Trust relationship between this workstation and the primary domain

Server Guy

Jan 21, 2007, 11:55:01 PM
Have a big problem I sure could use some help with!

When I try to add a new user account at a workstation previously joined to a
domain, I get an error saying I can't add the user because

"the trust relationship between this workstation and the primary domain
failed ".

I tried removing the computer object from AD & re-joining but that didn't
help. This is occurring on stations that are working fine otherwise. The
only problem is adding a new user account on the station. Existing accounts
on the stations are working fine. If I add an existing account to a
different station, same result. Tried setting up a new account in AD. Same
error when adding account to station.

I'm not sure when the problem first occurred, just that it is causing issues of
not being able to set up new accounts. Big Problem!

I'm open to suggestions! Is there a security DB or something that's
corrupted or needs to be sync'ed? I've searched and found references to the
error message but not one generated from trying to add a user to a station.

Thanks in advance!!!

Server is W2k SP4, DC, DNS
Workstation(s) XP-Pro SP2
Member Win2003 SP1 server

Jorge Silva

Jan 22, 2007, 3:59:26 AM
Hi
Try
Reset the computer account in AD, then re-add it to the domain.

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:E273F66A-C6BE-4DCC...@microsoft.com...

Paul Bergson [MVP-DS]

Jan 22, 2007, 9:07:26 AM
Jorge is referring to nltest

http://support.microsoft.com/kb/216393

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge Silva" <jorges...@hotmail.com> wrote in message
news:5343E3CB-678A-4FD9...@microsoft.com...

Server Guy

Jan 22, 2007, 11:15:02 AM
Thanks for the quick replies!!! I will try this later today and post back
the results.

Again, many thanks!

Server Guy

Jan 22, 2007, 9:54:27 PM
Hi, The following is the result of the NLtest from the affected workstation.
I did get 1 error.

I checked services on my DC and Net Logon appears to be started. Not sure
if there is another service not listed that I need.

Any more thoughts?

Thanks again!!!

============================
L:\>nltest /server:MYServer
The command completed successfully

L:\>nltest /sc_query:ABC.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\MYServer.ABC.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

L:\>nltest /sc_verify:ABC.org
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

============================

Paul Bergson [MVP-DS]

Jan 23, 2007, 8:27:26 AM
Yes, as expected. You want to use nltest to reset the connection to your
dc.

http://support.microsoft.com/kb/216393

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:D321C7F7-88D3-4FA3...@microsoft.com...

Server Guy

Jan 23, 2007, 9:07:01 AM
If I run the "NLTEST /sc_reset:ABC.org" from the affected workstation, will
it remove then rebuild the secure channel for that station only or will it do
that for all stations?

Just trying to see the scope of what it's going to do so I know whether to
perform a system state backup prior to running this.

I know the importance of backups but just need to schedule it if needed.

Many thanks!

/sc_reset:[ DomainName]
Removes and then rebuilds the secure channel established by the NetLogon
service. Administrative rights are required to perform this command.

Paul Bergson [MVP-DS]

Jan 23, 2007, 9:17:02 AM
This will reset it for the machine you run it on only.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message

news:97CCD7AB-3DA0-40C1...@microsoft.com...

Jorge Silva

Jan 23, 2007, 9:53:25 AM
Go to the AD console, right-click the computer account, choose Reset, then go
to the computer and re-add it to the domain.
Simple and fast.

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message

news:97CCD7AB-3DA0-40C1...@microsoft.com...

Server Guy

Jan 25, 2007, 1:21:01 AM
Still no luck, still have the orig. error message when trying to add a user.

Below are the NLTest commands used. The verify shows no errors now. But
when trying to add a domain user at the workstation I still get the orig
error about the "The Trust relationship between this workstation and the
primary domain failed"

I did try resetting the account at the DC. Also tried removing it then
re-joining the domain, still no luck.

PLEASE HELP!!!


C:\>nltest /sc_reset:ABC.org
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\ServerName.ABC.org


Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /sc_verify:ABC.org
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\ServerName.ABCc.org


Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

--------------------------------------------------------------------------------

Paul Bergson [MVP-DS]

Jan 25, 2007, 8:43:34 AM
Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server install
disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag, and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)

When complete search for fail, error and warning messages.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message

news:8DD4EBC8-E85F-4CA6...@microsoft.com...
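
The "search for fail, error and warning messages" step from the post above, as an added example that is not part of the original thread: a Python triage pass over dcdiag and netdiag text logs that pairs each failed test with the detail lines printed under it. The sample logs are constructed in the format of the output posted in this thread; the host names `DC1` and `WKSTN1$` and the function names are assumptions of this example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "tool severity subject detail")

# dcdiag verdict line: "......................... DC1 failed test Services"
DCDIAG_RESULT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.I)
# netdiag verdict line: "Kerberos test. . . . . . . . . . . : Failed"
NETDIAG_RESULT = re.compile(r"^(.+?)(?:\s*\.)+\s*:\s*(Passed|Failed|Skipped)$", re.I)
# netdiag inline markers: "[FATAL] ..." and "[WARNING] ..."
NETDIAG_MARK = re.compile(r"^\[(FATAL|WARNING)\]\s*(.+)$")
# dcdiag probe of a service that is not installed (Win32 error 1060)
ABSENT_SERVICE = re.compile(r"Could not open (\S+) Service on \[[^\]]+\]:\s*failed with 1060")
EVENT_ID = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")

# Constructed sample logs (not copied from the thread).
SAMPLE_DCDIAG = """\
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: Services
         * Checking Service: NETLOGON
         Could not open IISADMIN Service on [DC1]:failed with 1060:
         The specified service does not exist as an installed service.
         Could not open SMTPSVC Service on [DC1]:failed with 1060:
         The specified service does not exist as an installed service.
         ......................... DC1 failed test Services
      Starting test: systemlog
         An Error Event occured. EventID: 0x00000452
            Time Generated: 02/01/2007 09:55:51
            Event String: The printer could not be installed.
         ......................... DC1 failed test systemlog
"""

SAMPLE_NETDIAG = """\
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for WKSTN1$.
    [WARNING] Failed to query SPN registration on DC 'DC1.example.org'.
"""


def explain(context):
    """Summarise the detail lines dcdiag printed under one test."""
    blob = "\n".join(context)
    parts = []
    absent = ABSENT_SERVICE.findall(blob)
    if absent:
        parts.append("not installed (error 1060): " + ", ".join(absent))
    events = sorted(set(EVENT_ID.findall(blob)))
    if events:
        parts.append("event IDs: " + ", ".join(events))
    return "; ".join(parts) or "no detail captured"


def triage(tool, text):
    """Return a Finding for every non-passing result in a dcdiag or netdiag log."""
    if tool not in ("dcdiag", "netdiag"):
        raise ValueError("tool must be 'dcdiag' or 'netdiag'")
    findings, context, current = [], [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if tool == "dcdiag":
            if line.startswith("Starting test:"):
                context = []                      # new test, drop old detail lines
                continue
            m = DCDIAG_RESULT.match(line)
            if not m:
                context.append(line)              # detail belonging to the open test
                continue
            host, verdict, test = m.groups()
            if verdict.lower() == "failed":
                findings.append(Finding(tool, "fail", f"{host}/{test}", explain(context)))
            context = []
        else:
            mark = NETDIAG_MARK.match(line)
            if mark:                              # attach marker to the test above it
                findings.append(Finding(tool, mark.group(1).lower(), current, mark.group(2)))
                continue
            m = NETDIAG_RESULT.match(line)
            if m:
                current, verdict = m.group(1), m.group(2).lower()
                if verdict != "passed":
                    severity = "fail" if verdict == "failed" else "skipped"
                    findings.append(Finding(tool, severity, current, ""))
    return findings


if __name__ == "__main__":
    for name, log in (("dcdiag", SAMPLE_DCDIAG), ("netdiag", SAMPLE_NETDIAG)):
        for f in triage(name, log):
            print(f"{f.tool:8} {f.severity:8} {f.subject:28} {f.detail}")
```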

Server Guy

Jan 27, 2007, 7:45:00 PM
Hi,

The following came from running DCDiag & NetDiag from both the DC and also a
W2k-SP4 station. When I tried to run from an XP Pro SP2 station I get a
NTDSA.dll error saying re-installing the application may help.

Hopefully this will tell what's going on!

Many thanks for your help!


From the DC:

DCDiag:
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [MyServer]:failed with 1060:
The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [MyServer]:failed with 1060:
The specified service does not exist as an installed service.
......................... MyServer failed test Services

NetDiag:
Trust relationship test. . . . . . : Skipped

Do Negotiate authenticated LDAP call to 'MyServer.ABC.org'.
[WARNING] Failed to query SPN registration on DC 'MyServer.ABC.org'.
---------------------------


Workstation
DCDiag
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [MyServer]:failed with 1060:
The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [MyServer]:failed with 1060:
The specified service does not exist as an installed service.
......................... MyServer failed test Services


Netdiag:
Trust relationship test. . . . . . : Passed
Test to ensure DomainSid of domain 'HHWP' is correct.
Secure channel for domain 'HHWP' is to '\\MyServer.ABC.org'.
Secure channel for domain 'HHWP' was successfully set to DC
'\\MyServer.ABC.org'.


Kerberos test. . . . . . . . . . . : Failed
Server: ldap/MyServer.ABC.org/ABC.org
End Time: 1/28/2007 1:38:43
Renew Time: 2/3/2007 15:38:43
[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.

Server Guy

Jan 27, 2007, 8:04:02 PM
Hi,

I did try that. Also tried leaving the domain, renaming the station &
rebooting, then joining the domain. Same issue. Seems to be something
deeper wrong here.

Thanks for trying! I appreciate any thoughts or help!

Herb Martin

Jan 27, 2007, 8:22:10 PM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:9A6585EE-B053-42A9...@microsoft.com...

> Hi,
>
> I did try that. Also tried leaving the domain, renaming the station &
> rebooting, then joining the domain. Same issue. Seems to be something
> deeper wrong here.
>
> Thanks for trying! I appreciate any thoughts or help!

The other main reason for things like this is incorrect DNS settings.

Client computers (actually ALL internal computers) must use STRICTLY
the INTERNAL DNS servers which can resolve your DCs and other
internal services -- they cannot mix in the ISP or firewall/gateway DNS
on the NIC->IP Properties.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)


Server Guy

Jan 27, 2007, 10:43:52 PM
Thanks for the information. I'm looking at any and all causes/solutions.

I currently have an ISP router listed as the default gateway. I have a
forwarder from the DC/DNS pointing to it and a route back from the router.
All has been working well as far as this issue goes for some time now.
Something has changed that but I don't have a clue at this point what it is.

Are you saying I should remove the default GW from the NIC > IP Properties?
I'm willing to try that to see what happens.

Should I have routing and remote access setup? This would then eliminate the
ISP router being listed as the default GW for the stations and also the
DC/DNS box.

In the past, I've had issues with a remote site via a T1 and Cisco 2620
routers. That issue is about to take care of itself soon. The other site is
dropping the T1 and we will have VPN access if needed.

Many thanks!

Herb Martin

Jan 27, 2007, 11:10:26 PM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:32045171-732E-430E...@microsoft.com...

> Thanks for the information. I'm looking at any and all causes/solutions.
>
> I currently have an ISP router listed as the default gateway. I have a
> forwarder from the DC/DNS pointing to it and a route back from the router.
> All has been working well as far as this issue goes for some time now.
> Something has changed that but I don't have a clue at this point what it
> is.

Setting external routers is a VERY common mistake, exacerbated by the
fact that it SEEMS to work, and will work intermittently but never reliably.

> Are you saying I should remove the default GW from the NIC > IP
> Properties?
> I'm willing to try that to see what happens.

Yes, and it isn't a matter of trying it -- this is a problem, even if not
your only (or main) problem.

DNS clients must NEVER have a DNS server listed that cannot resolve
the internal resources, especially the DCs (i.e., must not have a DNS
server listed that bypasses the DNS zone.)

Putting it in as the alternate is NOT sufficient to getting reliable results
since machines will occasionally "latch onto it" and stay latched for
unpredictable times.

> Should I have routing and remote access setup? This would then eliminate
> the ISP router being listed as the default GW for the stations and also the
> DC/DNS box.

No, that isn't necessary (from what you are telling me) and using the gateway
DNS as your FORWARDER is a VERY GOOD practice.

> In the past, I've had issues with a remote site via a T1 and Cisco 2620
> routers. That issue is about to take care of itself soon. The other site
> is dropping the T1 and we will have VPN access if needed.

--

Paul Bergson [MVP-DS]

Jan 28, 2007, 5:07:31 PM
From reading the reply to Herb, you should have the problem found.

Make the AD DNS server the only DNS server and forward all requests to your
ISP.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message

news:257F6CE5-FAC0-497D...@microsoft.com...

Server Guy

Jan 29, 2007, 9:30:00 PM
I may have more than one issue here, not quite sure yet. Both the
workstation and DC only have the DC/DNS server listed, no alternate DNS
servers anywhere in AD.

I agree with Herb that I need to do a few more things to make DNS more
stable. But does this cause the Kerberos failed message?

I'm just trying to make sure I'm tracking down the right thing and not
breaking something else in the process by me experimenting. I would like to
fix the "trust Issue" first then move to the DNS side like Herb mentioned
unless you guys think they are related and both need to be addressed at the
same time.

Thanks again Paul & Herb for your time on this very complex issue!!!

Server Guy

Jan 30, 2007, 1:29:00 AM

"Herb Martin" wrote:

>
> "Server Guy" <Serv...@discussions.microsoft.com> wrote in message
> news:32045171-732E-430E...@microsoft.com...
> > Thanks for the information. I'm looking at any and all causes/solutions.
> >
> > I currently have an ISP router listed as the default gateway. I have a
> > forwarder from the DC/DNS pointing to it and a route back from the router.
> > All has been working well as far as this issue goes for some time now.
> > Something has changed that but I don't have a clue at this point what it
> > is.
>
> Setting external routers is a VERY common mistake, exacerbated by the
> fact that it SEEMS to work, and will work intermittently but never reliably.
>
> > Are you saying I should remove the default GW from the NIC > IP
> > Properties?
> > I'm willing to try that to see what happens.
>
> Yes, and it isn't a matter of trying it -- this is a problem, even if not
> your only (or main) problem.

If I remove the ISP router from the Default Gateway, I lose access to the
Internet. Not sure why that is if everything else seems to be ok. I do have
a forwarder to the ISP router & a route from the ISP router back. Maybe one
of those are a problem? If you are saying that should be blank, then I must
need a change in there.

Herb Martin

Jan 30, 2007, 7:45:17 AM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:4B29840C-B744-4998...@microsoft.com...

>
>
>> Setting external routers is a VERY common mistake, exacerbated by the
>> fact that it SEEMS to work, and will work intermittently but never
>> reliably.
>>
>> > Are you saying I should remove the default GW from the NIC > IP
>> > Properties?
>> > I'm willing to try that to see what happens.
>>
>> Yes, and it isn't a matter of trying it -- this is a problem, even if not
>> your only (or main) problem.
>
> If I remove the ISP router from the Default Gateway, I lose access to the
> Internet.

No one wants you to remove the "default gateway" entry; you have conflated
the GATEWAY function with using this machine DIRECTLY as a DNS
server by the clients.

To repeat:


"Client computers (actually ALL internal computers) must use STRICTLY
the INTERNAL DNS servers which can resolve your DCs and other
internal services -- they cannot mix in the ISP or firewall/gateway DNS
on the NIC->IP Properties."

> Not sure why that is if everything else seems to be ok. I do have
> a forwarder to the ISP router & a route from the ISP router back. Maybe one
> of those are a problem? If you are saying that should be blank, then I must
> need a change in there.

Can you route by IP address? (You can always try tracert 4.2.2.1 or
tracert ISP.DNS.Server.Address)

If you can ping and tracert then ROUTING is not your problem. It
is trivial to distinguish between name resolution and routing: Just try
something by NAME and then NUMBER, if number works and name
fails then you have a routing problem.

>> DNS clients must NEVER have a DNS server listed that cannot resolve
>> the internal resources, especially the DCs (i.e., must not have a DNS
>> server listed that bypasses the DNS zone.)

>> Putting it in as the alternate is NOT sufficient to getting reliable
>> results since machines will occasionally "latch onto it" and stay latched
>> for unpredictable times.

Paul Bergson [MVP-DS]

Jan 30, 2007, 8:57:48 AM
If you have dns issues, you can have all kinds of problems. Fix DNS and
then see what else might be wrong.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message

news:D4881C6E-99BC-4278...@microsoft.com...

Server Guy

Jan 30, 2007, 9:24:01 AM
I only have a single DC/DNS. If I remove the default GW on both the server
and a workstation, do an ipconfig /flushdns then ipconfig /registerdns on
both, would you say that would rule out DNS as being the issue for the orig
problem of not being able to add a domain user account at a workstation
because of the trust relationship error?

Paul Bergson [MVP-DS]

Jan 30, 2007, 12:18:54 PM
Why do you want to remove the gateway? There is no value to that.

Once you have configured your dns then what are the errors? Or haven't they
changed?

Can you post the ipconfig /all for both the client and the dc/dns server?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message

news:1C08C24F-4DC9-44FE...@microsoft.com...

Herb Martin

Jan 30, 2007, 1:00:19 PM

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%238Oo4KJ...@TK2MSFTNGP05.phx.gbl...

> Why do you want to remove the gateway? There is no value to that.

I am pretty sure that when we told him (elsewhere in the thread) to remove
the gateway *DNS* server from the client configuration he interpreted this
as removing the "Default Gateway" setting.

Paul Bergson [MVP-DS]

Jan 30, 2007, 1:02:32 PM
Oh

Thanks I was confused.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Herb Martin" <ne...@learnquick.com> wrote in message
news:Odk9BiJR...@TK2MSFTNGP05.phx.gbl...

Paul Bergson [MVP-DS]

Jan 30, 2007, 1:02:46 PM
You going to the summit?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Herb Martin" <ne...@learnquick.com> wrote in message
news:Odk9BiJR...@TK2MSFTNGP05.phx.gbl...
>

Herb Martin

Jan 30, 2007, 2:16:40 PM

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:Ok3TikJR...@TK2MSFTNGP02.phx.gbl...

> You going to the summit?

No, I think I am (almost) broke. <Grin>

Might should go to look for a (new) job. <sigh>

Win2007/8 Longhorn delays are going to cost me a lot of money so I
probably have to start actively consulting for a while.

Server Guy

Jan 30, 2007, 2:21:08 PM
Hi Guys, Yep, I think I am confused as to exactly what I am to remove and/or
change but will do whatever you suggest.

Again thanks for the help!


DC/DNS Server:
Host Name . . . . . . . . . . . . : MyServer
Primary DNS Suffix . . . . . . . : ABC.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ABC.org
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit
Network Adapter #3
Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.100.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2


Workstation:
Host Name . . . . . . . . . . . . : ROOM-M3
Primary Dns Suffix . . . . . . . : ABC.org
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ABC.org
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-03-47-F3-AE-80
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.50.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 172.20.100.2

Herb Martin

Jan 30, 2007, 2:59:42 PM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:6D529B78-C459-42EA...@microsoft.com...

> Hi Guys, Yep, I think I am confused as to exactly what I am to remove and/or
> change but will do whatever you suggest.
>
> Again thanks for the help!
>
>
>
>
> DC/DNS Server:
> Host Name . . . . . . . . . . . . : MyServer
> IP Address. . . . . . . . . . . . : 172.20.100.2
> Default Gateway . . . . . . . . . : 172.20.100.200
> DNS Servers . . . . . . . . . . . : 172.20.100.2
>
>
> Workstation:
> Host Name . . . . . . . . . . . . : ROOM-M3
> IP Address. . . . . . . . . . . . : 172.20.50.1
> Subnet Mask . . . . . . . . . . . : 255.255.0.0
> Default Gateway . . . . . . . . . : 0.0.0.0

Put the default gateway 172.20.100.200 back.

> DNS Servers . . . . . . . . . . . : 172.20.100.2

This is (likely) NOW correct.

Before you had (I am pretty sure) another DNS server here that didn't
belong.

Do you still have problems (after re-entering the default gateway)?

If so, how are your complete DCDiags? (/c)
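
The DNS rule stated in this thread (clients list only the internal DNS servers, even as an alternate) turned into a check over `ipconfig /all` text, as an added example that is not part of the original posts. The sample is constructed in the layout of the workstation output above; the second DNS entry `192.0.2.53` is a made-up documentation address standing in for an ISP or gateway resolver, and the function names are assumptions of this example. The empty-gateway check mirrors the instruction above to put the default gateway back.

```python
import ipaddress
import re

# "Label . . . . : value" as printed by ipconfig /all; the value may be empty.
FIELD = re.compile(r"^(.+?)(?:\s*\.)+\s*:\s*(.*)$")

# Constructed sample (not copied from the thread).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ROOM-M3
        Primary Dns Suffix  . . . . . . . : ABC.org

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.20.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 0.0.0.0
        DNS Servers . . . . . . . . . . . : 172.20.100.2
                                            192.0.2.53
"""


def _ip(text):
    """Return an ip_address for text, or None when it is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def parse_ipconfig(text):
    """Return (host_name, adapters); each adapter has name, dns list, gateway."""
    host, adapters, current, last_key = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            last_key, value = m.group(1).strip().lower(), m.group(2).strip()
            if last_key == "host name":
                host = value
            elif current is not None and last_key == "dns servers" and _ip(value):
                current["dns"].append(_ip(value))
            elif current is not None and last_key == "default gateway":
                current["gateway"] = _ip(value)
        elif line.endswith(":") and "adapter" in line.lower():
            current = {"name": line[:-1], "dns": [], "gateway": None}
            adapters.append(current)
            last_key = None
        elif current is not None and last_key == "dns servers" and _ip(line):
            # ipconfig prints additional DNS servers on unlabeled continuation lines
            current["dns"].append(_ip(line))
    return host, adapters


def audit(text, internal_dns):
    """List (host, adapter, code, detail) for each setting that breaks the rule."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    host, adapters = parse_ipconfig(text)
    issues = []
    for a in adapters:
        if not a["dns"]:
            issues.append((host, a["name"], "no-dns", ""))
        for server in a["dns"]:
            # Primary or alternate makes no difference: any listed server that is
            # not an internal DNS server is reported.
            if server not in allowed:
                issues.append((host, a["name"], "foreign-dns", str(server)))
        gw = a["gateway"]
        if gw is None or gw.is_unspecified:
            issues.append((host, a["name"], "no-gateway", "" if gw is None else str(gw)))
    return issues


if __name__ == "__main__":
    for issue in audit(SAMPLE, ["172.20.100.2"]):
        print(issue)
```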

Server Guy

Feb 1, 2007, 1:46:00 AM
Hi, Yes, the same problem is still there. Still get the trust error when
trying to add a domain user to the station.

One odd thing is when I look at the logs from netdiag & dcdiag, they show
1-1-1985 as the file creation & modify dates. Dates on DC and all servers
show correct time. Don't know if that is relevant or not but wanted to
mention it in case something is calculating wrong because of some invalid
date.

Thanks Again!

NetDiag from the DC doesn't show any kerberos errors like the NetDiag from
the station

Netdiag from the station is:

Testing trust relationships... Passed
Testing Kerberos authentication... Failed

Trust relationship test. . . . . . : Passed

Test to ensure DomainSid of domain 'ABC' is correct.
Secure channel for domain 'ABC' is to '\\MyServer.ABC.org'.
Secure channel for domain 'ABC' was successfully set to DC
'\\MyServer.ABC.org'.

Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
Server: krbtgt/ABC.org
End Time: 2/1/2007 4:06:41
Renew Time: 2/7/2007 18:06:41
Server: krbtgt/ABC.org
End Time: 2/1/2007 4:06:41
Renew Time: 2/7/2007 18:06:41
Server: MyServer$
End Time: 2/1/2007 4:06:41
Renew Time: 2/7/2007 18:06:41
Server: ABCNT2$
End Time: 2/1/2007 4:06:41
Renew Time: 2/7/2007 18:06:41
Server: ldap/MyServer.ABC.org/ABC.org
End Time: 2/1/2007 4:06:41
Renew Time: 2/7/2007 18:06:41


[FATAL] Kerberos does not have a ticket for MIPTEMPORARY$.

Herb Martin

Feb 1, 2007, 8:59:16 AM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:15C3AA06-EFDA-4C8D...@microsoft.com...

> Hi, Yes, the same problem is still there. Still get the trust error when
> trying to add a domain user to the station.

Which problem? (You have had several by now.)

What specifically are the current symptoms since after changing various
things you might have different, but still even similar issues.

> One odd thing is when I look at the logs from netdiag & dcdiag, they show
> 1-1-1985 as the file creation & modify dates. Dates on DC and all servers
> show correct time. Don't know if that is relevant or not but wanted to
> mention it in case something is calculating wrong because of some invalid
> date.

Show us your CURRENT, UNEDITED text output from "ipconfig /all" of the
problem DC and the CURRENT, UNEDITED text output from "DCDiag /c"
for the problem DC.

Nice to have the same from a working DC also.

If you have "client problems" then CURRENT, UNEDITED text output
from "IPConfig /all" of the client.

Server Guy

Feb 1, 2007, 10:39:02 AM
I'm still having the same issue when I first posted.
I can't add a new domain user account at a workstation.
I included the orig post below.

I only have one DC/DNS server

I only had one problem (at least that was causing issues) which I included
below. The only actual change I made was to remove a gateway entry from the
DC/DNS server from the NIC config. It was there as a test from trying to get
communications setup with a remote subnet via a T1. That's not there now.
Everything else was working fine anyway for many months with that entry there.

Thanks!

===========================================
Orig post stating problem:

When I try to add a new user account at a workstation previously joined to a
domain, I get an error saying I can't add the user because

"the trust relationship between this workstation and the primary domain
failed ".

I tried removing the computer object from AD & re-joining but that didn't
help. This is occurring on stations that are working fine otherwise. The
only problem is adding a new user account on the station. Existing accounts
on the stations are working fine. If I add an existing account to a
different station, same result. Tried setting up a new account in AD. Same
error when adding account to station.


===========================================
DC-DCDiag:

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\HHWPNT1
Starting test: Connectivity
......................... HHWPNT1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\HHWPNT1
Starting test: Replications
......................... HHWPNT1 passed test Replications
Starting test: Topology
......................... HHWPNT1 passed test Topology
Starting test: CutoffServers
......................... HHWPNT1 passed test CutoffServers
Starting test: NCSecDesc
......................... HHWPNT1 passed test NCSecDesc
Starting test: NetLogons
......................... HHWPNT1 passed test NetLogons
Starting test: Advertising
......................... HHWPNT1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... HHWPNT1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... HHWPNT1 passed test RidManager
Starting test: MachineAccount
......................... HHWPNT1 passed test MachineAccount
Starting test: Services
Could not open IISADMIN Service on [HHWPNT1]:failed with 1060:

The specified service does not exist as an installed service.

Could not open SMTPSVC Service on [HHWPNT1]:failed with 1060:

The specified service does not exist as an installed service.

......................... HHWPNT1 failed test Services
Starting test: OutboundSecureChannels
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... HHWPNT1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
......................... HHWPNT1 passed test ObjectsReplicated
Starting test: frssysvol
......................... HHWPNT1 passed test frssysvol
Starting test: kccevent
......................... HHWPNT1 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 02/01/2007 09:55:51
Event String: Driver Microsoft Shared Fax Driver required for

An Error Event occured. EventID: 0x00000452
Time Generated: 02/01/2007 09:55:51
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/01/2007 09:55:51
Event String: Driver

An Error Event occured. EventID: 0x00000452
Time Generated: 02/01/2007 09:55:51
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 02/01/2007 09:55:51
Event String: Driver hp psc 2100 series required for printer

An Error Event occured. EventID: 0x00000452
Time Generated: 02/01/2007 09:55:51
Event String: The printer could not be installed.
......................... HHWPNT1 failed test systemlog

Running enterprise tests on : hhwpcac.org
Starting test: Intersite
......................... hhwpcac.org passed test Intersite
Starting test: FsmoCheck
......................... hhwpcac.org passed test FsmoCheck


===========================================
DC-IPConfig:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : hhwpnt1
Primary DNS Suffix . . . . . . . : hhwpcac.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No


WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hhwpcac.org

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit
Network Adapter #3

Physical Address. . . . . . . . . : 00-0C-41-EB-CB-13
DHCP Enabled. . . . . . . . . . . : No


IP Address. . . . . . . . . . . . : 172.20.100.2

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2

===========================================
Workstation IPConfig:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : MIPTemporary
Primary DNS Suffix . . . . . . . : hhwpcac.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No


WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hhwpcac.org


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys LNE100TX Fast Ethernet
Adapter(LNE100TX v4)
Physical Address. . . . . . . . . : 00-03-6D-18-1C-76
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.32.3


Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 172.20.100.200
DNS Servers . . . . . . . . . . . : 172.20.100.2

===========================================

Herb Martin

Feb 1, 2007, 11:20:06 AM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:664E0D80-494E-4132...@microsoft.com...

> I'm still having the same issue when I first posted.
> I cant add a new domain user account at a workstation.

What specifically do you mean by "at a workstation"? Do you
mean to the workstation accounts database (that would NOT
be a domain user), or do you mean using tools from the workstation
(e.g., AD Users and Computers)? Or something else?

> I included the orig post below.

> When I try to add a new user account at a workstation previously joined to
> a domain, I get an error saying I can't add the user because

What does "previously joined to a domain" mean? Is it in the domain or not?
(It must be to do anything with domain accounts.)

If it is in the domain trying to use AD Users/Computers, what errors do you
get? Exact wording. When? What are you doing explicitly?

Where did you get the tools for the workstation? XP or Win2000?
(AdminPak.msi from Win2003 DC is the right tool pak for XP.)

> "the trust relationship between this workstation and the primary domain
> failed ".

Then we need the IPConfig /all from this machine too.

> I tried removing the computer object from AD & re-joining but that didn't
> help.

Generally a poor idea, reset should be your first step for such things.

> This is occurring on stations that are working fine otherwise. The

How many workstations are being used to manage the domain?

> only problem is adding a new user account on the station.

"On the station"? Domain users are not added "on the station."

Server Guy

Feb 2, 2007, 9:16:00 PM
Do you have any other suggestions?

Paul Bergson [MVP-DS]

Feb 4, 2007, 12:07:18 AM
Did you set up the DNS? Have your DNS servers forwarding to your ISP and
your clients only pointing to the AD DNS server.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:4D797A47-34C0-478B...@microsoft.com...

Server Guy

Feb 5, 2007, 11:52:03 AM
Yes, client PC's have always pointed to the DC/DNS for resolution.

DC/DNS points to itself. It has a forwarder to the Internet router.

Server Guy

Feb 5, 2007, 6:45:00 PM

"Herb Martin" wrote:

>
> "Server Guy" <Serv...@discussions.microsoft.com> wrote in message
> news:4B29840C-B744-4998...@microsoft.com...
> >
> >
> >> Setting external routers is a VERY common mistake, exacerbated by the
> >> fact that it SEEMS to work, and will work intermittently but never
> >> reliably.
> >>
> >> > Are you saying I should remove the default GW from the NIC > IP
> >> > Properties?
> >> > I'm willing to try that to see what happens.
> >>
> >> Yes, and it isn't a matter of trying it -- this is a problem, even if not
> >> your only (or main) problem.
> >
> > If I remove the ISP router from the Default Gateway, I lose access to the
> > Internet.
>
> No one wants you to remove the "default gateway" entry; you have conflated
> the GATEWAY function with using this machine DIRECTLY as a DNS
> server by the clients.

Can you clarify in simple terms then what if anything is to be in the
NIC/Default GW entry on the DC/DNS and also the workstations? I seem to be
getting conflicting things to do.

All of the nodes including the server only point to the DC/DNS server in the
NIC/DNS Server.


>
> To repeat:
> "Client computers (actually ALL internal computers) must use STRICTLY
> the INTERNAL DNS servers which can resolve your DCs and other
> internal services -- they cannot mix in the ISP or firewall/gateway DNS
> on the NIC->IP Properties."
>
> > Not sure why that is if everything else seems to be ok. I do have
> > a forwarder to the ISP router & a route from the ISP router back. Maybe
> > one of those are a problem? If you are saying that should be blank, then
> > I must need a change in there.
>
> Can you route by IP address? (You can always try tracert 4.2.2.1 or
> tracert ISP.DNS.Server.Address)
>
> If you can ping and tracert then ROUTING is not your problem. It
> is trivial to distinguish between name resolution and routing: Just try
> something by NAME and then NUMBER, if number works and name
> fails then you have a routing problem.

Pinging and tracert by either IP or name works fine. No issues there at all.

Herb Martin

Feb 5, 2007, 7:18:34 PM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:3B8FBA97-9C85-42D2...@microsoft.com...

>
>
> "Herb Martin" wrote:
>
>>
>> "Server Guy" <Serv...@discussions.microsoft.com> wrote in message
>> news:4B29840C-B744-4998...@microsoft.com...
>> >
>> >
>> >> Setting external routers is a VERY common mistake, exacerbated by the
>> >> fact that it SEEMS to work, and will work intermittently but never
>> >> reliably.
>> >>
>> >> > Are you saying I should remove the default GW from the NIC > IP
>> >> > Properties?
>> >> > I'm willing to try that to see what happens.
>> >>
>> >> Yes, and it isn't a matter of trying it -- this is a problem, even if
>> >> not your only (or main) problem.
>> >
>> > If I remove the ISP router from the Default Gateway, I lose access to
>> > the Internet.
>>
>> No one wants you to remove the "default gateway" entry; you have
>> conflated the GATEWAY function with using this machine DIRECTLY as a DNS
>> server by the clients.
>
>
>
> Can you clarify in simple terms then what if anything is to be in the
> NIC/Default GW entry on the DC/DNS and also the workstations? I seem to
> be getting conflicting things to do.

Just what it always was for both -- the Default Gateway should be the
router* that can forward packets from the local subnet (broadcast domain)
to the "rest of the network" (or "rest of the world".)

* This would be an address on the NEAR or ADJACENT side of an
router IMMEDIATELY on the same subnet or broadcast domain.

> All of the nodes including the server only point to the DC/DNS server in
> the NIC/DNS Server.

The DNS server must NOT be this** or any other external DNS server --
i.e., it must NOT be a DNS server that cannot resolve all of the INTERNAL
names (and external names) needed by the internal clients.

Internal clients must use an INTERNAL DNS server (set) only. The internal
DNS server may (usually should) resolve the external world or forward to
a DNS server which can do so.

** Usually routers/gateways are not able to resolve the internal network
names used by AD etc, but if they can then this will then become part of the
"internal DNS Server set" which can resolve those internal names -- and can
then be used directly by the clients.

The KEY is that the internal clients may not use any DNS servers on their
NIC->IP Properties which cannot resolve ALL names they will ever legitimately
need.

> Pinging and tracert by either IP or name works fine. No issues there at all.

Then likely routing is alright.
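
The rule from the post above (a machine's NIC may list only DNS servers that can resolve the internal names) can be checked against saved `ipconfig /all` text. This is an added example, not part of the thread; the function names, the sample output and the 192.168.0.x client are constructed for illustration.

```python
import ipaddress

# Constructed sample: a client that lists its router as a second DNS server.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : desktop1
        Primary DNS Suffix  . . . . . . . : example.test

Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.5
                                            192.168.0.1
"""

# Fields whose values may continue on following lines that hold only an address.
LIST_FIELDS = ("DNS Servers", "Default Gateway")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return one dict per adapter with its DNS server and gateway lists."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " adapter " in line:
            current = {"name": line[:-1], "DNS Servers": [], "Default Gateway": []}
            adapters.append(current)
            last_key = None
        elif current is None:
            continue  # global section before the first adapter
        elif ":" in line:
            label, value = line.split(":", 1)
            key, value = label.rstrip(" ."), value.strip()
            last_key = key if key in LIST_FIELDS else None
            if last_key and _is_ip(value):
                current[key].append(value)
        elif last_key and _is_ip(line):
            current[last_key].append(line)  # continuation of a multi-value field
        else:
            last_key = None
    return adapters


def audit_dns(text, internal_dns):
    """List (adapter, server, reason) for every DNS entry outside internal_dns."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    findings = []
    for adapter in parse_ipconfig(text):
        gateways = {ipaddress.ip_address(g) for g in adapter["Default Gateway"]}
        for server in adapter["DNS Servers"]:
            addr = ipaddress.ip_address(server)
            if addr in allowed:
                continue
            reason = ("default gateway listed as DNS server" if addr in gateways
                      else "not in the internal DNS server set")
            findings.append((adapter["name"], server, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_IPCONFIG, ["192.168.0.5"]):
        print(finding)
```

An empty result only shows that the NIC settings follow the rule; whether each listed server actually resolves the internal names still has to be tested against that server directly.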

Server Guy

Feb 5, 2007, 7:37:00 PM

"Herb Martin" wrote:

=============

If routing is likely alright, any thoughts on what I should look at next?


=============

Herb Martin

Feb 5, 2007, 7:47:38 PM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:F93FA16B-0714-4B2A...@microsoft.com...

> If routing is likely alright, any thoughts on what I should look at next?

By now I have lost context, what are your precise current symptoms?

Which are your DNS servers? What zones does each hold? Where
do they forward? Which DNS servers do your client machines use?

If you have a replication, an authentication or resource access problem:
What happens when you do a complete (/C) DCDiag (post the unedited
text).

If you have DNS problems still, post the unedited text from a client,
a DC, and if some machines work from both one that works and one
that doesn't.

If you still have a DNS problem, post the results from the command line
of both a client with trouble and the DNS server (it uses).

Test explicitly each of: The direct (internal) DNS Servers, each forwarder,
and each other (ISP) forwarder in use:

For internal names:
nslookup Internal.Server.name IP.Internal.DNS.Server

For external names:
nslookup www.google.com IP.Internal.DNS.Server
nslookup www.google.com IP.Forwarder.DNS.Server
nslookup www.google.com IP.ISP.DNS.Server

--
Herb


Steve

Feb 6, 2007, 5:07:08 AM
I'm in the same boat as ServerGuy here in that I too am not sure if
I've properly set up the DNS server on my DC. Specifically, the
relationship (if any) b/t the default gateway and DNS forwarders.

I have 3 boxes:
192.168.0.1 -- my Netgear Router w/ISP connection
192.168.0.2 -- my desktop
192.168.0.5 -- my DC & domain DNS server

No confusion about configuring the DNS server in NIC properties, but
the default gateway for both server and desktop should be my router's
address, right? Like ServerGuy, if I don't put my router address in
there then I got no internet connectivity, regardless of what
forwarder address I put in DNS server config. Forwarder would also be
router's address? Or maybe ISP DNS server like 4.2.2.2? Doesn't seem
to matter what I put in there or if I put nothing for forwarder, no
internet w/o default gateway.

Paul Bergson [MVP-DS]

Feb 6, 2007, 8:47:00 AM
This thread is way too long. Why don't you repost this as a new thread?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Steve" <steveri...@gmail.com> wrote in message
news:1170756428....@k78g2000cwa.googlegroups.com...

Herb Martin

Feb 6, 2007, 9:28:46 AM

"Steve" <steveri...@gmail.com> wrote in message
news:1170756428....@k78g2000cwa.googlegroups.com...
> I'm in the same boat as ServerGuy here in that I too am not sure if
> I've properly set up the DNS server on my DC. Specifically, the
> relationship (if any) b/t the default gateway and DNS forwarders.

There is no (formal) relationship. The Default Gateway is however
also frequently holding the caching only DNS server used by internal
DNS as a forwarder.

These two jobs (DNS and Default Gateway) are entirely independent
except in that they are placed on this particular machine because it is
the "connection" to the "rest of the network -- or the Internet."

> I have 3 boxes:
> 192.168.0.1 -- my Netgear Router w/ISP connection
> 192.168.0.2 -- my desktop
> 192.168.0.5 -- my DC & domain DNS server
>
> No confusion about configuring the DNS server in NIC properties, but
> the default gateway for both server and desktop should be my router's
> address, right?

Right.

> Like ServerGuy, if I don't put my router address in
> there then I got no internet connectivity, regardless of what
> forwarder address I put in DNS server config.

Yes, that is correct. How else would your machines "get out" or
"off" the local network?

> Forwarder would also be router's address?

Yes, if the router is also a (caching only) DNS server that is normal.

> Or maybe ISP DNS server like 4.2.2.2?

Yes, but you should NOT use 4.2.2.2 for anything other than VERY
temporary purposes. These folks are nice enough to leave this doing
recursion but if the load from the Internet becomes intrusive they may
cease -- also this DNS is not optimally placed for YOUR network.

Use your ISP for this, or just have your forwarder (on the firewall)
do the actual recursion.

> Doesn't seem
> to matter what I put in there or if I put nothing for forwarder, no
> internet w/o default gateway.

On your Internal DNS they COULD do the actual recursion but that
would expose them (at least for DNS) to the ENTIRE Internet,
including "EvilHackersRus.com", and would not be as safe.

Steve

Feb 6, 2007, 2:46:25 PM
OK, it is as simple as I thought. My only confusion is the forwarder
-- I deleted it out of my DC/DNS server, cleared DNS server cache, and
restarted the service. I'm on my client box now, which *only* points
to the DC/DNS server for DNS in NIC props and does not use the DNS
client service (so nothing to flush). On the DC/DNS server box, the
only reference to my router (which does forward DNS queries to my
ISP's DNS) is in default gateway in NIC props. Yet, I can still
browse and ping away just fine?

Server Guy

Feb 24, 2007, 11:19:10 PM

"Herb Martin" wrote:

>
> "Server Guy" <Serv...@discussions.microsoft.com> wrote in message

> news:9A6585EE-B053-42A9...@microsoft.com...
> > Hi,
> >
> > I did try that. ALso tried leaving the domain, renaming the station &
> > rebooting, then joining the domain. Same issue. Seems to be something
> > deeper wrong here.
> >
> > Thanks for trying! I appreciate any thoughts or help!
>
> The other main reason for things like this is incorrect DNS settings.


>
> Client computers (actually ALL internal computers) must use STRICTLY
> the INTERNAL DNS servers which can resolve your DCs and other
> internal services -- they cannot mix in the ISP or firewall/gateway DNS
> on the NIC->IP Properties.

Herb, this had absolutely nothing to do with DNS as I thought from the
beginning. Everything was resolving both internally and externally. Perhaps
if you had read the information fully and not got caught up in picking at
terminology, we could have solved it here. I would tell you what it was but
you wouldn't believe it anyway and still have me chasing DNS problems that are
not there.

Herb Martin

Feb 25, 2007, 1:27:31 AM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:5EE604E2-11C7-47FF...@microsoft.com...

>> Client computers (actually ALL internal computers) must use STRICTLY
>> the INTERNAL DNS servers which can resolve your DCs and other
>> internal services -- they cannot mix in the ISP or firewall/gateway DNS
>> on the NIC->IP Properties.
>
> Herb, this had absolutely nothing to do with DNS as I thought from the
> beginning. Everything was resolving both internally and externally.

Which we have been trying to tell you is INSUFFICIENT as a test of
DNS.

Were you to grasp that, prove your DNS working, we could move on
to something that has a lower chance of being the problem.

Of course, we have been giving you other ideas but mostly you avoid
doing the tests and answering the questions but keep posting difficult
to understand, vague, or unclear messages.

State your actual problem clearly -- that is your job if YOU want help.

Work the problem logically, we'll help you with that but you are the one
who must actually do it.

> Perhaps
> if you had read the information fully and not got caught up in picking at
> terminology,

No, but if you cannot learn to state your problem accurately we don't know
for sure what you want OR what you are doing to fix it.

> We could have solved it here. I would tell you what it was but
> you wouldn't believe it anyway and still have me chasing DNS problems that
> are not there.

Look at ALL of YOUR posts -- you have had a lot of people offer you
help and you are still flailing around without a solution.

That should help you to realize you aren't stating your problem clearly,
following the testing strategy we give you, or working logically.

You admitted in your last post that you "don't have a clue" what the
problem is and yet you argue with those trying to help you.

Notice that you bother to complain that WE aren't solving your problem,
but you still don't state explicitly HOW you have proven that your DNS
or your DC is well.

Were you doing that you would post "IPConfig /all" and "DCDiag /c"
outputs or just simply state: "DCDiag /c completes with no FAIL or
WARN messages."

Server Guy

Feb 25, 2007, 2:51:08 AM

"Herb Martin" wrote:

>
> "Server Guy" <Serv...@discussions.microsoft.com> wrote in message
> news:5EE604E2-11C7-47FF...@microsoft.com...
> >> Client computers (actually ALL internal computers) must use STRICTLY
> >> the INTERNAL DNS servers which can resolve your DCs and other
> >> internal services -- they cannot mix in the ISP or firewall/gateway DNS
> >> on the NIC->IP Properties.
> >
> > Herb, this had absolutely nothing to do with DNS as I thought from the
> > beginning. Everything was resolving both internally and externally.
>
> Which we have been trying to tell you is INSUFFICIENT as a test of
> DNS.

As it turns out it was SUFFICIENT to test it.

>
> Were you to grasp that, prove your DNS working, we could move on
> to something that has a lower chance of being the problem.

I grasp things just fine. Your posts asking for things already posted didn't
show to me you were fully reading or understanding what you read. Yeah, you
say it's not clear what I was saying but it shouldn't have been that hard to
grasp for you.

>
> Of course, we have been giving you other ideas but mostly you avoid
> doing the tests and answering the questions but keep posting difficult
> to understand, vague, or unclear messages.

Yeah, it's all my fault for you not understanding a simple situation.

>
> State your actual problem clearly -- that is your job if YOU want help.

I did state the problem clearly and gave details as I could. This site is a
2hr drive each way (my problem) but that makes it difficult to keep running
back and forth.

You as an MCSE should be able to understand what us non-certified folks are
talking about without shooting cracks back.

>
> Work the problem logically, we'll help you with that but you are the one
> who must actually do it.

I understand that I must do and am responsible for the work. I have no
problem with that at all.


>
> > Perhaps
> > if you had read the information fully and not got caught up in picking at
> > terminology,
>
> No, but if you cannot learn to state your problem accurately we don't know
> for sure what you want OR what you are doing to fix it.

Again you as an MCSE should be able to understand what we are saying and not
blame others because you didn't have the right answers.

Well, if I was a MCSE I would be able to state things like you are used to
seeing out of a text book. But then I wouldn't be here asking for guidance
either.

>
> > We could have solved it here. I would tell you what it was but
> > you wouldn't believe it anyway and still have me chasing DNS problems that
> > are not there.
>
> Look at ALL of YOUR posts -- you have had a lot of people offer you
> help and you are still flailing around without a solution.

Yes, all the posts in response to others. And the problem IS FIXED as of
today. AGAIN an example of you not fully reading a post.

>
> That should help you to realize you aren't stating your problem clearly,
> following the testing strategy we give you, or working logically.

Again, the problem should have been clear, after all you are supposed to be
the professional and be able to interpret what less experienced users are
saying/asking.

I followed all the testing I was able to. Maybe if things were clearer it
would have gotten there more quickly.


>
> You admitted in your last post that you "don't have a clue" what the
> problem is and yet you argue with those trying to help you.

Well, it sure didn't look like a DNS issue and wasn't. Most of the
suggestions looked like lots of extra fishing on how to perform all of the
extra tasks. My time is limited like everyone else's.

>
> Notice that you bother to complain that WE aren't solving your problem,
> but you still don't state explicitly HOW you have proven that your DNS
> or your DC is well.

That is stupid, who would complain if you actually fixed a problem? Maybe
where you come from it is. Whenever I did get a problem resolved I have
always thanked the person(s) involved.

Everything was resolving both internally and externally.


>
> Were you doing that you would post "IPConfig /all" and "DCDiag /c"
> outputs or just simply state: "DCDiag /c completes with no FAIL or
> WARN messages."

I did post those and also pointed out what I thought was relevant. Didn't
seem to matter to anyone.

Herb Martin

Feb 26, 2007, 4:27:03 AM

"Server Guy" <Serv...@discussions.microsoft.com> wrote in message
news:BCFB406F-E509-4662-B590-
> "Herb Martin" wrote:
>
> Yeah, it's all my fault for you not understanding a simple situation.


Exactly -- if you have a simple situation you would be getting excellent
advice from SOMEONE in the several threads you have started if you
had only clearly stated your problem, tried the tests suggested, and
unambiguously offered the results.

This is the most important thing you could likely learn if you wish to
improve as a system admin.

