get your PC back on the domain. And by those steps, re-apply the domain trust for the PC you are having problems with, thus making it part of your domain again so you can manage it again.

Here is another link to show how it's done with Windows 7 or Server 2008:

http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-and-windows-server-2008-r2-using-sysprep

Where you can download the NewSID app, since MS doesn't offer it anymore.

http://ituploads.com/microsoft/microsoft-sysinternals-new-sid-tool

Link is safe, I downloaded and scanned, files are clean.
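Chris W.'s disjoin / rename / rejoin sequence, written out as a PowerShell script. This is an added example, not code from the thread or from Spiceworks. It assumes Windows Management Framework 3.0 or later on the Windows 7 PC (Rename-Computer and the -WorkgroupName / -Restart parameters do not exist in the PowerShell 2.0 that ships with Windows 7), and the domain corp.example, DC CORP-DC1, OU path and computer names are hypothetical placeholders. Instead of pre-creating the account on the DC, it joins with -OUPath so the account is created directly in the right OU, and before joining it checks over LDAP that no object (account name or HOST/ SPN) still holds the new name, since a leftover object with the same name is exactly what produced the error above.

```powershell
<#
  Added example (not from the thread): Chris W.'s disjoin / rename / rejoin
  sequence as a script. Run it in an elevated prompt on the affected
  Windows 7 PC, logged on as a local administrator (or a domain admin whose
  credentials are still cached).

  Assumptions (hypothetical): WMF 3.0+ on the PC; domain corp.example;
  DC CORP-DC1; the OU path and the new computer name below.

  The sequence needs two reboots, so it is split into steps:
    .\Rejoin.ps1 -Step 1   # leave the domain, drop into WORKGROUP, reboot
    .\Rejoin.ps1 -Step 2   # rename while in the workgroup, reboot
    .\Rejoin.ps1 -Step 3   # verify AD is clean, then join under the new name
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet(1, 2, 3)][int]$Step,
    [string]$Domain  = 'corp.example',
    [string]$Server  = 'CORP-DC1.corp.example',
    [string]$NewName = 'WS-FRONTDESK-02',
    [string]$OUPath  = 'OU=Workstations,DC=corp,DC=example'
)

# Credential of an account allowed to remove and join computer accounts.
$cred = Get-Credential -Message "Domain account for $Domain"

# Look the name up in AD over LDAP with explicit credentials, so it works from a
# workgroup PC without RSAT. Returns the DNs of matching computer objects.
function Find-ComputerObject {
    param([string]$Name)
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server", $cred.UserName, $cred.GetNetworkCredential().Password)
    $search = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Both the account name (NAME$) and any HOST/ SPN left behind must be clear.
    $search.Filter = "(&(objectCategory=computer)(|(sAMAccountName=$Name`$)(servicePrincipalName=HOST/$Name)))"
    [void]$search.PropertiesToLoad.Add('distinguishedName')
    $search.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

switch ($Step) {
    1 {
        # Leave the domain from the PC side first, as Chris W. says, before
        # touching anything in AD. -Force suppresses the confirmation prompt.
        try {
            Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart -ErrorAction Stop
        } catch {
            # With no computer account left in AD, the DC-side part of the unjoin
            # can fail; fall back to a local-only unjoin and clean AD up by hand.
            Write-Warning "Unjoin via the DC failed ($($_.Exception.Message)); leaving the domain locally."
            Remove-Computer -WorkgroupName 'WORKGROUP' -Force -Restart
        }
    }
    2 {
        # After the first reboot: rename while still a workgroup member.
        Rename-Computer -NewName $NewName -Force -Restart
    }
    3 {
        # After the second reboot: refuse to join while the name is still taken.
        $stale = @(Find-ComputerObject -Name $NewName)
        if ($stale.Count -gt 0) {
            throw "AD still has $($stale.Count) object(s) for $($NewName): $($stale -join '; '). Delete them (or pick another name) before joining."
        }
        # -OUPath creates the account directly in the target OU, so there is
        # no separate move after the join.
        Add-Computer -DomainName $Domain -Credential $cred -OUPath $OUPath -Force -Restart
    }
}
```

After the third reboot, `Test-ComputerSecureChannel -Server CORP-DC1.corp.example` from an elevated prompt on the PC should return True; if the join itself succeeds but that check fails, the problem is no longer the missing account but a conflicting object elsewhere in AD.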

11 Replies

Jstear

This happened to me a few months back. Took me a few hours to figure out why and how to fix. I had to remote into the machine from my machine. I would disjoin the computer from the domain, change the name, rejoin, and after a restart the name would go back and all the problems would happen again. The final fix was to disjoin from the domain as local admin, delete the computer from AD, join the domain, and then add the computer to the proper OU after joining AD, not before.

Jamie8398

This exact thing happened to me a couple of weeks ago - very frustrating.

This workaround worked for me:  Unplug the network cable and log in as usual - it let me log onto the network.  Once in I plugged the cat5 back into the switch and everything was normal.

I had to do this every time I unlocked until I rebooted the server, which solved the problem for me.

Jstear

As for the local admin, have you tried going into computer management from your machine?

JonKorf

We had this issue recently, and these two articles were helpful:

http://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship

http://dailytweak.wordpress.com/2010/02/05/the-trust-relationship-between-this-workstation-and-the-primary-domain-failed

I tried about every solution from both sites, and all but one did not work. It turned out our issue was a SPN (Service Principal Name) being tied to multiple computers. I had to have my AD admin do an ADSIEdit fix, and then it worked. If you search the second link for "Tom Blackerby", he is the one who posted what worked for us.

Jstear

Chris W. wrote:

Normally taking it out of the domain, but first the PC, then the AD on the Server to make sure it is out of your computer listing.  this, most 99% of the time will make things happy again.  While taking the PC out, place it in a workgroup named workgroup.  Reboot, then after the reboot, change the name a reboot again.  That way the PC is now renamed.

Next, before you try a join it from the PC itself.  Go to the domain controller of your domain or forest.  Manually add the name of the PC that you want it to be.

Now try and add it from the PC to the domain by adding it there.  See if that makes it work.

When I had tried this, it did not work.  I had to join from the computer before adding to AD.  Once I added to AD I then put computer in appropriate OU.

Chris W.

Jstear wrote:

When I had tried this, it did not work.  I had to join from the computer before adding to AD.  Once I added to AD I then put computer in appropriate OU.

Maybe the difference is Small Business Server, which we are running. But half the time with it, SMS can be a pain. I can add the computer name of the PC to the domain without joining it first. Make sure you check-mark the "Windows 2000 or later" option. Not saying you are right and I am wrong or vice versa; it's just the way SMS is allowing me to add them before establishing the PC/domain trust.

R-i-v-e-n
Feb 22, 2012 at 08:52 UTC

Jamie8398 wrote:

This exact thing happened to me a couple of weeks ago - very frustrating.

This workaround worked for me:  Unplug the network cable and log in as usual - it let me log onto the network.  Once in I plugged the cat5 back into the switch and everything was normal.

I had to do this every time I unlocked until I rebooted the server, which solved the problem for me.

I have done the same thing as Jamie.  I just unplugged the network cable and logged in as the local admin.  After the machine booted up I plugged the network cable back in and waited for the machine to resolve an IP and then I was able to remove it from the domain and set it to a work group.  I then changed the name and added it back to the domain.  Easy Peasy.

JonKorf

Normally the procedure that @Mike741 recommended works fine, as it has always worked for me in the past. But if your computer has the "SPN of Doom" issue in AD, you could end up trying every known way of having the cable in, out, local admin, cached domain account, workgroup fix, or even lighting candles and performing a séance over the misbehaving machine... it can be frustrating.

If it is an SPN issue, you should be able to demote it to a workgroup, and re-add it as a different name, as this is how we determined what our problem child was. So if you had John Smith and Jane Smith and you named the second SMITH and had the problem, try adding it as MICKEYMOUSE or something, and if it works, then it might be an SPN issue.
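The "one SPN tied to multiple computers" condition JonKorf describes in both of his replies can be found directly instead of by trial renaming. The following is an added example, not code from the thread: it lists every AD object that registers the HOST/ SPNs Windows expects for a given computer name, and previews removal of the SPNs from the stale holder. It assumes the ActiveDirectory PowerShell module (a Server 2008 R2 DC, or Windows 7 with RSAT); the computer name SMITH and the domain corp.example are hypothetical placeholders, and the "older whenChanged is the stale object" rule is only a heuristic, which is why the cleanup runs with -WhatIf.

```powershell
<#
  Added example (not from the thread): find every AD object holding a
  computer's HOST/ SPNs. Run on a DC or an RSAT machine with the
  ActiveDirectory module. Names and domain below are hypothetical.
#>
Import-Module ActiveDirectory

# Returns the objects (computers, users, anything) registering the SPNs a domain
# member needs: HOST/<name> and HOST/<name>.<dns domain>.
function Get-SpnHolders {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$DnsDomain = 'corp.example'
    )
    $wanted  = @("HOST/$ComputerName", "HOST/$ComputerName.$DnsDomain")
    $clauses = $wanted | ForEach-Object { "(servicePrincipalName=$_)" }
    $filter  = "(|$($clauses -join ''))"
    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, dNSHostName, whenChanged |
        Select-Object Name, ObjectClass, DistinguishedName, dNSHostName, whenChanged,
            @{ n = 'MatchingSPNs'; e = { @($_.servicePrincipalName | Where-Object { $wanted -contains $_ }) } }
}

# Removes only the given HOST/ SPNs from one object, leaving the object itself.
# Supports -WhatIf so the change can be previewed first.
function Remove-SpnFromObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string[]]$Spn
    )
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "remove SPN(s) $($Spn -join ', ')")) {
        Set-ADObject -Identity $DistinguishedName -Remove @{ servicePrincipalName = $Spn }
    }
}

$name    = 'SMITH'   # hypothetical: the name that keeps failing
$holders = @(Get-SpnHolders -ComputerName $name)

switch ($holders.Count) {
    0 { "No object registers HOST/$name; a plain rejoin will recreate it." }
    1 { "HOST/$name is held once, by $($holders[0].DistinguishedName); the trust problem is elsewhere." }
    default {
        # With the same SPN on two objects the KDC cannot tell which account the
        # ticket is for and refuses the request, which is what breaks the logon.
        Write-Warning "HOST/$name is registered on $($holders.Count) objects:"
        $holders | Format-Table Name, ObjectClass, whenChanged, MatchingSPNs -AutoSize
        # Heuristic: the live PC is the holder whose whenChanged moved most recently
        # (it updates its own object at boot); the oldest holder is usually the
        # stale one. Preview the cleanup before running it without -WhatIf.
        $stale = $holders | Sort-Object whenChanged | Select-Object -First 1
        Remove-SpnFromObject -DistinguishedName $stale.DistinguishedName -Spn $stale.MatchingSPNs -WhatIf
    }
}

# Forest-wide sweep for every duplicated SPN, not just this one name.
setspn -X -F
```

JonKorf's rename test (join as MICKEYMOUSE and see whether it works) is the same check done from the other side: a new name has no SPN holders, so a join under it succeeds where the original name fails.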

Binks

I would try to log in as the local admin but I am not sure what the password is for that account. I can log in as the network admin but that doesn't seem to work.

JonKorf

You could try looking for some local admin password cracking software (I haven't done that in a while, so no help there), but I would at this point probably recommend getting another machine, setting it up under a different name on the network, using an HDD adapter to get all the user's data over to the new machine, and re-installing/re-imaging the problem child. Might be a better use of time.

Source: https://community.spiceworks.com/topic/200655-workstation-trust-relationship
