WikiBots
1,397
edits
Changes
From Pumping Station One
The trust relationship between this workstation and the primary domain failed (view source)
Revision as of 05:00, 2 September 2014
, 05:00, 2 September 2014Robot: Cosmetic changes
== The Issue ==
== The Issue ==
Some of the computers on the lan display this error.
Some of the computers on the network display this error:
<pre>The trust relationship between this workstation and the primary domain failed.</pre>
<pre>The trust relationship between this workstation and the primary domain failed.</pre>
[[File:Domain_Trust_Error.jpeg]]
[[File:Domain_Trust_Error.jpeg|200px]]
[[File:Trust Relationship Failed.JPG|200px]]
No user is able to log in.
== Potential Solutions ==
== Potential Solutions ==
Also check the timezone is correct.
Also check the timezone is correct.
Fixes a Potential problem where kerberos and the AD server get out of sync. Has failed to permanently resolve the problem on sliceyToo, but did make it go away for a day while rebooting failed.
Fixes a Potential problem where kerberos and the AD server get out of sync. Has failed to permanently resolve the problem on sliceyToo, but did make it go away for a day while rebooting failed.
== Reset Machine Password ==
== Reset Machine Password ==
netdom RESETPWD /Server:bob /UserD:PS1\hef /PasswordD:*
netdom RESETPWD /Server:bob /UserD:PS1\hef /PasswordD:*
Attempted on sliceyToo, has not yet been attempted elsewhere.
Attempted on sliceyToo, has not yet been attempted elsewhere.
Reference: [http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx DON'T REJOIN TO FIX]
I have tried rejoining the computers to domain. It didn't fix.
== Remove Stale Entries to the Old Domain Controller from ldap ==
== Remove Stale Entries to the Old Domain Controller from ldap ==
The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain.
The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain.
=== cleaning out the _msdcs record ===
Find the extra entry
<pre>samba-tool dns query bob _msdcs.ad.pumpingstationone.org @ ALL
Name=, Records=2, Children=0
SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=0, ns=vm.ad.pumpingstationone.org., email=hostmaster.ad.pumpingstationone.org. (flags=600000f0, serial=5, ttl=3600)
NS: vm.ad.pumpingstationone.org. (flags=600000f0, serial=1, ttl=900)
Name=8e76c887-c322-4e20-98df-372fa8801c44, Records=1, Children=0
CNAME: vm.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
Name=dc, Records=0, Children=2
Name=domains, Records=0, Children=1
Name=e3fac096-8349-4e28-8fda-91d32e6ec7c0, Records=1, Children=0
CNAME: bob.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900)
Name=gc, Records=0, Children=2
</pre>
In this case, the extra record is the one that resolves to vm.ad.pumpingstaitonone.org: 8e76c887-c322-4e20-98df-372fa8801c44
Delete it:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org 8e76c887-c322-4e20-98df-372fa8801c44 CNAME vm.ad.pumpingstationone.org
=== gc records ===
samba-tool dns query bob _msdcs.ad.pumpingstationone.org gc ALL
Delete A or AAAA record that is not a Domain controller
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc A ${IP4_Address}
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc AAAA ${IP6_Address}
I had a lot of stale entries, as ip address have changed before.
=== _tcp.gc records ===
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.gc ALL
delete SRV records poining to removed machines
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
=== _tcp.dc records ===
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.dc ALL
delete the extra records for _ldap and _kerberos
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
=== _tcp.pdc records ===
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.pdc ALL
delete the extra _ldap records:
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.pdc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
=== _tcp records records ===
samba-tool dns query bob ad.pumpingstationone.org _tcp ALL
delete the extra _gc, _kerberos, _kpasswd, and _ldap records
samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._tcp SRV 'vm.ad.pumpingstationone.org. 464 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp SRV 'vm.ad.pumpingstationone.org. 389 0 100'
=== _udp records ===
samba-tool dns query bob ad.pumpingstationone.org _udp ALL
delete the extra _kerberos and _kpasswd records
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._udp SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._udp SRV 'vm.ad.pumpingstationone.org. 464 0 100'
=== _tcp.Default-First-Site-Name._sites records ===
samba-tool dns query bob ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites ALL
delete extra _kerberos, _ldap, and _gc records
samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 389 0 100'
samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
=== _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains records ===
find the domain guid:
samba-tool dns query bob _msdcs.ad.pumpingstationone.org domains ALL
In my case it was <code>Name=b83beba7-1a4b-4801-a2bd-8ee8ea0eb626, Records=0, Children=1</code>
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains ALL
delete the _ldap record
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains SRV 'vm.ad.pumpingstationone.org. 389 0 100'
=== _tcp.Default-First-Site-Name._sites.gc ===
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.gc ALL
delete extra _ldap records
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100'
=== _tcp.Default-First-Site-Name._sites.dc ===
samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.dc ALL
delete extra _kerberos and _ldap records
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100'
samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100'
=== More stale entries ===
The primary problem has been resolved, but I am going to document stale entries left behind
* CN=NTDS Settings,CN=VM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org
** Removing this entry removed the box from the replication pool in <code> samba-tool drs showrepl</code>
