Why do PC's lose their trust relationship?


Guest

I say PC's but it can say servers too. I'm not quite so concerned if it's
just a workstation but when it happens to a windows server it can no longer
serve. The computer accounts haven't been deleted from the domain. Is
there anything I can do proactively?
 
Trust relationships rely on security certificates' TTL and how they are set up,
when they expire and whether they have the ability to renew. Additionally,
checking NetBIOS and DNS may help you obtain more information. Check your
event logs (PC and server) and post back security and trust related
information, or run Netdiag /test:kerberos and see if any inconsistencies pop
up.

-Allen Firouz
 
I assume we're talking about the secure channel trusts? If this is
happening you've probably got networking problems, and/or name resolution
problems.

Like Allen said, are there errors/ warnings in the event logs?

Are these mainly remote machines over a poor line, etc.?

What can you tell us about your setup and the environment?


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
I see event logs on the domain controller saying their secure channel
password isn't correct. I was able to look at the PC's event log (though
couldn't map an administrative share due to trust relationship failure) and
honestly nothing looks out of the ordinary. I did see one thing where a
service running with a domain account wouldn't start due to a password
issue, but that would I think be more a symptom rather than the problem
itself.

We do have the occasional network outage. In the last couple of months we
have had two 1/2 hour outages and have been told that outages of 5 minutes
or less won't be reported by the NetAdmins. Also, the server admins ran
into this problem when rebooting a server and voluntarily rejoining it to
the domain.

The setup is with a 100 Mbit Ethernet with FDDI backbone, all based on Cisco.
We have three DC's, all at HQ building.

The main problem is that occasionally a machine will not synchronize its LSA
password and then, it cannot serve. Best guess is that it had network
problems when it was its time to synchronize it, and it just got out of
sync.

I have checked the netlogon logs and not seen anything, I'll run the
Kerberos check and see if that turns anything up.
 
I THINK I'VE GOT PAY DIRT!!!
----


Type: Error
Event ID: 4319
Source: NetBT
User: N/A
Generated: 2/2/2005 11:12:24 PM
Message: A duplicate name has been detected on the TCP network. The IP
address of the
machine that sent the message is in the data. Use nbtstat -n in a command
window to see which name is in the Conflict state.

Type: Warning
Event ID: 3033
Source: MRxSmb
User: N/A
Generated: 2/2/2005 11:12:24 PM
Message: The redirector was unable to register the address for transport
NetBT_Tcpip_{2E4FDBD6-0CE7-42D3-997E-9161E for the following reason: .
Transport has been taken offline.


Some NBTstat logs

---------------

---------------------------------------------
PC1NOPROB <00> UNIQUE Registered
PC1NOPROB <20> UNIQUE Registered
DOMAIN <00> GROUP Registered
DOMAIN <1E> GROUP Registered
PC1NOPROB <01> UNIQUE Registered

C:\Documents and Settings\>nbtstat -a PC2NOTRUST

Local Area Connection:
Node IpAddress: [10.30.49.61] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
PC2NOTRUST <00> UNIQUE Registered
DOMAIN <00> GROUP Registered
PC2NOTRUST <20> UNIQUE Registered
PC2NOTRUST <03> UNIQUE Registered
PC2NOTRUST$ <03> UNIQUE Registered
DOMAIN <1E> GROUP Registered

MAC Address = xx-11-xx-02-F1-1B
============================================

and the clincher:
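The two symptoms this thread turns up, a NetBT 4319 / MRxSmb 3033 pair in the event log and a NetBIOS name in Conflict state in nbtstat -n, can be checked mechanically rather than by reading logs by eye. The script below is an added example for this thread, not anything the posters ran: it parses event-log records pasted in the same Type/Event ID/Source/Message layout shown above, pulls out the two name-conflict event IDs, and then parses nbtstat -n output gathered from several hosts to report names in Conflict state and UNIQUE names claimed by more than one node address (the duplicate-machine-name situation found here). All records, host names and addresses in the block are constructed to match the thread's output format; they are not captured data.

```python
"""Correlate NetBT name-conflict events with nbtstat -n output.

Added example for the thread above. The event records and nbtstat tables
below are constructed to mirror the pasted output; they are not real captures.
"""
import re
from collections import defaultdict

# Constructed event-log records in the layout the thread pasted.
EVENT_LOG = """\
Type: Error
Event ID: 4319
Source: NetBT
User: N/A
Generated: 2/2/2005 11:12:24 PM
Message: A duplicate name has been detected on the TCP network.

Type: Warning
Event ID: 3033
Source: MRxSmb
User: N/A
Generated: 2/2/2005 11:12:24 PM
Message: The redirector was unable to register the address for transport.

Type: Information
Event ID: 6005
Source: EventLog
User: N/A
Generated: 2/2/2005 11:10:00 PM
Message: The Event log service was started.
"""

# (Source, Event ID) pairs the thread identifies as the NetBIOS name-clash signature.
NAME_CONFLICT_EVENTS = {("NetBT", 4319), ("MRxSmb", 3033)}

# Constructed nbtstat -n output from two nodes that both claim the UNIQUE name
# PC2NOTRUST; the second node lost the registration race and shows Conflict.
NBTSTAT_OUTPUTS = ["""\
Local Area Connection:
Node IpAddress: [10.30.49.61] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    PC2NOTRUST     <00>  UNIQUE      Registered
    DOMAIN         <00>  GROUP       Registered
    PC2NOTRUST     <20>  UNIQUE      Registered
""", """\
Local Area Connection:
Node IpAddress: [10.30.49.88] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    PC2NOTRUST     <00>  UNIQUE      Conflict
    DOMAIN         <00>  GROUP       Registered
    PC2NOTRUST     <20>  UNIQUE      Conflict
"""]

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
IP_RE = re.compile(r"Node IpAddress:\s*\[([\d.]+)\]")


def parse_events(text):
    """Split pasted event-log text into one dict per record, keyed by field name."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            fields["Event ID"] = int(fields["Event ID"])
            events.append(fields)
    return events


def name_conflict_events(events):
    """Return only the records whose (Source, Event ID) marks a name conflict."""
    return [e for e in events if (e["Source"], e["Event ID"]) in NAME_CONFLICT_EVENTS]


def parse_nbtstat(text):
    """Return (node_ip, rows); each row is (name, suffix, type, status)."""
    m = IP_RE.search(text)
    node_ip = m.group(1) if m else None
    rows = [r.groups() for r in map(ROW_RE.match, text.splitlines()) if r]
    return node_ip, rows


def find_name_clashes(outputs):
    """Flag names in Conflict state and UNIQUE names held by more than one node."""
    in_conflict = []
    owners = defaultdict(set)
    for text in outputs:
        node_ip, rows = parse_nbtstat(text)
        for name, suffix, ntype, status in rows:
            if status.lower() == "conflict":
                in_conflict.append((node_ip, name, suffix))
            if ntype == "UNIQUE":
                owners[(name, suffix)].add(node_ip)
    duplicated = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    return in_conflict, duplicated


if __name__ == "__main__":
    for e in name_conflict_events(parse_events(EVENT_LOG)):
        print(f"{e['Generated']}  {e['Source']} {e['Event ID']}: {e['Message']}")
    conflicts, dupes = find_name_clashes(NBTSTAT_OUTPUTS)
    for ip, name, suffix in conflicts:
        print(f"{ip}: {name}<{suffix}> is in Conflict state")
    for (name, suffix), ips in dupes.items():
        print(f"{name}<{suffix}> registered as UNIQUE by {', '.join(ips)}")
```

Feeding it nbtstat -n output collected from every host whose secure channel has broken, plus a couple of healthy ones, turns the "walk round the building" step into a table of which UNIQUE names are claimed from more than one address; a name that appears under two node addresses is the machine to rename or rejoin.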
 
So you've fixed it?!?

Nice. Well done!!


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Hi,

I was going to say, I actually got cut off in mid post, the "and the
clincher" was that I found two machines with the same name by doing a
physical walkaround.

I think I may have a better understanding of why these happen, it seems to
usually be something related to DNS/WINS, registered records etc. That's
more than I knew a week ago! ^_^

Thanks for all your help everyone!


 