Domain Trust Issue

Rich

I have a small network (~30 PC's) set up as a domain (Windows Server 2003 R2,
SP2).

Yesterday, a user attempted to logon and rec'd an error msg about a trust
issue between the workstation and domain. I pulled the PC off the domain and
re-joined it. That fixed the problem.

My question is, What would cause this problem?

Some info:
- He's the only one on the network with a Laptop running Vista 64-bit (what
can I say, he's the director and does things, then asks questions).
- He had taken the laptop home the night before, and said it worked fine
(but, heck, I don't know what he did and he probably didn't tell me
everything!)

Thanks for any thoughts . . .

Rich
 
Ace Fekay [MCT]

"Rich" wrote in message
news:995C0772-1DDC-453B-8C29-5BBF3670A319@microsoft.com...
>I have a small network (~30 PC's) set up as a domain (Windows Server 2003
>R2,
> SP2).
>
> Yesterday, a user attempted to logon and rec'd an error msg about a trust
> issue between the workstation and domain. I pulled the PC off the domain
> and
> re-joined it. That fixed the problem.
>
> My question is, What would cause this problem?
>
> Some info:
> - He's the only one on the network with a Laptop running Vista 64-bit
> (what
> can I say, he's the director and does things, then asks questions).
> - He had taken the laptop home the night before, and said it worked fine
> (but, heck, I don't know what he did and he probably didn't tell me
> everything!)
>
> Thanks for any thoughts . . .
>
> Rich



Well, that's difficult to diagnose if you don't know, and he's not telling
you. If he has local admin rights, he could have installed some sort of
security software or something else that could have caused it.

Ace
 
Dusko Savatovic

Hi Rich,

Domain member computers occasionally change domain password. This can be
disabled thru group policy. The behaviour you observed is typical when
password between member computer and domain controller gets out of sync. The
only solution is to unjoin and join again a domain. Before unjoin/join, you
may wish to reset computer account in Active Directory Users and Computers
(ADUC), but I didn't see practical benefits of this extra step.

"Rich" wrote in message
news:995C0772-1DDC-453B-8C29-5BBF3670A319@microsoft.com...
> I have a small network (~30 PC's) set up as a domain (Windows Server 2003
> R2,
> SP2).
>
> Yesterday, a user attempted to logon and rec'd an error msg about a trust
> issue between the workstation and domain. I pulled the PC off the domain
> and
> re-joined it. That fixed the problem.
>
> My question is, What would cause this problem?
>
> Some info:
> - He's the only one on the network with a Laptop running Vista 64-bit
> (what
> can I say, he's the director and does things, then asks questions).
> - He had taken the laptop home the night before, and said it worked fine
> (but, heck, I don't know what he did and he probably didn't tell me
> everything!)
>
> Thanks for any thoughts . . .
>
> Rich
 
Ace Fekay [MCT]

"Dusko Savatovic" wrote in message
news:eLFvlFvUKHA.5208@TK2MSFTNGP05.phx.gbl...
> Hi Rich,
>
> Domain member computers occasionally change domain password. This can be
> disabled thru group policy. The behaviour you observed is typical when
> password between member computer and domain controller gets out of sync.
> The only solution is to unjoin and join again a domain. Before
> unjoin/join, you may wish to reset computer account in Active Directory
> Users and Computers (ADUC), but I didn't see practical benefits of this
> extra step.
>


Dusko,

Disabling machine account password changes (default every 30 days with AD
2003 & 2008) can be done, and may possibly alleviate this issue, but
security-wise it's not really recommended, especially I would think if it's
just the boss doing something on his machine.

If interested, for more info on this setting, there was an in-depth
discussion on machine account password change settings in the AD newsgroup:

From: insane_drummer
Subject: XP Machine Account Password Changes
Date: Tue, 20 Oct 2009 02:11:10 +0530
Newsgroups: microsoft.public.windows.server.active_directory

I would be curious as to what the boss is doing on his machine causing this.
Maybe he has some sort of password saving software that may also be
prompting him about the machine account password that he's not sure how to
respond to? I mean, I don't know if those password apps do that or not, but
it's just a thought.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
 
Dusko Savatovic

Sure Ace,

The defaults are set with a reason and there's no reason to depart from the
well threaded path.
I was thinking about this issue. If the boss was doing something, he was
probably experimenting with newsid or sysprep or some similar tool.

Just my 2c.


"Ace Fekay [MCT]" wrote in message
news:uI2DvExUKHA.1280@TK2MSFTNGP04.phx.gbl...
> "Dusko Savatovic" wrote in message
> news:eLFvlFvUKHA.5208@TK2MSFTNGP05.phx.gbl...
>> Hi Rich,
>>
>> Domain member computers occasionally change domain password. This can be
>> disabled thru group policy. The behaviour you observed is typical when
>> password between member computer and domain controller gets out of sync.
>> The only solution is to unjoin and join again a domain. Before
>> unjoin/join, you may wish to reset computer account in Active Directory
>> Users and Computers (ADUC), but I didn't see practical benefits of this
>> extra step.
>>

>
> Dusko,
>
> Disabling machine account password changes (default every 30 days with AD
> 2003 & 2008) can be done, and may possibly alleviate this issue, but
> security-wise it's not really recommended, especially I would think if
> it's just the boss doing something on his machine.
>
> If interested, for more info on this setting, there was an in-depth
> discussion on machine account password change settings in the AD
> newsgroup:
>
> From: insane_drummer
> Subject: XP Machine Account Password Changes
> Date: Tue, 20 Oct 2009 02:11:10 +0530
> Newsgroups: microsoft.public.windows.server.active_directory
>
> I would be curious as to what the boss is doing on his machine causing
> this. Maybe he has some sort of password saving software that may also be
> prompting him about the machine account password that he's not sure how to
> respond to? I mean, I don't know if those password apps do that or not,
> but it's just a thought.
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
 
Ace Fekay [MCT]

"Dusko Savatovic" wrote in message
news:OyXYxX0UKHA.4704@TK2MSFTNGP02.phx.gbl...
> Sure Ace,
>
> The defaults are set with a reason and there's no reason to depart from
> the well threaded path.
> I was thinking about this issue. If the boss was doing something, he was
> probably experimenting with newsid or sysprep or some similar tool.
>
> Just my 2c.
>


Hmm, interesting thought. A good reason to not give someone local admin
rights, but then again, it's difficult when it's a demanding boss.

Or possibly another thought - he may have installed his own
security/firewall app, such as what his home ISP provided for free (Comcast,
AOL, etc) and it locked down the system?

Ace
 
DaveMills

On Thu, 22 Oct 2009 10:26:45 +0200, "Dusko Savatovic"
wrote:

>Hi Rich,
>
>Domain member computers occasionally change domain password. This can be
>disabled thru group policy. The behaviour you observed is typical when
>password between member computer and domain controller gets out of sync. The
>only solution is to unjoin and join again a domain.

It is not the "only" solution. NetDom can be used to reset the passwords or
easier is to reset the account from the PC. For XP this is simply opening System
Properties/Computer Name tab and using the "Network ID" button not the "Change"
button. This wizard will find the existing computer account and allow you to use
it. All group memberships and other settings are then kept. Leaving the domain
and rejoining can lose settings such as "Managed Computer" status.

>Before unjoin/join, you
>may wish to reset computer account in Active Directory Users and Computers
>(ADUC), but I didn't see practical benefits of this extra step.
>
>"Rich" wrote in message
>news:995C0772-1DDC-453B-8C29-5BBF3670A319@microsoft.com...
>> I have a small network (~30 PC's) set up as a domain (Windows Server 2003
>> R2,
>> SP2).
>>
>> Yesterday, a user attempted to logon and rec'd an error msg about a trust
>> issue between the workstation and domain. I pulled the PC off the domain
>> and
>> re-joined it. That fixed the problem.
>>
>> My question is, What would cause this problem?
>>
>> Some info:
>> - He's the only one on the network with a Laptop running Vista 64-bit
>> (what
>> can I say, he's the director and does things, then asks questions).
>> - He had taken the laptop home the night before, and said it worked fine
>> (but, heck, I don't know what he did and he probably didn't tell me
>> everything!)
>>
>> Thanks for any thoughts . . .
>>
>> Rich

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
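
As an added example (not part of any post in this thread): a Windows PowerShell check for the two things discussed above, namely whether machine account password changes have been disabled on the member, and whether its secure channel to the domain is intact, with an in-place repair instead of unjoin/rejoin. It assumes Windows PowerShell 3.0 or later, an elevated session on the affected domain member, and a reachable domain controller; the two registry values are the Netlogon parameters behind the "Domain member" password-change policy settings.

```powershell
# Added example: run in an elevated Windows PowerShell session on the domain member,
# while it is connected to the domain network (a DC must be reachable).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon

# A missing value means the default applies: changes enabled, 30-day maximum age.
$disabled = 0
$maxAge   = 30
if ($null -ne $params.DisablePasswordChange) { $disabled = [int]$params.DisablePasswordChange }
if ($null -ne $params.MaximumPasswordAge)    { $maxAge   = [int]$params.MaximumPasswordAge }

# True when the locally stored machine account password still matches the domain's copy.
$channelOk = Test-ComputerSecureChannel

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    Domain                 = (Get-CimInstance Win32_ComputerSystem).Domain
    PasswordChangeDisabled = [bool]$disabled
    MaximumPasswordAgeDays = $maxAge
    SecureChannelHealthy   = $channelOk
}

if ($disabled) {
    Write-Warning 'Machine account password changes are disabled on this member (non-default).'
}

if (-not $channelOk) {
    # Reset the machine account password in place. The existing computer object,
    # its group memberships and its other settings are kept.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output 'Secure channel repaired without leaving the domain.'
    } else {
        Write-Warning 'Repair failed. Check DC connectivity and the computer account in ADUC.'
    }
}
```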
 