
Ok, so just for my own use case and purposes I have decided to set up Active Directory on my Dell 2950 server. I have set my main computer up with the domain server. Once I added my computer to the domain I restarted the computer and added a new user in Active Directory (on the server) just to make sure everything was working... When it booted back up it gave me the choice to sign into the account that's on the SSD or sign into an account that I have on the server. When I put in my credentials for the user account I had created and clicked sign in it gave me this error: "The security database on the server does not have a computer account for this workstation trust relationship." I'm thinking this just means that when I added the computer to the domain it did not create an account for that computer in Active Directory on the server. But I'm not positive that that's it.

 

I haven't been able to find anything online to help me, so anyone know what the problem is? Have I not set something up that needs to be setup?

 

Thanks.

Gaming rig- Cpu- Amd 9590, 16gbs of G Skill Ram, Gpu- GTX 760 windforce 3 edition 2gb. A Thermaltake water 2.0 water cooler for my cpu. Keyboard- Thermaltake Posieden , Case- 750D, Mobo Asus 990fx R2.0. 24 inch Dell LED monitor

https://linustechtips.com/topic/185630-problem-with-active-directory/

This is what happens when the computer or server is moved to a new location/IP changes:

To fix it you need to remove your computer from the domain and rejoin it. 

Well, as far as that goes, neither of the computers' IP addresses changed as both have a static IP. Unless when I joined that computer to the domain it changed. But I'll try it when I get home.



@mkessler9

I work on these things at my job (which I'm at right now). We have had this issue before. You need to go to the Active Directory on the DC (Domain Controller) > Users and Computers > Computers > then make sure the computer account exists. The computer account will be named whatever your computer name is (the [name]-PC in Windows when you first install the OS and make the first user). You can check the computer name by pressing Windows + E then clicking System Properties in the top left corner (or on the ribbon bar if you are using Windows 8).

If the account is there, then you need to make sure you are signing into the computer with your domain account (we use Domain/User for example).

 

If both of those things are good, then we get to the more specific issues beyond simple things. First check these two things though.

 

This is what happens when the computer or server is moved to a new location/IP changes:

To fix it you need to remove your computer from the domain and rejoin it. 

That's not the issue. I mean, that causes this issue, but it's not the reason if he didn't move the computer, which it seems like he didn't. Other things can cause this problem.

† Christian Member †

For my pertinent links to guides, reviews, and anything similar, go here, and look under the spoiler labeled such. A brief history of Unix and its relation to OS X by Builder.

 

 


That's not the issue. I mean, that causes this issue, but it's not the reason if he didn't move the computer, which it seems like he didn't. Other things can cause this problem.

 

Hmm what else can cause it? (interested) currently learning this in college so any info would be useful  :)

I guess what I said, and perhaps if any of the PC names change?

Quack 🦆


@mkessler9

I work on these things at my job (which I'm at right now). We have had this issue before. You need to go to the Active Directory on the DC (Domain Controller) > Users and Computers > Computers > then make sure the computer account exists. The computer account will be named whatever your computer name is (the [name]-PC in Windows when you first install the computer). You can check the computer name by pressing Windows + E then clicking System Properties in the top left corner (or on the ribbon bar if you are using Windows 8).

If the account is there, then you need to make sure you are signing into the computer with your domain account (we use Domain/User for example).

 

If both of those things are good, then we get to the more specific issues beyond simple things. First check these two things though.

 

That's not the issue. I mean, that causes this issue, but it's not the reason if he didn't move the computer, which it seems like he didn't. Other things can cause this problem.

Ok thanks, I should be home within the hour and I'll check them then.



Hmm what else can cause it? (interested) currently learning this in college so any info would be useful  :)

I guess what I said, and perhaps if any of the PC names change?

Well, a lot can. Good example: we have 3 DCs at my workplace. We used snapshots (because they are all VMs) to restore DC3 back to an older version to fix a major issue. This was before we knew you were never supposed to use snapshots to back up DCs. Ever. It breaks synchronization when you do this and causes the DC that was reverted to fall out of trust with the domain, meaning it basically can't connect anymore because the primary DC (DC1 in this case) doesn't trust it.

After reverting DC3 to an older version using snapshots, we then logged into DC3 to make sure things were fixed. It gave us this exact same error. Which is kind of crazy considering it's a DC (i.e. it is the server). Admittedly, it wasn't the primary DC, so it makes sense, but at the same time, it wouldn't if you didn't realize that.

But that's why the only "Microsoft recommended" way to back up a DC is through Windows Server Backup, because that accounts for what happens to event synchronization between DCs when you have to jump one back to an older state.

The actual base reasoning for the issue "The security database on the server does not have a computer account for this workstation trust relationship." is that the server doesn't trust the workstation. Meaning it won't let it log on because it isn't allowed in the Domain. It's a security feature really.

The list of things that could cause this that I know of off the top of my head is as follows:

  • The security database is corrupt (i.e. the account can't be found by the server to let the computer on)
  • The computer can't contact the domain. (i.e. networking issue though it's rare it says this rather than "This computer can't contact the domain." or something similar.)
  • The computer was moved (as you said) meaning the server views it as a different computer (new IP and such).
  • The two machines are having issues with Kerberos (the authentication protocol Microsoft uses).

And so on. Basically anything that interferes with the computer authenticating with the server. Whether server or workstation side.

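The checks from the two posts above (does the computer account exist, and does the workstation's trust with the domain still validate) as a script, added here as an example and not code from the thread. It assumes the domain is domain.net as in the thread, that the RSAT ActiveDirectory module is available where the account lookup runs, and that the repair step is run with credentials allowed to reset the computer account.

```powershell
# Added example: diagnosing the "security database on the server does not have a
# computer account for this workstation trust relationship" error from the workstation.
$Domain = 'domain.net'          # assumption: the thread's domain name
$name   = $env:COMPUTERNAME     # the computer account is named after the machine

# 1. Does the workstation's secure channel (its machine-account trust) to a DC validate?
#    Returns $true or $false; -Verbose prints which DC answered.
$channelOk = Test-ComputerSecureChannel -Verbose
Write-Host "Secure channel from $name to $Domain valid: $channelOk"

# 2. Which DC the workstation is using and what the secure-channel status is,
#    from the built-in Netlogon test tool.
nltest "/sc_query:$Domain"
nltest "/dsgetdc:$Domain"

# 3. Does a computer account with this machine's name exist in AD at all?
#    Run where the ActiveDirectory module is installed (the DC, or RSAT).
try {
    $acct = Get-ADComputer -Identity $name -Properties Enabled, DNSHostName, PasswordLastSet
    '{0}: enabled={1} dnsHostName={2} passwordLastSet={3}' -f `
        $acct.Name, $acct.Enabled, $acct.DNSHostName, $acct.PasswordLastSet
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Warning "No computer account named $name in $Domain: the join never created one, or it was deleted."
}

# 4. If the account exists but the channel is broken (e.g. the machine-account
#    password on the DC and on the workstation no longer match), reset it in place
#    instead of unjoining and rejoining. Needs domain credentials with reset rights.
if (-not $channelOk) {
    $cred = Get-Credential -Message "Account allowed to reset $name's password in $Domain"
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
}
```

If step 3 reports no account, a repair cannot succeed and the machine has to be joined again; if the account exists but step 1 is false, the in-place repair in step 4 is the less disruptive fix.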

Well, a lot can. Good example: we have 3 DCs at my workplace. We used snapshots (because they are all VMs) to restore DC3 back to an older version to fix a major issue. This was before we knew you were never supposed to use snapshots to back up DCs. Ever. It breaks synchronization when you do this and causes the DC that was reverted to fall out of trust with the domain, meaning it basically can't connect anymore because the primary DC (DC1 in this case) doesn't trust it.

After reverting DC3 to an older version using snapshots, we then logged into DC3 to make sure things were fixed. It gave us this exact same error. Which is kind of crazy considering it's a DC (i.e. it is the server). Admittedly, it wasn't the primary DC, so it makes sense, but at the same time, it wouldn't if you didn't realize that.

But that's why the only "Microsoft recommended" way to back up a DC is through Windows Server Backup, because that accounts for what happens to event synchronization between DCs when you have to jump one back to an older state.

The actual base reasoning for the issue "The security database on the server does not have a computer account for this workstation trust relationship." is that the server doesn't trust the workstation. Meaning it won't let it log on because it isn't allowed in the Domain. It's a security feature really.

The list of things that could cause this that I know of off the top of my head is as follows:

  • The security database is corrupt (i.e. the account can't be found by the server to let the computer on)
  • The computer can't contact the domain. (i.e. networking issue though it's rare it says this rather than "This computer can't contact the domain." or something similar.)
  • The computer was moved (as you said) meaning the server views it as a different computer (new IP and such).
  • The two machines are having issues with Kerberos (the authentication protocol Microsoft uses).

And so on. Basically anything that interferes with the computer authenticating with the server. Whether server or workstation side.

 

Thanks :)

 

I am currently learning this stuff but I am in my first year, so we have only skipped over things like Kerberos for the moment. Are your other two DCs read-only? (the main DC being the only one that can be changed). That may explain why when you revert back to a snapshot the server itself does not have access or the ability to revert (copy over) the database, so it just corrupts? Or perhaps because it's changed from the original (main) DC that it won't trust the unauthorised changes?

 

This is just pure guesswork on what I think I understand haha :P



Thanks :)

 

I am currently learning this stuff but I am in my first year, so we have only skipped over things like Kerberos for the moment. Are your other two DCs read-only? (the main DC being the only one that can be changed). That may explain why when you revert back to a snapshot the server itself does not have access or the ability to revert (copy over) the database, so it just corrupts? Or perhaps because it's changed from the original (main) DC that it won't trust the unauthorised changes?

 

This is just pure guesswork on what I think I understand haha :P

You're welcome. 

Cool. That's not how ours are set up. That's not what causes the problem when using snapshots. 

Lol, I figured. It's close, but not exactly right (it is a guess after all).

The problem is that when you have multiple DCs in a Domain, they label each event (a change in the system) with an Event ID. A new user being created is an event. A password change is an event. Pretty much anything where a configuration change occurs for the Domain is an event. If the Event ID isn't identical between DCs, they fall out of trust with one another (meaning they stop trusting each other).

Using a snapshot is literally like a time machine for a DC, so its current Event ID changes as well. So say I have 3 DCs. Whether they are read-only or not is kind of irrelevant to this. DCs 1-3 are all on Event ID 4096. That's the last event that occurred in the Domain that all DCs recognize. If you jump DC3 back using a snapshot, its current Event ID will be whatever it was when the snapshot was taken. Say, 2567.

So, when DC1 (primary DC) tries to authenticate and then replicate its current setup to DC3, it will see that it's already done that once, and that DC3 should be current, but isn't. From DC1's perspective, that means DC3 isn't DC3 and shouldn't be trusted. Windows Server Backup somehow preserves the DC's ability to authenticate while still allowing it to be restored. Not sure how, but it does. Snapshots don't.

I figure Windows Server Backup verifies to DC1 that DC3 really is DC3 and is trustable via some flag that says "Hey, I just restored from this backup at this time, and I am definitely DC3."

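The snapshot scenario in the post above, as a check script added here and not taken from the thread: what the post calls an "Event ID" is the update sequence number (USN) that AD replication tracks per DC together with the DC's invocationID, and reverting a snapshot produces what Microsoft calls USN rollback, which NTDS detects and records. It assumes it is run on the reverted DC (DC3 in the post) by a domain admin, with the ActiveDirectory module present as it is on a 2008 R2 DC.

```powershell
# Added example: looking for the evidence of USN rollback on a DC that was reverted
# from a VM snapshot, and for the marker a supported restore leaves instead.
$DcName = $env:COMPUTERNAME    # assumption: run on the DC being examined

# 1. When NTDS detects rollback it quarantines the DC and sets this registry value:
#    "DSA Not Writable" = 4 means USN rollback was detected (inbound/outbound
#    replication disabled, Netlogon paused, so clients get trust errors from it).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'DSA Not Writable'
if ($notWritable -eq 4) {
    Write-Warning "$DcName has detected USN rollback; replication to and from it is quarantined."
} else {
    Write-Host "$DcName: no USN-rollback quarantine flag set."
}

# 2. The Directory Service event log carries the same story:
#    2095 = a partner reported already-acknowledged USNs from this DC (rollback),
#    2103 = the database was restored by an unsupported method (e.g. a snapshot),
#    1109 = invocationID changed, which is what a supported Windows Server Backup
#           restore does so that partners treat the DC as a fresh replica.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 1109 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

# 3. Compare what each partner believes is the highest USN it has seen from this DC
#    (the up-to-dateness vector) with what this DC now reports; after a revert the
#    DC's own USN is lower than what its partners have already consumed.
$nc = (Get-ADDomain).DistinguishedName
repadmin /showutdvec $DcName $nc
repadmin /showrepl $DcName
```

A DC in this state is not repaired by waiting; the supported paths are a restore from a proper backup or demoting and re-promoting it.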

@mkessler9

I work on these things at my job (which I'm at right now). We have had this issue before. You need to go to the Active Directory on the DC (Domain Controller) > Users and Computers > Computers > then make sure the computer account exists. The computer account will be named whatever your computer name is (the [name]-PC in Windows when you first install the OS and make the first user). You can check the computer name by pressing Windows + E then clicking System Properties in the top left corner (or on the ribbon bar if you are using Windows 8).

If the account is there, then you need to make sure you are signing into the computer with your domain account (we use Domain/User for example).

 

If both of those things are good, then we get to the more specific issues beyond simple things. First check these two things though.

 

That's not the issue. I mean, that causes this issue, but it's not the reason if he didn't move the computer, which it seems like he didn't. Other things can cause this problem.

Ok so this is weird. I took the computer off the domain and put it in a workgroup, and now I'm trying to add it back to the domain but it can't find it. Nothing's changed server-side. And I have a static IP along with the DNS set to the server. But when I go to add me as a member it won't work :/ (I had this issue before but yesterday I did something to make it work, but I don't know what I did.)

 

Oh btw, the domain I'm trying to add me to is called domain.net, which is what it says on the server side.



Ok so this is weird. I took the computer off the domain and put it in a workgroup, and now I'm trying to add it back to the domain but it can't find it. Nothing's changed server-side. And I have a static IP along with the DNS set to the server. But when I go to add me as a member it won't work :/ (I had this issue before but yesterday I did something to make it work, but I don't know what I did.)

 

Oh btw, the domain I'm trying to add me to is called domain.net, which is what it says on the server side.

That tells me the issue with the PC was that it couldn't contact the domain, so it couldn't log on. 

Are you typing "domain.net" in the Domain box when trying to add the computer to the domain, or are you typing "domain"? You have to type the full domain according to the server, which would be "domain.net" and not just "domain". 

What all services do you have installed on the server? Obviously it's a Domain Controller, but aside from that? 

I know this is a silly question, but does the Domain Controller have a static IP address? 

Try pinging the DC from the computer through a command prompt using "ping domain.net", then try it with the IP address of the server. If one works while the other doesn't, then it's a DNS issue. If both don't work, it's a network issue. If both work, then it's a server issue.

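The ping-by-name versus ping-by-IP triage from the post above, written out as a script with the DNS checks a domain join actually depends on (a client locates a DC through SRV records, not by pinging the domain name). This is an added example, not code from the thread; it assumes the domain is domain.net and uses a placeholder for the DC's static IP.

```powershell
# Added example: separating "DNS problem" from "network problem" from "server problem"
# when a client cannot find domain.net to join it.
$Domain = 'domain.net'      # assumption: the thread's domain name
$DcIp   = '192.0.2.10'      # PLACEHOLDER: replace with the DC's static IP address

# 1. The triage from the post: name vs. IP reachability.
$byName = Test-Connection -ComputerName $Domain -Count 2 -Quiet
$byIp   = Test-Connection -ComputerName $DcIp   -Count 2 -Quiet
switch ("$byName$byIp") {
    'TrueTrue'   { 'Name and IP both answer: look at the DC itself (DNS zone, services, firewall, join rights).' }
    'FalseTrue'  { 'IP answers but the name does not: DNS problem on the client or a missing record.' }
    'TrueFalse'  { 'Name answers but the IP does not: the name resolves to a different address than expected.' }
    'FalseFalse' { 'Nothing answers: network problem (cabling, subnet, gateway, firewall).' }
}

# 2. Which DNS server is the client actually using? A join needs the DC's DNS
#    role, not the router, because the locator records below live only there.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder

# 3. The records a client uses to find a DC and a Kerberos KDC. If these do not
#    resolve, the join fails even though pinging the DC by name works.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
nslookup -type=SRV "_kerberos._tcp.$Domain"
nltest "/dsgetdc:$Domain" /force      # Netlogon's own DC locator, bypassing its cache

# 4. Does the workstation have a host (A) record in the domain zone?
nslookup "$env:COMPUTERNAME.$Domain"
```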

That tells me the issue with the PC was that it couldn't contact the domain, so it couldn't log on. 

Are you typing "domain.net" in the Domain box when trying to add the computer to the domain, or are you typing "domain"? You have to type the full domain according to the server, which would be "domain.net" and not just "domain". 

What all services do you have installed on the server? Obviously it's a Domain Controller, but aside from that? 

I know this is a silly question, but does the Domain Controller have a static IP address? 

Try pinging the DC from the computer through a command prompt using "ping domain.net", then try it with the IP address of the server. If one works while the other doesn't, then it's a DNS issue. If both don't work, it's a network issue. If both work, then it's a server issue.

I'm doing domain.net and I tried pinging both and both work.



I'm doing domain.net and I tried pinging both and both work.

Have you tried flushing your DNS? It's this in the command prompt:
ipconfig /flushdns
Then try adding the computer to the domain.


Ok so this is weird. I took the computer off the domain and put it in a workgroup, and now I'm trying to add it back to the domain but it can't find it. Nothing's changed server-side. And I have a static IP along with the DNS set to the server. But when I go to add me as a member it won't work :/ (I had this issue before but yesterday I did something to make it work, but I don't know what I did.)

Oh btw, the domain I'm trying to add me to is called domain.net, which is what it says on the server side.

Out of curiosity, what is your schema level? E.g. 2008, 2008 R2, 2012, etc.

                                                                                                                                                      

CPU: Intel I7-4790k | MOBO: Asus Sabertooth Z97 Mark 1 | Ram: Corsair Vengance 32GB 1600hz | GPU: EVGA GTX980 Reference

PSU: Corsair EVGA G2 850W  | SSD: Intel 730 Series 480GB, Kingston SSDNow V300 120GB | HDD: WD Black 1TB

 CPU Cooler: Corsair H105 | Case: Corsair 760T (White) | Peripherals: (2)Asus VS247H-P, Corsair M65, Corsair K70 RGB w/ Brown Switches


Have you tried flushing your DNS? It's this in the command prompt:

ipconfig /flushdns
Then try adding the computer to the domain.

 

I tried it. Still gets an error when I try to connect to the domain.

 

Out of curiosity, what is your schema level? E.g. 2008, 2008 R2, 2012, etc.

I'm using Windows Server 2008 R2



I tried it. Still gets an error when I try to connect to the domain.

I'm using Windows Server 2008 R2

Are you using the ADDS server as a name server or are you using your router as the name server?

                                                                                                                                                      


Are you using the ADDS server as a name server or are you using your router as the name server?

I'm using the name from Active Directory?



I'm using the name from Active Directory?

Right, but what device is translating the names to IP addresses? By default, when installing the ADDS role, a DNS role is installed. If your DC and computer can't talk to each other there might be something going on on the network side.

Verify that both the DC and computer can talk to each other and their gateways. If a ping times out make sure the firewall is off on the server and try again.

                                                                                                                                                      


Right, but what device is translating the names to IP addresses? By default, when installing the ADDS role, a DNS role is installed. If your DC and computer can't talk to each other there might be something going on on the network side.

Verify that both the DC and computer can talk to each other and their gateways. If a ping times out make sure the firewall is off on the server and try again.

I already said that they can both talk to each other earlier. And yes, I'm using the DNS role server-side also.



I already said that they can both talk to each other earlier. And yes, I'm using the DNS role server-side also.

Sorry, didn't see that as I'm on my phone. Just to clarify, have you tried pinging the computer from the server?

Edit: and is there a record for your PC in DNS?

                                                                                                                                                      


Sorry, didn't see that as I'm on my phone. Just to clarify, have you tried pinging the computer from the server? Edit: and is there a record for your PC in DNS?

Yup, I get a reply. 



Yup, I get a reply.

Have you tried renaming and then attempting to reintroduce it to the domain?

Also when you first joined the PC, what rights did the account you used have?

                                                                                                                                                      


Have you tried renaming and then attempting to reintroduce it to the domain?

Also when you first joined the PC, what rights did the account you used have?

I have not tried renaming the domain, but I am restarting the server to see if that does anything. And when I connected to the domain the first time I signed in as an administrator.



I have not tried renaming the domain, but I am restarting the server to see if that does anything. And when I connected to the domain the first time I signed in as an administrator.

Sorry, I didn't mean rename the domain, I meant to rename the PC, restart and then try to join.

                                                                                                                                                      


Have you also tried joining the domain by using the IP instead of the domain name, and have you tried setting your primary DNS server on your client PC to the IP of your DNS server/DC?

If you tell a big enough lie and tell it frequently enough it will be believed.

-Adolf Hitler 

