Trust relationship between this workstation and Primary Domain Failed

I have never had trouble joining clients to the Win 2k domain before, but
this time I accidentally lost track of workstation #'s and joined a client to
the domain with the same name as an existing client. I realized my mistake
after a user could not log on to the other workstation. I managed to get that
workstation joined back to the domain under a new name, but the newest
machine, WinXP Pro SP2, now will not join the domain, no matter what. I
should say that I can get it to join - I get the welcome message - but it
always hangs on "loading your personal settings" when I try to log on to the
domain for the first time (with a domain admin account). I have gone through
these posts and tried many things, moving to a workgroup and rejoining,
adding through netdom, resetting secure channels, etc... any number of times,
even reinstalled the OS on the client - all to no avail. It's as if this
machine is blackballed as far as the AD domain is concerned. The error that
is always there is that the "trust relationship between this workstation and
the primary domain failed". Can this trust relationship be manually repaired?
How? Also, how does the domain identify this PC uniquely? Is the GUID from
the NIC, a BIOS chip, the CPU, or the OS key? If I can't fix it, can I fool
it (the domain) into thinking this is a different machine? Any help would be
greatly appreciated. This is a particularly puzzling problem because all the
things in the forum that should have fixed this have failed to do so, so far.
- Thanks, Mike
 
Have you un-joined the computer from the domain? That is likely the only
way to repair the damage. Un-join the PC by logging onto it as "Workstation
Only", then remove it from the domain and move it to a workgroup. The
process will complete with an error message, which is fine. Then reboot the
PC and log onto the workgroup, re-joining the domain only then.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Yes, unfortunately, I have tried that many times without success. In fact,
this morning I once again did a fresh install of WinXP SP2, gave the computer
a new different name in a new different workgroup, rebooted, and tried once
again to join the domain. Once again it appeared I was joined to the domain
(and partly I am because I can tell that group policy is applied because of
logon disclaimer and renamed administrator account) but I still hang at
"loading personal settings". I walked away and let it sit for half an hour.
When I came back it's still sitting at the same screen. No domain user can
log on to the domain at this PC.
 
I also just found this from this morning before I reinstalled the OS on the
client. It was in the System log on the DC as a warning just before the
"Access denied" error regarding one of the logon attempts for the workstation:
Event ID 36872
Warning
No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an application
is the directory server. Applications that manage their own credentials, such
as Microsoft Internet Information Services (IIS), are not affected by this.
Could this mean that the problem is on the DC? How could it have lost its
credentials when the issue is going on with the workstation? In the past few
months I've added two workstations to the domain without incident. I'm
wondering if this is the problem or a bogus message. If it is the problem,
how do you fix it?
- Mike
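As an added example, not part of Mike's post: Schannel event 36872 means the DC has no certificate in its computer store that Schannel can use as the default server credential, which is what LDAP over SSL on port 636 needs. The Kerberos and Netlogon traffic that a domain join and a domain logon use does not go over SSL, so this warning is worth checking but is separate from the secure-channel failure on the workstation. The script below, run on the DC, lists any usable server-authentication certificate, the recent 36872 events, and whether port 636 answers. It assumes a current Windows version with Get-WinEvent and Test-NetConnection; on a Windows 2000 DC the equivalent is inspecting the Computer account's Personal certificate store and the System log by hand. The DC name is taken from the local host.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# domain controller that logged Schannel event 36872. Shows whether a
# server-authentication certificate with a private key exists for this host,
# the recent 36872 events, and whether LDAPS (636) is answering.
# The DC name defaults to the local host's FQDN.
param(
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# Certificates Schannel could select as the default server credential:
# in the machine's Personal store, private key present, not expired,
# Server Authentication EKU, and a SAN/DNS name matching this host.
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.DnsNameList.Unicode -contains $DcFqdn)
}

if ($usable) {
    Write-Host "Server-authentication certificate(s) for $DcFqdn :"
    $usable | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    Write-Warning "No server-authentication certificate with a private key for $DcFqdn. Schannel will keep logging 36872 and LDAPS on 636 cannot work; Kerberos/Netlogon domain join and logon do not use this certificate."
}

# Recent occurrences of the warning quoted in the thread.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36872 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap

# Is anything listening on the LDAPS port at all?
Test-NetConnection -ComputerName $DcFqdn -Port 636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If the certificate list is empty and 636 refuses the connection, the 36872 warning is explained by the DC simply having no LDAPS certificate, which is the normal state of a DC that was never enrolled for one.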

 
Ah, no; that's not what I asked. You should have tried, before reinstalling
Windows and/or changing the computer's credentials, specifically using the
Network Identification tab to remove it from the domain. It's likely now
too late since you've reinstalled Windows. If the DNS configuration is
correct (pointing only to the domain DNS master for name resolution) then
you may simply have to disjoin the domain correctly, remove all machine
accounts for the machine, then re-join the domain.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
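As an added worked example, not part of Richard's reply or anything Mike reports running: the check-and-repair sequence the reply describes (DNS pointing only at the domain's own DNS servers, the state of the secure channel, stale or duplicate machine accounts for the host, then a clean disjoin and rejoin) as a PowerShell script for a current Windows member. On a Windows 2000/XP machine the same steps are the Support Tools commands nltest /sc_query, nltest /sc_reset, netdom remove and netdom join; the Test-ComputerSecureChannel, Remove-Computer and Add-Computer cmdlets and the ActiveDirectory module used below did not exist then. The domain name corp.example is an assumption; the computer name is taken from the local host.

```powershell
# Added example (not from the thread). Diagnose a member whose secure channel
# to the domain is broken, then optionally repair it in place or disjoin it
# for a clean rejoin. Run in an elevated PowerShell on the affected
# workstation; section 3 needs the RSAT ActiveDirectory module.
# The domain FQDN below is an assumption; replace it with the real one.
param(
    [string]$Domain   = 'corp.example',
    [string]$Computer = $env:COMPUTERNAME,
    [switch]$Repair,      # reset the secure channel in place
    [switch]$Rejoin       # disjoin to a workgroup so the machine can be rejoined
)

$cred = $null
if ($Repair -or $Rejoin) { $cred = Get-Credential -Message "Domain admin for $Domain" }

# 1. DNS: the member must locate DCs through the domain's own DNS servers.
#    Any ISP or router resolver in this list breaks DC location.
Write-Host "== DNS servers per adapter =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

Write-Host "== DC locator SRV record =="
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Format-Table NameTarget, Port -AutoSize

# 2. Secure channel: query it, then repair it in place if asked. This is the
#    "resetting secure channels" step mentioned in the thread.
Write-Host "== Secure channel =="
nltest /sc_query:$Domain | Out-Host
$ok = Test-ComputerSecureChannel
Write-Host "Test-ComputerSecureChannel: $ok"
if (-not $ok -and $Repair) {
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# 3. Computer accounts in AD whose name matches this host. More than one object
#    for the same machine, or one left over from the mistaken join, is what has
#    to be removed before a rejoin can succeed.
Write-Host "== Computer accounts matching $Computer =="
Import-Module ActiveDirectory -ErrorAction Stop
$accounts = Get-ADComputer -Filter "Name -like '$Computer*'" `
    -Properties whenCreated, lastLogonTimestamp
$accounts | Format-Table Name, DNSHostName, SID, whenCreated -AutoSize
# After reviewing the list, remove the stale object by its DN, for example:
# Remove-ADComputer -Identity $accounts[1].DistinguishedName -Confirm:$false

# 4. Clean disjoin, then rejoin after a reboot and a local logon, as the
#    thread describes.
if ($Rejoin) {
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force
    Write-Host "Disjoined. Reboot, log on with a local account, then run:"
    Write-Host "  Add-Computer -DomainName $Domain -Credential (Get-Credential) -Restart"
}
```

Run it first with no switches to see the DNS, secure channel and account state; use -Repair only when a single, correct computer object exists, and -Rejoin when the account list shows duplicates that have to be cleaned up first.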


Yes, unfortunately, I have tried that many times without success. In fact,
this morning I once again did a fresh install of WinXP SP2, gave the
computer
a new different name in a new different workgroup, rebooted, and tried
once
again to join the domain. Once again it appeared I was joined to the
domain
(and partly I am because I can tell that group policy is applied because
of
logon disclaimer and renamed administrator account) but I still hang at
"loading personal settings". I walked away and let it sit for half an
hour.
When I came back it's still sitting at the same screen. No domain user can
log on to the domain at this PC.

Richard G. Harper said:
Have you un-joined the computer from the domain? That is likely the only
way to repair the damage. Un-join the PC by logging onto it as
"Workstation
Only", then remove it from the domain and move it to a workgroup. The
process will complete with an error message, which is fine. Then reboot
the
PC and log onto the workgroup, re-joining the domain only then.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


I have never had trouble joining clients to the Win 2k domain before,
but
this time I accidentally lost track of workstation #'s and joined a
client
to
the domain with the same name as an existing client. I realized my
mistake
after a user could not log on to the other workstation. I managed to
get
that
workstation joined back to the domain under a new name, but the newest
machine, WinXP Pro SP2, now will not join the domain, no matter what. I
should say that I can get it to join - I get the welcome message - but
it
always hangs on "loading your personal settings" when I try to log on
to
the
domain for the first time ( with a domain admin account). I have gone
through
these posts and tried many things, moving to a workgroup and rejoining,
adding through netdom, resetting secure channels, etc... any number of
times,
even reinstalled the OS on the client - all to no avail. It's as if
this
machine is blackballed as far as the AD domain is concerned. The error
that
is always there is that the "trust relationship between this
workstation
and
the primary domain failed". Can this trust relationship be manually
repaired?
How? Also, how does the domain identify this PC uniquely? Is the GUID
from
the NIC, a BIOS chip, the CPU, or the OS key? If I can't fix it, can I
fool
it (the domain) into thinking this is a different machine? Any help
would
be
greatly appreciated. This is a particularly puzzling problem because
all
the
things in the forum that should have fixed this have failed to do so,
so
far.
- Thanks, Mike
 
Richard,
I understood what you asked me to do, but I had already tried that way at
least a dozen times before. That is one of the things that should have worked
that I had read earlier in some of the other posts to the newsgroup. That's
the part that's so frustrating, it should fix the problem but it doesn't. I
decided to do a fresh install and try that method again, after you suggested
it, with a new computer ID, a new workgroup ID, but again to no avail. I
really think it hinges on that broken trust relationship somehow tied to a
GUID from the computer that doesn't change with changes to a new ID or even a
fresh install. It really seems in a lot of ways that I am being joined to the
domain partially. I say this because I see the computer in AD Users &
Computers, group policy for the domain is applied to the PC (because of
password policy, renamed admin account, automatic updates are controlled by
domain policy & I see the PC on WSUS update server). So far, it seems I just
can't get domain user accounts logged on to the domain from that PC. My
biggest fear is if there is a problem on the domain side and I will not be
able to join ANY new PC to the domain in the future. I have a document
imaging and storage server that will need to be added to the domain in
about a month, so I am really nervous now about that. I appreciate all of
your help and suggestions so far, so if you can think of anything else based
on what I've told you this time, please let me know.
Thanks,
- Mike
