Difference between revisions of "The trust relationship between this workstation and the primary domain failed"
Jump to navigation
Jump to search
m (Robot: Cosmetic changes) |
m (Robot: Cosmetic changes) |
||
| (25 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | == The | + | == The Issue == |
| − | + | Some of the computers on the network display this error: | |
| + | <pre>The trust relationship between this workstation and the primary domain failed.</pre> | ||
| − | == | + | [[File:Domain_Trust_Error.jpeg|200px]] |
| + | [[File:Trust Relationship Failed.JPG|200px]] | ||
| + | |||
| + | No user is able to log in. | ||
| + | |||
| + | == Potential Solutions == | ||
| + | |||
| + | == Reboot == | ||
| + | |||
| + | Sometimes rebooting clears the error as a workaround | ||
| + | |||
| + | == Setup Time Sync == | ||
w32tm /config /manualpeerlist:bob.ad.pumpingstationone.org,0x8 /syncfromflags:MANUAL | w32tm /config /manualpeerlist:bob.ad.pumpingstationone.org,0x8 /syncfromflags:MANUAL | ||
| Line 12: | Line 24: | ||
w32tm /resync | w32tm /resync | ||
| − | == Reset | + | Also check the timezone is correct. |
| + | |||
| + | Fixes a Potential problem where kerberos and the AD server get out of sync. Has failed to permanently resolve the problem on sliceyToo, but did make it go away for a day while rebooting failed. | ||
| + | |||
| + | == Reset Machine Password == | ||
netdom RESETPWD /Server:bob /UserD:PS1\hef /PasswordD:* | netdom RESETPWD /Server:bob /UserD:PS1\hef /PasswordD:* | ||
| + | |||
| + | |||
| + | |||
| + | Attempted on sliceyToo, has not yet been attempted elsewhere. | ||
| + | |||
| + | Reference: [http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx DON'T REJOIN TO FIX] | ||
| + | I have tried rejoining the computers to domain. It didn't fix. | ||
| + | |||
| + | == Remove Stale Entries to the Old Domain Controller from ldap == | ||
| + | |||
| + | The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain. | ||
| + | |||
| + | |||
| + | === cleaning out the _msdcs record === | ||
| + | Find the extra entry | ||
| + | |||
| + | |||
| + | <pre>samba-tool dns query bob _msdcs.ad.pumpingstationone.org @ ALL | ||
| + | Name=, Records=2, Children=0 | ||
| + | SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=0, ns=vm.ad.pumpingstationone.org., email=hostmaster.ad.pumpingstationone.org. (flags=600000f0, serial=5, ttl=3600) | ||
| + | NS: vm.ad.pumpingstationone.org. (flags=600000f0, serial=1, ttl=900) | ||
| + | Name=8e76c887-c322-4e20-98df-372fa8801c44, Records=1, Children=0 | ||
| + | CNAME: vm.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900) | ||
| + | Name=dc, Records=0, Children=2 | ||
| + | Name=domains, Records=0, Children=1 | ||
| + | Name=e3fac096-8349-4e28-8fda-91d32e6ec7c0, Records=1, Children=0 | ||
| + | CNAME: bob.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900) | ||
| + | Name=gc, Records=0, Children=2 | ||
| + | </pre> | ||
| + | |||
| + | In this case, the extra record is the one that resolves to vm.ad.pumpingstaitonone.org: 8e76c887-c322-4e20-98df-372fa8801c44 | ||
| + | |||
| + | Delete it: | ||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org 8e76c887-c322-4e20-98df-372fa8801c44 CNAME vm.ad.pumpingstationone.org | ||
| + | |||
| + | |||
| + | === gc records === | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org gc ALL | ||
| + | |||
| + | Delete A or AAAA record that is not a Domain controller | ||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc A ${IP4_Address} | ||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc AAAA ${IP6_Address} | ||
| + | |||
| + | I had a lot of stale entries, as ip address have changed before. | ||
| + | |||
| + | === _tcp.gc records === | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.gc ALL | ||
| + | |||
| + | delete SRV records poining to removed machines | ||
| + | |||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100' | ||
| + | |||
| + | === _tcp.dc records === | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.dc ALL | ||
| + | |||
| + | delete the extra records for _ldap and _kerberos | ||
