Workstation Trust Relationship – How to Fix this
The security database on the server does not have a computer account for this workstation trust relationship – I am not sure how many of you have come across the error that says “The security database on the server does not have a computer account for this workstation trust relationship”.
Most of the time I have seen this error when a machine has been turned off for a very extended period; when it is powered on and a user tries to log in, the workstation trust relationship error appears.
One of the easiest fixes for this error is to rejoin the computer to the domain. This requires the computer account to be joined back to the domain, followed by a reboot.
This solution works most of the time; however, I have come across many instances where a domain rejoin didn’t fix the issue.
So why do we see this error? The issue is caused by a mismatch between the attributes of the computer account in Active Directory and the corresponding values on the system itself.
If you plan to fix this error by rejoining the computer to the domain, follow the steps listed below:
1) First unjoin the computer from the domain. Make sure you have set a local administrator password on the machine, or know the password of a user account that is a member of the local Administrators group.
2) Reboot the machine.
3) On the domain controller, go to Active Directory Users and Computers and delete the computer account.
4) It may take a few minutes for the change to replicate between all of the Active Directory domain controllers, so wait a few minutes.
5) Rejoin the machine to the domain.
If the above method doesn’t fix the issue, try the steps below:
Suppose that your computer name is WIN7.PRAJWAL.LOCAL. Open Active Directory Users and Computers, locate the computer object, right-click it and open the Attribute Editor tab. You should see the attribute values listed below in the attribute list.
dNSHostName: WIN7.PRAJWAL.LOCAL
servicePrincipalName:
HOST/WIN7
HOST/WIN7.PRAJWAL.LOCAL
RestrictedKrbHost/WIN7
RestrictedKrbHost/WIN7.PRAJWAL.LOCAL
If you find that any of these entries are incorrect for your computer object, modify them to the correct values. Once the entries are fixed you should be able to log in. Remember that any change may take a few minutes to replicate between all of the Active Directory domain controllers. This method works fine and does not require a reboot of the machine.
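The attribute check described above can also be scripted, which is handy when many machines are affected at once. The following is an added example and not part of the original post; it assumes the RSAT ActiveDirectory PowerShell module is installed, that you have rights to read and modify the computer object, and it uses the WIN7 / PRAJWAL.LOCAL names from the post as placeholders.

```powershell
# Added example (not from the original post). Checks the dNSHostName and
# servicePrincipalName attributes of one computer object against the values
# a workstation normally registers, reports mismatches, and previews the fix.
# Requires the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'WIN7'            # sAMAccountName without the trailing $
$DnsDomain    = 'PRAJWAL.LOCAL'
$Fqdn         = "$ComputerName.$DnsDomain"

# The four SPNs a domain-joined workstation registers for itself
$ExpectedSpns = @(
    "HOST/$ComputerName",
    "HOST/$Fqdn",
    "RestrictedKrbHost/$ComputerName",
    "RestrictedKrbHost/$Fqdn"
)

$Computer = Get-ADComputer -Identity $ComputerName `
    -Properties dNSHostName, servicePrincipalName

# dNSHostName must match the machine's FQDN (DNS names compare case-insensitively)
$DnsOk = $Computer.dNSHostName -ieq $Fqdn
if (-not $DnsOk) {
    Write-Warning "dNSHostName is '$($Computer.dNSHostName)', expected '$Fqdn'"
    # Remove -WhatIf to apply the correction
    Set-ADComputer -Identity $ComputerName -DNSHostName $Fqdn -WhatIf
}

# Compare the SPN list: anything expected but absent, and any HOST or
# RestrictedKrbHost SPN that points at a different name (e.g. an old hostname)
$Current = @($Computer.servicePrincipalName)
$Missing = @($ExpectedSpns | Where-Object { $Current -inotcontains $_ })
$Foreign = @($Current | Where-Object {
    ($_ -match '^(HOST|RestrictedKrbHost)/') -and ($ExpectedSpns -inotcontains $_)
})

foreach ($spn in $Missing) { Write-Warning "Missing SPN: $spn" }
foreach ($spn in $Foreign) { Write-Warning "Unexpected SPN on this object: $spn" }

if ($Missing.Count -gt 0) {
    # Preview only; remove -WhatIf to add the missing SPNs
    Set-ADComputer -Identity $ComputerName `
        -ServicePrincipalNames @{ Add = $Missing } -WhatIf
}
if ($DnsOk -and $Missing.Count -eq 0 -and $Foreign.Count -eq 0) {
    Write-Output "Computer object '$ComputerName': attributes look correct."
}
```

Because changes replicate between domain controllers over a few minutes, run the script (with `-Server` on the cmdlets if needed) against the same domain controller you edited when re-checking.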
Amazing. The bit about adding the ADUC attributes to the computer account helped fix a problem that’s been plaguing me for ages. We have some Citrix VDIs that reset their computer account and other system settings on reboot. So on a couple of VDIs where admins, including myself, have made the mistake of trying to remove and rejoin the domain, the machine, on reboot, would go back to its domain-joined status, but AD had processed the removal. It was impossible to rejoin it to the domain, because the VDI thought it was still part of the domain. Creating a new computer object and manually adding the attributes appears to have done the trick. I did also run the Reset-ComputerMachinePassword command in PowerShell as well – not sure if that had any part in the solution.
Excellent post! Solved my issue right away!
There’s got to be a better way. Came back from over the weekend and about 45 of the 300 computers are saying this. Rejoining 45 to the domain is not something I wanted to spend my week doing. Haven’t had this error in the 5 years since I set up the server / client computers at this location.
Fanatoli, sorry to ask again, I know this is a very old discussion, but did you find the root cause and how to fix it permanently rather than the unjoin domain, reboot, rejoin domain, reboot band-aid fix? Thanks.
But why is this happening? Sometimes it will happen to several of our computers and I have to go around and disjoin, rename and rejoin; it’s a pain and very time consuming. I just had one I had just added to the domain, then it did some Windows updates and rebooted, and now it’s getting that message. I have also had my Exchange server get this error message, and I have to go in and pray that a reboot will solve the issue, as I can’t just simply disjoin the Exchange server, rename it and rejoin it. I know this solution works, but this can’t be the only solution; there has to be a permanent solution or a reason why it’s happening.
I know this is a pretty old discussion, but has anyone found a root cause for why this happens? I’ve seen daily occurrences of this on a lot of our machines and I have to deal with it on a daily basis. What is the permanent solution and fix? If anyone has it, please do share. Thank you.