FIX: “The security database on the server does not have a computer account for this workstation trust relationship”

2 03 2011

I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post.  In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have seen around.  Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself.  Here are the steps I take to fix this issue when it crops up:

  • Open up Active Directory Users & Computers pointed to the domain the computer account resides in
  • From the “View” pull-down menu, make sure that “Advanced Features” is checked
  • Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
  • Open the Properties for the computer object
  • Choose the “Attribute Editor” tab on the Properties dialog box
  • Check the attributes dNSHostName and servicePrincipalName: anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the Full Computer Name configured on the server itself, which you can find here: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name

As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:

dNSHostName:
srv1.mydomainname.com

servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com
RestrictedKrbHost/SRV1
RestrictedKrbHost/srv1.mydomainname.com
TERMSRV/SRV1
TERMSRV/srv1.mydomainname.com

If you find that any of these entries is incorrect, go ahead and fix them; once they all align correctly try logging in again.  After you make any changes, please remember that it may take up to a few minutes for those changes to replicate between all of the Active Directory domain controllers.  Adjusting these values usually works to get me past the error without a reboot in our environment.
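
The comparison described above can be scripted; the PowerShell below is an added example, not part of the original post, that reports where dNSHostName or the HOST, RestrictedKrbHost and TERMSRV SPNs differ from the Full Computer Name. It goes one step beyond the steps above and also flags one of those SPNs registered on a second account, the situation several commenters below describe. The function names and the sample account records are made up for illustration.

```powershell
# Added example. Account records here are constructed; in a live domain they could
# come from the ActiveDirectory module, for instance:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties dNSHostName,servicePrincipalName
function Get-ExpectedSpn {
    param([string] $FullComputerName,
          [string[]] $ServiceClasses = @('HOST', 'RestrictedKrbHost', 'TERMSRV'))
    $short = ($FullComputerName -split '\.')[0].ToUpper()
    foreach ($class in $ServiceClasses) { "$class/$short"; "$class/$FullComputerName" }
}

function Test-ComputerAccountNames {
    param([string] $FullComputerName, [psobject] $Account)
    # -ne, -contains and -notcontains compare case-insensitively in PowerShell
    if ($Account.dNSHostName -ne $FullComputerName) {
        "dNSHostName is '$($Account.dNSHostName)', expected '$FullComputerName'"
    }
    $actual = @($Account.servicePrincipalName)
    foreach ($spn in Get-ExpectedSpn $FullComputerName) {
        if ($actual -notcontains $spn) { "missing SPN: $spn" }
    }
}

function Find-DuplicateSpn {
    param([string] $FullComputerName, [string] $AccountName, [psobject[]] $AllAccounts)
    $expected = @(Get-ExpectedSpn $FullComputerName)
    foreach ($acct in $AllAccounts) {
        if ($acct.Name -eq $AccountName) { continue }   # skip the machine's own account
        foreach ($spn in @($acct.servicePrincipalName)) {
            if ($expected -contains $spn) { "$spn is also registered on '$($acct.Name)'" }
        }
    }
}

# Constructed sample: SRV1 carries a stale FQDN, and SERVER07 still holds
# an SPN for srv1 left over from an old alias.
$accounts = @(
    [pscustomobject]@{
        Name                 = 'SRV1'
        dNSHostName          = 'srv1.olddomain.example'
        servicePrincipalName = @('HOST/SRV1', 'HOST/srv1.olddomain.example',
                                 'RestrictedKrbHost/SRV1', 'TERMSRV/SRV1')
    },
    [pscustomobject]@{
        Name                 = 'SERVER07'
        dNSHostName          = 'server07.mydomainname.com'
        servicePrincipalName = @('HOST/SERVER07', 'HOST/server07.mydomainname.com',
                                 'HOST/srv1.mydomainname.com')
    }
)

$fqdn = 'srv1.mydomainname.com'
$srv1 = $accounts | Where-Object Name -eq 'SRV1'
Test-ComputerAccountNames -FullComputerName $fqdn -Account $srv1
Find-DuplicateSpn -FullComputerName $fqdn -AccountName 'SRV1' -AllAccounts $accounts
```

Servers running other services will carry more SPN classes than the three in the post's example (commenters mention WSMAN and SmtpSvc, for instance); pass them through the `-ServiceClasses` parameter of `Get-ExpectedSpn` if they should be checked too.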

69 responses

3 09 2011
Somewhat anonymous

Was missing the following entries for a machine that I dcpromo’d off the network and then tried to rejoin it to the domain:
TERMSRV/
SmtpSvc/
WSMAN/
ExchangeRFR/

Now I should at least be able to login again and deal with other problems that have likely popped up.
Thanks for the insight!

5 11 2011
Kunal Kumar

THIS SAVED ME A HEAPS OF TIME TO LOOK AROUND FOR A SOLUTION. Thank you very much.

17 11 2011
Leroy Agana

Double checked these items and I have them but I still cannot log in.. host name is correct.. damn, what’s wrong…

19 11 2011
Curtis

Leroy – if none of the above helps, then it may be necessary to unjoin, delete the account, recreate it, and rejoin.

23 11 2011
Ataraxio Panzetta (@AtaraxioP)

Thanks for posting this. You’re a life saver.

16 12 2011
FixZitNow

Thank you so much that fixed my issue.

11 01 2012
techrider62

I was having the same problem but all the fields were blank. Now after making the changes I’m getting the same message on my server and can’t log into it.

3 02 2012
Jeff Jernigan

Ok, so does CASE matter in these instances?

Example: cnwood-x10.cn-wood.local
versus: CNWOOD-X10.cn-wood.local

.. some values for my ServicePrincipalName on the Hypervisor server I can’t log into vary only in case.. I assumed since my DC’s are VM’s now inside this physical box that was why I couldn’t log in .. currently wiping an old poweredge to make it a physical DC.. (shrug) ..

4 02 2012
Milliyon

Oh! yeah .. Instead of doing that .. you can get the computer out from the domain, and delete the computer account from that domain and get it joined again .. hope that will get it fixed.

4 02 2012
Jeff J

So in A D Users and Computers I can just delete the computer itself and reboot the screwed up machine and rejoin it to the domain somehow?

18 02 2012
Danie

Does this apply to Server 2003 as well for the fix? Because I cannot find the Attribute Editor tab

thanks

Danie

28 02 2012
devill

Danie,
run-adsiedit.exe

14 03 2012
Squiggy

I had set a service principal name for a domain service account (for ADFS) to the host DNS name for a computer in my domain. Could no longer log into that computer until I logged onto the domain controller and removed the SPN from that account

16 03 2012
Azhar Hussain

Thank you very much it helped me a lot

20 04 2012
robin

hi

20 04 2012
robin

hi,
it is not working

11 05 2012
lamlam

I am having a problem also after setting this .. I can’t log in to the server share folder..
access deny

11 05 2012
lamlam

when i \\server in the Domain svr , it is come out ..\\server is not accessible… how to solve this

11 05 2012
lamlam

can i join with same name

11 05 2012
lamlam

anyone know this error message ” a trust relationship between this workstation and the domain failed”

11 05 2012
lamlam

oh…finally done, delete, and rejoined server. : )

23 05 2012
John C. Wray III

My issue was I was migrating cifs to another server and I added a spn for the old server to the new server. I just needed to remove the old computer account from AD and I could log back in.

27 05 2012
mario percivaldi

One of my domain terminals didn’t log in. So after trying all kinds of tricks I decided to rip it off from the domain by deleting it.
I created it again using the same name it had before, but it started saying: “The security database on the server does not have a computer account for this workstation trust relationship”
So I started searching for some answers and I followed the steps shown above.
Now I have bigger troubles, because that message began to appear on my domain controller, so I can’t access it.
Is there any solution? I’d created a new domain controller on the same domain on the same root.
Please Help!

11 06 2012
Tobias

This article really saved my life. With some more thinking and these hints I got my solution :)
The thing was that there existed a server with the name “server07”. This server had, because of some special reasons, an alias named “serverXY”.
Now the functionality that caused the alias moved to its own server, which should be named “serverXY”. The alias in DNS was deleted, the new server was named “serverXY” and the error occurred.
The solution was, and that was only visible with adsiedit, to delete the value “serverXY” in “servicePrincipalName” from the AD computer account of “server07”. This entry was created while creating the alias but wasn’t deleted when the alias was removed.
So…. thanks a lot!

19 06 2012
sekitoleko solomon

Delete the profile and also remove it from the registry.. this will definitely work when disjoining the domain has refused

2 07 2012
noel

sall excellent if you have half an idea what you are doing – but i CANNOT find half of this on my 2003! please post pictures or better yet a video?! i am desperate! “Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides” WHAT?!?! you are helping the needy, please understand if we were pro’s we wouldnt need the help

12 07 2012
Harris in Nairobi

Had the same problem connecting a windows 7 laptop to windows 2003 domain. The three changes below

dNSHostName:
srv1.mydomainname.com

servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com

sorted the problem out. THANKS !!!!!!

12 07 2012
Harris in Nairobi

Though I had to remember our domain is .loc not .com….watch out for that one

7 08 2012
Edd

I had big problems trying this. For some reason as soon as I logged off the server and tried to log into the SERVER again. It gave me this same error on the server…ahhhhh! Now I can’t login :( I’ve left it on so people can still get to the resources but why oh why can’t i get into the domain admin account!?

24 08 2012
Jorge

had this happen on a dc today out of the blue. our mail gateway does ldap lookups to check for valid recipients and it suddenly started failing. nobody ever touches the dc unless there is a good reason, so it was very puzzling. i checked the spn and dns entries in the attributes and all of them were present.

guess what fixed it? reboot. :-\ i hate problems that just appear out of thin air and then disappear like that.

11 09 2012
Trevor Roberts Jr. (@VMTrooper)

Thanks Curtis! Your blog entry was the starting point to restore a troubled VM’s Domain account without rebooting.

I had to combine your notes with a setspn MS TechNet article since my servicePrincipalName entry was completely gone!

in any case. Thanks for saving me from a pointless reboot and annoying user outages.

12 09 2012
Shaik

Excellent!!! fix the issue and saved lot of time looking around….

8 10 2012
Oren

I couldn’t even find the computer account for my server, I added it manually but now I can’t see any attribute editor tab. I’m working on windows server 2003.

I would add again the host to the domain, the problem is that I don’t have the local admin password for it so I cant even logon locally :(

Any suggestions?

12 11 2012
Salvor

Thank you very much!

21 11 2012
daagy

This really saved ma time, thnx

23 11 2012
Mallik

Thanks, really useful information and it solved my problem

22 01 2013
Joe

I’ve been having trouble with trust relationship between DC and a workstation named LOC07-07. I have left and rejoined the domain several times and have also deleted and recreated computer object in AD.

By way of history, a while back I moved the original machine named LOC07-07 to a different office and renamed it to LOC09-05. Later, I added a new machine name LOC07-07 to the domain. Using the tips from this blog, I just found that the SPN for LOC09-05 is still LOC07-07. Of course, this is wrong, but could this be the root cause of my problems?

Is best next step to unjoin LOC09-05, delete the computer account in the AD, and rejoin?
.

15 12 2012
Neil

Thank you. Your solution worked! Saved me much time. Great post!

13 02 2013
Strange networking issue: Cannot log in if computer is on a switch

[...] I found fixes for the error here and here, hope they [...]

3 03 2013
Anonymous

I love this article, saved my life :)

14 04 2013
Larry

+500! Since I’m still learning Win 2008 server and running a small home network environment; I was just about to give up and re-install the OS. Thank you greatly for saving me that ordeal!

26 06 2013
VMware user

I can log in to my VM again.
Thank you!

23 07 2013
Madeline

Good blog! I really love how its easy to browse. I’m curious how I could be notified when a new article has been created. I’ve subscribed to your RSS which should do!
Have a nice day and plz excuse my poor english!

25 07 2013
bla

It worked ! Thank you

5 09 2013
Lorena

Yes, Thanks a lot The action on both attributes was the solution for my problem.

Lorena J.

18 09 2013
Matthew Watkin

I just had this situation happen to me, we had a contractor who made a VM template from our File server – but did not rename the server. I deployed a VM from the template and booted up and to my horror seen what he had done. My file shares are still accessible thankfully, and I can log onto the server – what I am going to do out of hours is repair it, as this is my file server, I cannot lose the ACL’s – so I am going to rename it on the domain – then rename it back to what it was. Does anyone know if this will work?

2 10 2013
Nick

I renamed the only domain controller on the network, and got the dreaded “The security database on the server does not have a computer account for this workstation trust relationship.” This is a Windows Server 2012 machine. After opening up a case with Microsoft, it seems the domain controller got renamed locally (in the registry), but did not successfully update the directory. So AD had no idea who the domain controller was that was hosting AD. Here is the fix.

Start the domain controller in AD Services Restore Mode via F8 at boot.
Change the computer name in the following 4 registry keys back to the OLD computer name, before you did the name change:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName “OLDSERVERNAME”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName “OLDSERVERNAME”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “Hostname”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “NVHostname”

Change the “Hostname” and “NVHostname” values to OLDSERVERNAME and restart the server. It should now restart with the name OLDSERVERNAME and it should be functional as a domain controller.

Hope this helps someone in dire need! nick -at- aryfi dot com.

10 10 2013
collision87

thankyou .. it worked for me

30 10 2013
Error: The security database on the server does not have a computer account for this workstation trust relationship | Bits and Bytes

[…] Courtesy of: http://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-… […]

5 02 2014
All Pinky No Brain

I tried all this, but no joy – I still get the “no trust relationship … blah blah”. This is a virtual machine (Hyper-V), to which no-one seems to have local account information… An existing VM got copied & renamed, resulting in this irritating issue. Any more ideas?

16 02 2014
Max Yap

Cause
The DC’s Service Principal Name (SPN) has been duplicated and now exists as an attribute on both the DC as well as some other user or computer.

Resolution

Locate the duplicate SPN and remove it. This value can be found with SETSPN.EXE or LDIFDE.EXE. In this example the duplicate name is “2008r2spn-02”

setspn.exe -x
setspn.exe -q 2008r2spn-02*
ldifde.exe -f spn.txt -d -l serviceprincipalname -r "(serviceprincipalname=*2008r2spn-02*)" -p subtree

Go to –> administrative tool —> Active Directory Users and Computers —> under Computer/Computers, remove the duplicate SPN.

18 02 2014
George

Simply changing the computer’s name often does the trick.

28 02 2014
Harold M. Hines

Excellent, what a website it is! This blog presents useful information to us, keep it up.

13 03 2014
abozabra

Wouldn’t be just in Win7, you just need to go to advance sharing and enable the network discover for the domain?

28 03 2014
sid

To be honest I am still learning here. My issue started when I applied new policies to the domain and then tried to pull them from the DC. I kept getting an error stating that it was not able to authenticate the computer. I played around with it trying different things to get it to update using gpupdate /force but it would not. I am not sure how I got to the next issue I am currently dealing with right now, which is I get the message upon attempting to login “The Security database on the server does not have a computer account for this workstation trust relationship”.

I am not sure what I did to have this happen, but I have tried to disjoin from the domain and rejoin the domain several times and I have not been successful with getting past this error. Lack of knowledge on my part I am sure is also to blame here. I have been poking around on the web to see if I can find information about this issue and what to do to fix it. It is driving me nuts because it is recognized in DNS, I can ping from the DC and the client, they can talk, but it just will not allow me to log in with my domain accounts. Anyway I appreciate the info from this blog and I will carry on in hopes that I will figure this out.

7 04 2014
Jason

Thanks for the information. This has worked for me and allowed me to logon. But I’m after some more information and background. The computer in question sits behind a firewall on a separate subnet. The firewall permits the domain traffic in a test environment. This has allowed me to do some rebuilding and testing of the domain.

I’ve got two new domain controllers, and two member servers, one on the same subnet as the DC’s the other behind the firewall. The server on the same subnet joins the domain fine, yet every time the server behind the firewall seems to join the domain but does not allow the domain users to authenticate.

If I update the dNSHostName and servicePrincipalName as described above, it works fine.

So – why would one computer always not populate the attributes?

Jason