| + | |||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100' | ||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100' | ||
| + | |||
| + | === _tcp.pdc records === | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.pdc ALL | ||
| + | |||
| + | delete the extra _ldap records: | ||
| + | |||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.pdc SRV 'vm.ad.pumpingstationone.org. 389 0 100' | ||
| + | |||
| + | === _tcp records records === | ||
| + | |||
| + | samba-tool dns query bob ad.pumpingstationone.org _tcp ALL | ||
| + | |||
| + | delete the extra _gc, _kerberos, _kpasswd, and _ldap records | ||
| + | |||
| + | samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp SRV 'vm.ad.pumpingstationone.org. 3268 0 100' | ||
| + | samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp SRV 'vm.ad.pumpingstationone.org. 88 0 100' | ||
| + | samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._tcp SRV 'vm.ad.pumpingstationone.org. 464 0 100' | ||
| + | samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp SRV 'vm.ad.pumpingstationone.org. 389 0 100' | ||
| + | |||
| + | === _udp records === | ||
| + | |||
| + | samba-tool dns query bob ad.pumpingstationone.org _udp ALL | ||
| + | |||
| + | delete the extra _kerberos and _kpasswd records | ||
| + | |||
| + | samba-tool dns delete bob ad.pumpingstationone.org _kerberos._udp SRV 'vm.ad.pumpingstationone.org. 88 0 100' | ||
| + | samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._udp SRV 'vm.ad.pumpingstationone.org. 464 0 100' | ||
| + | |||
| + | |||
| + | === _tcp.Default-First-Site-Name._sites records === | ||
| + | |||
| + | samba-tool dns query bob ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites ALL | ||
| + | |||
| + | delete extra _kerberos, _ldap, and _gc records | ||
| + | |||
| + | samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 88 0 100' | ||
| + | samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 389 0 100' | ||
| + | samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 3268 0 100' | ||
| + | |||
| + | === _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains records === | ||
| + | |||
| + | |||
| + | find the domain guid: | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org domains ALL | ||
| + | |||
| + | In my case it was <code>Name=b83beba7-1a4b-4801-a2bd-8ee8ea0eb626, Records=0, Children=1</code> | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains ALL | ||
| + | |||
| + | delete the _ldap record | ||
| + | |||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains SRV 'vm.ad.pumpingstationone.org. 389 0 100' | ||
| + | |||
| + | === _tcp.Default-First-Site-Name._sites.gc === | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.gc ALL | ||
| + | |||
| + | delete extra _ldap records | ||
| + | |||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100' | ||
| + | |||
| + | === _tcp.Default-First-Site-Name._sites.dc === | ||
| + | |||
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.dc ALL | ||
| + | |||
| + | delete extra _kerberos and _ldap records | ||
| + | |||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100' | ||
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100' | ||
| + | |||
| + | === More stale entries === | ||
| + | |||
| + | The primary problem has been resolved, but I am going to document stale entries left behind | ||
| + | * CN=NTDS Settings,CN=VM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org | ||
| + | ** Removing this entry removed the box from the replication pool in <code> samba-tool drs showrepl</code> | ||
Latest revision as of 05:00, 2 September 2014
The Issue
Some of the computers on the network display this error:
The trust relationship between this workstation and the primary domain failed.
No user is able to log in.
Potential Solutions
Reboot
Sometimes rebooting clears the error as a workaround
Setup Time Sync
w32tm /config /manualpeerlist:bob.ad.pumpingstationone.org,0x8 /syncfromflags:MANUAL w32tm /config /update net stop w32time net start w32time w32tm /resync
Also check the timezone is correct.
