Fixing Trust Relationship Issues between A Workstation and a Domain

by Damian on October 13, 2013 · 10 comments

in Windows Home Server

Free time has been very sparse of late to get any writing done, but thought I would throw up a quick post in case anyone else runs into a similar issue. Earlier this year I migrated over from WHSv1 to Windows Server 2012 Essentials. For the most part it has been a smooth transition although there have definitely been some bumps in the road. It seems like when things finally start working without issue something always comes up! Yesterday I go to log into my Windows 7 PC and get a message about my password expiring. I am guessing that since my PC is connected to the Windows Server 2012E domain this is something being passed down from the server (although I have never been prompted to change my PC password so it still seemed odd). I went ahead and changed my password, and when I did I got this error message when I tried to log in:

 

No matter what I tried I could not log in to my PC via the domain. I switched from the domain to my local PC to log in and it worked, but now I was not only not connected to the domain but anything I had added to my PC since I joined the domain was missing. I dug around the internet only to find that this is somewhat of a common problem where somehow the password on the client PC gets out of sync with the password stored on the domain (in this case my server). I came across this article which detailed a fix where you remove the workstation from the domain and re-add. I went through the steps, finally went back to my PC to log in to the domain and now I got another error:

At this point I was ready to take a bat to my server and PC lol. Since free time is a commodity I just don’t have the patience I used to with technology, but I took a deep breath, did a search for the error message and found several posts / solutions. Most of the solutions though were similar to the solution from the first error, so they weren’t much help. I found this article though which detailed how to confirm your workstation details on the domain to make sure the appropriate information was there. I switched over to my server and went in to Administrative Tools -> Active Directory Users and Computers, and under the Computers icon I could see my computer and my wife’s. The first thing that stuck out was that under the description mine was blank but my wife’s was populated.


The article mentioned for the issue PC to check the attributes “dNSHostName” and “servicePrincipalName” which you can do by right-clicking on the PC, selecting “Properties” and going to the “Attribute Editor” tab (note, make sure you have advanced features checked under View in the toolbar or you will not see this). Sure enough these two attributes were blank. Under dNSHostName I added the following (Assume that Damian-PC is the workstation and MooseKnuckles is the server domain):

DAMIAN-PC.MooseKnuckles.local

Next, under servicePrincipalName I added the following:

HOST/DAMIAN-PC
HOST/DAMIAN-PC.MooseKnuckles.local
RestrictedKrbHost/DAMIAN-PC
RestrictedKRBHost/DAMIAN-PC.MooseKnuckles.local
TERMSRV/DAMIAN-PC
TERMSRV/DAMIAN-PC.Mooseknuckles.local

Sure enough that did the trick and I was able to finally rejoin the domain on my Windows 7 PC. I am still scratching my head as to why this issue even came up, and why I had to change the password on my PC, but for now everything is working so I will settle with that. Now I just wait for the next issue :D
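The attribute check described above can be scripted instead of clicked through in the Attribute Editor. The following is an added example, not part of the original post: the function names are hypothetical, the two sample objects are constructed, and the expected values simply generalize the dNSHostName and servicePrincipalName entries listed above to any computer name and domain suffix.

```powershell
# Added example: read-only audit of a computer account for the attributes
# the post found blank. Function names and sample objects are constructed.

function Get-ExpectedSpn {
    param([string]$ComputerName, [string]$DnsDomain)
    # Same three service classes the post added, short name and FQDN each.
    foreach ($class in 'HOST', 'RestrictedKrbHost', 'TERMSRV') {
        "$class/$ComputerName"
        "$class/$ComputerName.$DnsDomain"
    }
}

function Test-ComputerAccountAttributes {
    param(
        [Parameter(Mandatory)] $Computer,          # needs Name, dNSHostName, servicePrincipalName
        [Parameter(Mandatory)] [string]$DnsDomain
    )
    $expectedHost = "$($Computer.Name).$DnsDomain"
    $present      = @($Computer.servicePrincipalName)
    # PowerShell string comparison ignores case, so differences in letter
    # case between stored and expected values do not count as missing.
    $missing = @(Get-ExpectedSpn -ComputerName $Computer.Name -DnsDomain $DnsDomain |
                 Where-Object { $present -notcontains $_ })
    $dnsOk = ($Computer.dNSHostName -eq $expectedHost)
    [pscustomobject]@{
        Name                = $Computer.Name
        ExpectedDnsHostName = $expectedHost
        DnsHostNameOk       = $dnsOk
        MissingSpn          = $missing
        Healthy             = ($dnsOk -and $missing.Count -eq 0)
    }
}

# Constructed sample data: one account with blank attributes, one populated.
$blank = [pscustomobject]@{ Name = 'DAMIAN-PC'; dNSHostName = $null; servicePrincipalName = @() }
$good  = [pscustomobject]@{
    Name                 = 'WIFE-PC'   # hypothetical second workstation
    dNSHostName          = 'WIFE-PC.MooseKnuckles.local'
    servicePrincipalName = Get-ExpectedSpn -ComputerName 'WIFE-PC' -DnsDomain 'MooseKnuckles.local'
}

$blank, $good |
    ForEach-Object { Test-ComputerAccountAttributes -Computer $_ -DnsDomain 'MooseKnuckles.local' } |
    Format-List

# Against a live domain (ActiveDirectory module on the server), pass instead:
#   Get-ADComputer -Identity 'DAMIAN-PC' -Properties dNSHostName, servicePrincipalName
```

The script only reports; it changes nothing in the directory, so it can be run before and after a rejoin to confirm the account ended up populated.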

 





Article by

Hi, my name is Damian, and I'm a tech gadget addict! Although I always had some interest in technology, it wasn't until I got my EX470 and more importantly found Mediasmartserver.net, that my interest became an addiction. My goal, aside from world domination and to see the Mets/Broncos win another championship, is to set up the perfect digital home where all my media is available at the click of a button. When I am not writing for Mediasmartserver.net you can find me over at my blog at http://www.adigitalhomeblog.com or follow me on twitter



Greg October 13, 2013 at 4:25 pm

Good to see you getting another article up Damian. Kids really can limit your free time.

I don’t mean to take this OT, but if you or any other readers can give any suggestions….. for the past month or so my main PC (Office) has somehow lost its sharing ability on the network/homegroup. The other PC’s in the house can see all other computers and can share with each other, but when I try to access the shared folders of the work pc I get an error message “Windows cannot access \\OFFICE\xxxxxx”, where xxxxxx is the folder name. I have removed the PC from the workgroup and rejoined it several times, and ensured the folders are shared, but every time I just keep getting this message.

It has been very annoying and the only reason I stopped investigating was that I thought when the 8.1 update came out, I would do a refresh or clean install of everything.


Damian October 18, 2013 at 3:44 am

Hmmm …. that is very odd. Did something change with your PC at some point (any adjustment to user permissions)?


Greg October 18, 2013 at 2:37 pm

No, I didn’t change any permissions.


sandy December 24, 2013 at 3:12 am

can u plz share the print screen from AD related to “dNSHostName” and “servicePrincipalName” because i m not able to find both the options


Daniel Melanchthon [MSFT] December 25, 2013 at 3:42 pm

Hi Damian,
in this situation you do not have to leave the domain. A Windows domain can be addressed via a Netbios name or a DNS name. Go to the client and logon using a local admin account. Look at the Join domain dialog. Which domain name is present (Netbios or DNS)? Just overwrite the existing domain name with the other version and join the same domain. Your computer account will be synced right away.
You can also use NETDOM to reset the password: http://support.microsoft.com/kb/325850/en-us
Both ways are more admin-friendly.
Best,
Daniel
Disclaimer: I work for Microsoft.


Helrazr February 12, 2014 at 9:42 am

+1 for the netdom machine password reset. Couple caveats,

1- You need to know the local admin id and password
2- You have to find netdom.exe for your O/S as for instance Windows 7 doesn’t have the tool natively. You need to download the Remote server admin tools from Microsoft and install it for netdom


Ryan January 18, 2014 at 4:45 pm

I came across this article while looking for general information on the HP Media Smart Server. I read the article, because I am having the same issue at work where a PC will lose the trust relationship with the domain- Win7 Professional (32 and 64 bit PCs) and Server 2008 R2 domain. I have found no real “fix” except to simply rejoin to the domain, but more alarming I think is no one seems to know WHY this is happening- much less Microsoft. Has anyone here come across similar issue or know some more as to what is going on?

*Daniel, I noted your solution and will use it next time this happens. Thanks for the input!


Jay January 20, 2014 at 9:49 am

A much easier way to fix this issue is to remove it from the domain and use ProfWiz (http://www.forensit.com/downloads.html) to rejoin the domain and re-associate the profile all in one move. I have to deal with this issue all the time and this is by far the easiest way I've found to fix the problem.
