Trust relationship failed


Dawn Houser

We have a 2000 AD native mode with a few NT 4 member servers. These servers are no longer mappable but are pingable. When attempting to log into the NT4 server it gives "the system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect". We have changed the network settings to workgroup, rebooted and attempted to connect to the domain. It will not connect unless you put in a username/password. We are able to see it in AD but are still unable to map to it. We get "the trust relationship between this workstation and the primary domain failed".

Logging in locally to the server we can see the domain, and if we click on a domain server we get the login/password, which allows us access. But if we try to access it with a 2000 box it does not allow us to get to it; we get either the trust error or access denied.

The last domain server (5 total), the primary domain, was updated on Friday with the latest service packs, 824146, 824141, 823182, which I removed today, but still we can't get to these NT 4 servers. I saw something in one of these updates about restricting anonymous logon users, and about a year ago my NT 4 servers got the registry edited for restrict anonymous to 1 from 0, under HKeyLM\system\currentcontrolset\control\lsa. I have not changed this on the NT 4 back to 0 but I don't think this is the problem.

Any assistance would be appreciated!
 

Tim Springston (MSFT)

Hi Dawn-

You may want to check RESTRICTANONYMOUS on the domain controller(s). Also,
it would be a good idea to check and see if SMB signing is required on your
domain controller(s). These could result in this problem.

An easy way to check all of this in one fell swoop is to run the MPS Reports
DS (DIR_SVC) utility on a domain controller and look at the
%computername%_REG_ENTRIES.TXT file. It will contain what those settings
are on that machine.

http://www.microsoft.com/downloads/...7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
 

David Pharr [MSFT]

The error you're seeing is a broken secure channel issue - resetting the
computer's machine account using the netdom utility or unjoining/rejoining
the domain should resolve that issue.

From your description it sounds as if you've removed the computers from the
domain and joined them to a workgroup. If that is the case then there
currently should not be computer accounts for those machines in the domain.
If the old computer accounts are still sitting in AD Users and Computers,
delete the accounts before attempting to rejoin the domain. When you
attempt to rejoin the domain you will be prompted for credentials and you
will need to supply a domain account that has permissions to join computers
to the domain. In Windows 2000, any domain account should be able to join
10 computers to the domain.

If your machine was currently a member of the domain, you could use netdom
to reset the computer account and then restart the computer for it to take
effect.
329721 Description of Netdom.exe Syntax and Versions
http://support.microsoft.com/?id=329721

RestrictAnonymous should NOT be set to 2 on your DCs otherwise your NT4
machines will not be able to communicate with the DCs.

246261 How to Use the RestrictAnonymous Registry Value in Windows 2000
http://support.microsoft.com/?id=246261

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Dawn Houser" <[email protected]>
| Subject: Trust relationship failed
| Date: Sun, 8 Feb 2004 19:36:44 -0800
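A check script that ties the two replies together, added here as an example and not part of the thread or of any Microsoft tool: run on a domain controller, it reads the RestrictAnonymous value under the Lsa key named above and the server-side SMB signing requirement (the RequireSecuritySignature value under LanManServer\Parameters), warns on the settings the replies flag, and prints the nltest verification and netdom reset commands from KB 329721. It assumes PowerShell is available on the DC (not the case on Windows 2000 itself, where the same values can be read with regedit or from the MPS Reports output); DomainName and Nt4Member are placeholders.

```powershell
# Added example (not from the thread). Run on a domain controller.
# Reads the two settings the replies point at and prints the secure
# channel verify/reset commands for one NT4 member server.
param(
    [string]$DomainName = 'EXAMPLE',    # placeholder: NetBIOS domain name
    [string]$Nt4Member  = 'NT4SRV01'    # placeholder: NT4 member server name
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Returns the DWORD value, or $null when the value is absent (default applies).
function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$restrictAnon = Get-RegDword $lsa 'RestrictAnonymous'
$requireSign  = Get-RegDword $srv 'RequireSecuritySignature'

"RestrictAnonymous        = $(if ($null -eq $restrictAnon) { '(not set, default 0)' } else { $restrictAnon })"
"RequireSecuritySignature = $(if ($null -eq $requireSign)  { '(not set, default 0)' } else { $requireSign })"

# KB 246261 (quoted above): 2 on a DC stops NT4 machines talking to it.
if ($restrictAnon -eq 2) {
    Write-Warning 'RestrictAnonymous=2 on a DC blocks NT4 members (KB 246261); use 0 or 1.'
}
# Tim's reply: required SMB signing on the DC is a candidate cause.
if ($requireSign -eq 1) {
    Write-Warning 'SMB signing is required on this DC; check the NT4 members can sign before requiring it.'
}

# Secure channel: verify from the member with nltest (Support Tools /
# Resource Kit), then reset the machine account with netdom (KB 329721
# syntax) and restart the member for the reset to take effect.
"Verify on $Nt4Member : nltest /sc_query:$DomainName"
"Reset from this DC   : netdom reset $Nt4Member /domain:$DomainName /server:$env:COMPUTERNAME /userO:$DomainName\Administrator /passwordO:*"
```

The netdom reset only applies while the member is still joined; a machine already moved to a workgroup needs the stale computer account deleted from AD Users and Computers and a fresh join, as David describes.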