Fixes a Potential problem where kerberos and the AD server get out of sync. Has failed to permanently resolve the problem on sliceyToo, but did make it go away for a day while rebooting failed.
Reset Machine Password
netdom RESETPWD /Server:bob /UserD:PS1\hef /PasswordD:*
Attempted on sliceyToo, has not yet been attempted elsewhere.
Reference: DON'T REJOIN TO FIX I have tried rejoining the computers to domain. It didn't fix.
Remove Stale Entries to the Old Domain Controller from ldap
The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain.
cleaning out the _msdcs record
Find the extra entry
samba-tool dns query bob _msdcs.ad.pumpingstationone.org @ ALL
Name=, Records=2, Children=0
SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=0, ns=vm.ad.pumpingstationone.org., email=hostmaster.ad.pumpingstationone.org. (flags=600000f0, serial=5, ttl=3600)
NS: vm.ad.pumpingstationone.org. (flags=600000f0, serial=1, ttl=900)
Name=8e76c887-c322-4e20-98df-372fa8801c44, Records=1, Children=0
CNAME: vm.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
Name=dc, Records=0, Children=2
Name=domains, Records=0, Children=1
Name=e3fac096-8349-4e28-8fda-91d32e6ec7c0, Records=1, Children=0
CNAME: bob.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
Name=gc, Records=0, Children=2
In this case, the extra record is the one that resolves to vm.ad.pumpingstaitonone.org: 8e76c887-c322-4e20-98df-372fa8801c44
Delete it:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org 8e76c887-c322-4e20-98df-372fa8801c44 CNAME vm.ad.pumpingstationone.org
gc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org gc ALL
Delete A or AAAA record that is not a Domain controller
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc A ${IP4_Address}
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc AAAA ${IP6_Address}
I had a lot of stale entries, as ip address have changed before.
_tcp.gc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.gc ALL
delete SRV records poining to removed machines
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
_tcp.dc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.dc ALL
delete the extra records for _ldap and _kerberos
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100' samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_tcp.pdc records
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.pdc ALL
delete the extra _ldap records:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.pdc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_tcp records records
samba-tool dns query bob ad.pumpingstationone.org _tcp ALL
delete the extra _gc, _kerberos, _kpasswd, and _ldap records
samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp SRV 'vm.ad.pumpingstationone.org. 3268 0 100' samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp SRV 'vm.ad.pumpingstationone.org. 88 0 100' samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._tcp SRV 'vm.ad.pumpingstationone.org. 464 0 100' samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_udp records
samba-tool dns query bob ad.pumpingstationone.org _udp ALL
delete the extra _kerberos and _kpasswd records
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._udp SRV 'vm.ad.pumpingstationone.org. 88 0 100' samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._udp SRV 'vm.ad.pumpingstationone.org. 464 0 100'
_tcp.Default-First-Site-Name._sites records
samba-tool dns query bob ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites ALL
delete extra _kerberos, _ldap, and _gc records
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 88 0 100' samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 389 0 100' samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
_tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains records
find the domain guid:
samba-tool dns query bob _msdcs.ad.pumpingstationone.org domains ALL
In my case it was Name=b83beba7-1a4b-4801-a2bd-8ee8ea0eb626, Records=0, Children=1
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains ALL
delete the _ldap record
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains SRV 'vm.ad.pumpingstationone.org. 389 0 100'
_tcp.Default-First-Site-Name._sites.gc
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.gc ALL
delete extra _ldap records
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
_tcp.Default-First-Site-Name._sites.dc
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.dc ALL
delete extra _kerberos and _ldap records
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100' samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
More stale entries
The primary problem has been resolved, but I am going to document stale entries left behind
- CN=NTDS Settings,CN=VM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org
- Removing this entry removed the box from the replication pool in
samba-tool drs showrepl
- Removing this entry removed the box from the replication pool in