The security database on the server does not have a computer account for this workstation trust relationship

When I try to log on to my DC it says "The security database on the server does not have a computer account for this workstation trust relationship". It won't let me log on. I installed another server, Server 2012 R2 (it's virtual), and I can get to ADSI Edit.
I think what happened was I had a PC that could not connect without unplugging the network cable. So I found this fix:
FIX: “The security database on the server does not have a computer account for this workstation trust relationship”2032011
I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post. In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have seen around. Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself. Here are the steps I take to fix this issue when it crops up:
1. Open up Active Directory Users & Computers pointed to the domain the computer account resides in
2. From the “View” pull-down menu, make sure that “Advanced Features” is checked
3. Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
4. Open the Properties for the computer object
5. Choose the “Attribute Editor” tab on the Properties dialog box
6. Check the attributes dNSHostName & servicePrincipalName – anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the hostname you have configured when you go here on your server: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name
As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:
dNSHostName:
srv1.mydomainname.com
servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com
RestrictedKrbHost/SRV1
RestrictedKrbHost/srv1.mydomainname.com
TERMSRV/SRV1
TERMSRV/srv1.mydomainname.com"
Not reading it carefully, I added a computer with the same name as the PC having the issue and followed the above. The problem is that I did not notice that the SPN did not want the name of my server (serv1) but the name of the trouble PC.
dcdiag output
PS C:\Users\administrator.TOM> dcdiag.exe
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   ***Error: DC3 is not a Directory Server.  Must specify /s:<Directory Server> or  /n:<Naming Context> or nothing to
   use the local machine.
   ERROR: Could not find home server.
PS C:\Users\administrator.TOM> dcdiag.exe /s:DC2
Directory Server Diagnosis
Performing initial setup:
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site\DC2
      Starting test: Connectivity
         The host 9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM could not be resolved to an IP address. Check the DN
         server, DHCP, server name, etc.
         Neither the the server name (DC2.TOM) nor the Guid DNS name (9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM)
         could be resolved by DNS.  Check that the server is up and is registered correctly with the DNS server.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... DC2 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site\DC2
      Skipping all tests, because server DC2 is not responding to directory service requests.
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   Running partition tests on : TOM
      Starting test: CheckSDRefDom
         ......................... TOM passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... TOM passed test CrossRefValidation
   Running enterprise tests on : TOM
      Starting test: LocatorCheck
         ......................... TOM passed test LocatorCheck
      Starting test: Intersite
         ......................... TOM passed test Intersite
PS C:\Users\administrator.TOM> regsvr32 schmmgmt.dll
PS C:\Users\administrator.TOM> netdig /fix
netdig : The term 'netdig' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdig /fix
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (netdig:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> Setup /PrepareSchema
Setup : The term 'Setup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Setup /PrepareSchema
+ ~~~~~
    + CategoryInfo          : ObjectNotFound: (Setup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> netdiag /test
netdiag : The term 'netdiag' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdiag /test
+ ~~~~~~~
    + CategoryInfo          : ObjectNotFound: (netdiag:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> nslooup
nslooup : The term 'nslooup' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ nslooup
+ ~~~~~~~
    + CategoryInfo          : ObjectNotFound: (nslooup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM>

Ok fixed. 
At an elevated cmd prompt, run:
C:\Users\administrator.TOM>setspn -x
As you can see the DC serv1 had duplicate SPNs.
Checking domain DC=TOM
Processing entry 1
HOST/serv1.TOM is registered on these accounts:
        CN=SERV1,OU=Domain Controllers,DC=TOM
        CN=C00049,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/TOWN-HBWJ29ZOQC is registered on these ac
counts:
        CN=Administrator,CN=Users,DC=TOM
        CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/town-hbwj29zoqc.TOM is registered on thes
e accounts:
        CN=Administrator,CN=Users,DC=TOM
        CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
RestrictedKrbHost/serv1 is registered on these accounts:
        CN=C00049,CN=Computers,DC=TOM
        CN=SERV1,OU=Domain Controllers,DC=TOM
RestrictedKrbHost/serv1.TOM is registered on these accounts:
        CN=C00049,CN=Computers,DC=TOM
        CN=SERV1,OU=Domain Controllers,DC=TOM
found 5 groups of duplicate SPNs.
Went to the computers OU and changed computer c00049 to the correct SPN. Now I have a new issue; I'll start a new thread.
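
The duplicate listing above can be triaged mechanically. As an added example (not part of the original post), this PowerShell parses the `setspn -X` text as posted, console line wraps included, and flags accounts that hold a domain controller's SPN without bearing that host's name. `Get-DuplicateSpnHolder` and its `ShadowsDC` property are hypothetical names, and domain-controller status is assumed from the `OU=Domain Controllers` container in the DN.

```powershell
# setspn -X output copied from the post above, console line wraps included.
$setspnOutput = @'
Checking domain DC=TOM
Processing entry 1
HOST/serv1.TOM is registered on these accounts:
        CN=SERV1,OU=Domain Controllers,DC=TOM
        CN=C00049,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/TOWN-HBWJ29ZOQC is registered on these ac
counts:
        CN=Administrator,CN=Users,DC=TOM
        CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/town-hbwj29zoqc.TOM is registered on thes
e accounts:
        CN=Administrator,CN=Users,DC=TOM
        CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
RestrictedKrbHost/serv1 is registered on these accounts:
        CN=C00049,CN=Computers,DC=TOM
        CN=SERV1,OU=Domain Controllers,DC=TOM
RestrictedKrbHost/serv1.TOM is registered on these accounts:
        CN=C00049,CN=Computers,DC=TOM
        CN=SERV1,OU=Domain Controllers,DC=TOM
found 5 groups of duplicate SPNs.
'@

# Hypothetical helper (not a built-in cmdlet): emits one row per SPN/account pair.
function Get-DuplicateSpnHolder {
    param([Parameter(Mandatory)][string]$Text)

    $spn = $null      # SPN whose holders are currently being read
    $pending = ''     # header text accumulated across wrapped console lines
    $rows = foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s+(CN=.+)$') {
            $dn = $Matches[1].Trim()
            if ($spn) {
                # Compare the SPN's short host name with the account's own CN.
                $cn      = (($dn -split ',')[0]) -replace '^CN=', ''
                $spnHost = (($spn -split '/')[1]) -replace ':\d+$', ''
                [pscustomobject]@{
                    Spn         = $spn
                    Account     = $dn
                    NameMatches = (($spnHost -split '\.')[0] -eq $cn)
                    # Assumption: domain controllers sit in the default OU.
                    IsDC        = ($dn -match 'OU=Domain Controllers,')
                }
            }
        }
        elseif ($line -match '^(Checking domain|Processing entry|found \d+ group)') {
            $pending = ''                  # status line, not part of a header
        }
        elseif ($line.Trim()) {
            $pending += $line              # rejoins "...these ac" + "counts:"
            if ($pending -match '^(\S+) is registered on these accounts:$') {
                $spn = $Matches[1]
                $pending = ''
            }
        }
    }

    # Flag a holder when a DC owns the SPN and a differently named,
    # non-DC account carries the same SPN.
    foreach ($group in ($rows | Group-Object Spn)) {
        $dcHolds = [bool]($group.Group | Where-Object { $_.IsDC })
        foreach ($row in $group.Group) {
            $shadows = $dcHolds -and -not $row.IsDC -and -not $row.NameMatches
            $row | Add-Member -NotePropertyName ShadowsDC -NotePropertyValue $shadows -PassThru
        }
    }
}

Get-DuplicateSpnHolder -Text $setspnOutput |
    Where-Object { $_.ShadowsDC } |
    Format-Table Spn, Account -AutoSize
```

On a domain-joined machine the same function can read live data with `Get-DuplicateSpnHolder -Text (setspn -X | Out-String)`. A `NameMatches` value of false on a user or service account is a pointer for review only, since service accounts legitimately hold SPNs for hosts they run on.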

Similar Messages

  • Security database on the server doesn't have a computer account for this workstation trust relationship

    Hi,
    In our Windows Server 2008 R2 Standard, we are facing this error "Security database on the server doesn't have a computer account for this workstation trust relationship" on a regular basis. We have done the steps mentioned below to solve the issue:
    1. Disjoined the system from the domain & joined it again.
    2. Tested the computer secure channel connection.
    3. Checked the DNS settings of the server.
    4. Checked whether the computer account in AD is disabled or not.
    Everything was OK, but after doing the changes, again after 2 - 3 days we are facing the same error message.
    Please help to sort the issue on an urgent basis.

    When the error happens, can you check the computer account in your AD console (with Advanced Features on), to check the date it was updated and if the SID is the same? (objectSID and pwdLastSet)
    I guess someone tried to domain join a computer with the same name, and flushed your computer account at the same time.
    Regards, Philippe

  • Purchased film from iTunes and want to download to iPad. Getting error message. Attempting to copy to the disk "OS_Install" failed. You do not have enough access privileges for this operation. Any ideas?

    Purchased film from iTunes and want to download to iPad. Getting error message. Attempting to copy to the disk "OS_Install" failed. You do not have enough access privileges for this operation. Any ideas?


  • The iphone cannot be synced. you do not have enough access privileges for this operation

    The iPhone "Kyle's iPhone" cannot be synced. You do not have enough access privileges for this operation. What do I do?

    Thank you.
    I actually figured it out a while ago.
    Turns out it is not an issue with the iPhone or iTunes.
    By process of elimination I deduced it could be a permissions issue with the hard drive and/or folder that holds the contents of my Music Library.
    For example, if the "Sharing & Permissions" settings (found in the "Get Info" window) are set to "Read Only" on the internal or external drive that contains your Music Library for iTunes, then you cannot write to the disk. Therefore, you do not have privileges to make changes to the internal or external drive and you get the error message when you try to sync with the information on that drive.
    Here's the kicker and million dollar questions:
    How did the "Sharing & Permissions" settings get changed on my Hard Drive without me doing it?
    Why did my iPhone sync fine yesterday and suddenly today the Hard Drive is doing this?
    I have to set all privileges to all drives to "Read & Write" and that just doesn't seem very secure to me.

  • I am trying to sync my iPhone but I get an error message "the iphone cannot be synced you do not have enough access privileges for this operation"

    I have just installed iTunes on a Windows 8 OS and am trying to sync my iPhone, but it cannot import photos and comes up with the error message "you do not have enough access privileges for this operation"

    Hey there Opal4,
    It sounds like you are unable to use iTunes due to this error message about not having enough access privileges. According to the following article you may need to change the permissions on the file directly:
    These messages occur if permissions are incorrect on your designated music folder or on a folder inside your designated music folder. Permissions are settings that determine who can read, write to, or execute a file or folder on your computer. Every file and folder on your hard disk has an associated set of permissions.
    Example: If permissions are correct on your Music folder, but incorrect on the U2 folder inside your Music folder, you would be able to add other music to your iTunes library, but not that new U2 album.
    Windows XP:
    How to set, view, change, or remove file and folder permissions in Windows XP
    From: Trouble adding music to iTunes library or importing audio CD
              http://support.apple.com/kb/ts1387
    Thank you for using Apple Support Communities.
    Regards,
    Sterling

  • I have purchased Quicktime Pro and entered the registration key but does not operate.  Apple does not have a support tab for this so I'd appreciate any help.  I have Windows 7 Home.

    I have purchased Quicktime Pro and entered the registration code.  It indicates at it has been installed, but it does not run.  Any suggestions? 

    The trim to selection function is available and it appears to be working.  For now, I seem to be operable as Pro even though the header doesn't say so. Thanks.

  • Reactivating users via pwpolicy gives error "User does not have a shadowhash account"

    Hi All,
    I've got an OS X (10.8) server running Open Directory and File Sharing. We deal with a lot of freelance people, so accounts are often being deactivated and reactivated.
    A user is first created by submitting to an internal form that starts an AppleScript that creates the user account, password, and sets a hardExpireDateGMT that disables the account on the individual's out date. It also adds them to specific file sharing groups etc. This works perfectly for us.
    Our problem stems from when we "re-hire" people. Again an internal form is used to start an AppleScript. This script searches the OD for the user to make sure they actually have been in the system. If it finds the user it sets a new temp password, updates any contact info, and then uses "pwpolicy -enableuser" to re-enable the user. Our error occurs at the last step during the "enableuser". We get the error "User <username> does not have a shadowhash account". However, we can manually enable the user through Workgroup Manager.
    Is there a way to create the shadowhash account via the command line? Or is there a better way than pwpolicy to re-enable the user?
    Thanks!

    Hi,
    Here are a few Microsoft articles that provide the suggestions to troubleshoot this issue below:
    Error: The security database on the server does not have a computer account for this workstation trust relationship
    http://technet.microsoft.com/en-us/library/ee849847(WS.10).aspx
    Domain Controller does not allow interactive logon, shows error “The security database on the server does not have a computer account for this workstation trust relationship"
    http://support.microsoft.com/kb/2015518
    But if you cannot log onto the Windows Small Business Server with administrator permissions, it is hard for us to troubleshoot this issue. You may need to restore the system from backup. For the detailed steps, you may refer to the following Microsoft TechNet article:
    Recover the Operating System or the Full Server
    http://technet.microsoft.com/en-us/library/cc794282(v=WS.10).aspx
    Regards,
    Arthur Li
     TechNet Subscriber Support 

  • The Itunes library cannot be saved. You do not have enough access privileges for this operation, What does this mean?

    What does it mean when you receive a box that says " The Itunes library cannot be saved. You do not have enough access privileges for this operation"?

    See if these help
    the iphone cannot be synced. you do not have enough access privileges for this operation
    Re: access privileges ????
    Re: Access Privileges
    The iPhone "phonename" cannot be synced. You do not have enough access privileges for this operation

  • I am getting an error message saying: The iTunes library file cannot be saved.  You do not have enough access privileges for this operation.  What does this mean?

    Hi,
    Looking for some help.  I am getting the following error message on my itunes account:
    "The iTunes library file cannot be saved.  You do not have enough access privileges for the operation."
    Does anyone know why this is appearing and how to get rid of it?
    Thanks

    See if these help
    the iphone cannot be synced. you do not have enough access privileges for this operation
    Re: access privileges ????
    Re: Access Privileges
    The iPhone "phonename" cannot be synced. You do not have enough access privileges for this operation

  • "The iTunes Library file cannot be saved. You do not have enough access privileges for this operation"  What does this mean?

    Also why won't iTunes recognize my iPod Touch since updating to the latest version?  I have a PC and can no longer sync my iPod bc it never shows up under devices. 

    See if these help
    the iphone cannot be synced. you do not have enough access privileges for this operation
    Re: access privileges ????
    Re: Access Privileges
    The iPhone "phonename" cannot be synced. You do not have enough access privileges for this operation

  • New audio files receives error message from iTunes - You do not have enough access privileges for this operation.

    Every time a new audio file is downloaded onto my desktop (or if I double click on a new audio file), iTunes will no longer play it. It gives an error message stating: Attempting to copy to the disk "Mackintosh" failed. You do not have enough access privileges for this operation.
    Please can you help me to resolve this situation. I confess that I am not very computer savvy.

    Launch iTunes on the computer.
    From the iTunes menu bar click Store > Authorize This Computer
    Make sure to sign in using the same Apple ID used on the iPhone.
    Then sync your iPhone.

  • There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

    Good day Guys
    First of all, I am not an Exchange expert, and I might be asking a very stupid question, but please bear with me. :)
    While I was on leave our mail server fell over and the company got a specialist to help out for the time being.
    We were/are on Microsoft Exchange 2007, which fell over, and the specialist was able to recover as much data as he could.
    They then installed Exchange 2013 and tried to migrate everything from 2007 to 2013, and not everything migrated over.
    But the problem is, Outlook Anywhere was enabled on 2007 and worked 100% (before the disaster).
    With Exchange 2013 I get the following error message when trying to connect With Outlook 2013, using an external connection:
    "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"
    Outlook is unable to connect to the Proxy server. (Error Code 0)"
    Has anyone had the Similar when migrating over from 2007 to 2013 or is this an Issue on IIS and nothing to do with Exchange migration?
    Your assistance will be greatly appreciated.

    Hi,
    Firstly, I would suggest we use Exchange 2013 FE as the Outlook Anywhere proxy server.
    For the certificate issue, it mostly occurs because the host name that Outlook is trying to access does not match the certificate SAN. Please check with this point. If they do not match, you can change the host name by referring to the following article:
    https://support.microsoft.com/kb/940726/en-us?wa=wsignin1.0
    Thanks,
    Simon Wu
    TechNet Community Support

  • Exchange 2013 w/Outlook 2013 "The name of the security certificate is invalid or does not match the name of the site"

    I've completed an upgrade from Exchange 2003 to Exchange 2013 and I have one last SSL message that I can't get rid of. I've installed a 3rd party cert that is working great for webmail and cell phone access, but for some reason the Outlook 2010/2013 clients get prompted for a security warning. I just implemented the SSL cert yesterday and I've noticed that new installs of Outlook seem to work just fine. My Outlook 2013 client doesn't prompt me with the message but I have other users who are still getting the "The name of the security certificate is invalid or does not match the name of the site" error. The domain on the cert error shows up as server.mydomain.local. I've gone through all the virtual directories and pointed all of my internal and external URLs to https://mail.mydomain.com. This made one of the two warnings go away but not the second. I've dug around on Google and gone through everything I could find here, and as far as I can tell my internal and external URLs are configured properly and I can't figure out where this error is originating from. Any ideas on where I should look outside of the virtual directories?
    I'm including a good link I found that contains all of the virtual directories I updated.  I've checked them through both CLI and GUI and everything looks good.
    http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
    http://jaworskiblog.com/2013/04/13/setting-internal-and-external-urls-in-exchange-2013/

    Hi,
    When Outlook connects to Exchange 2013/Exchange 2010, the client connects to the Autodiscover service to retrieve Exchange service settings automatically from the server side. This feature is not available in an Exchange 2003 Outlook profile.
    Generally, when a mailbox is moved to Exchange 2013, Outlook connects to the server to automatically update this information. It needs time to detect and update the changes on the server side. I suggest we do the following setting for the Autodiscover service:
    Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.mydomain.com/autodiscover/autodiscover.xml
    Please restart the IIS service by running IISReset in a Command Prompt window after all configurations.
    Regards,
    Winnie Liang
    TechNet Community Support

  • The name of the security certificate is invalid or does not match the name of the site error?

    I am looking for some help folks. We are in a Outlook 2007/Exchange2010/Windows2008R2 environment.
    When users open Outlook off the network, and occasionally on the network, they get the error
    The name of the security certificate is invalid or does not match the name of the site error
    The CAS hostname is HRECAS.XXX.ORG. The URL that is listed on the SSL certificate (issued by VeriSign) is WEB.XXX.ORG. WEB.XXX.ORG is what users use to get to OWA and such.
    When I use testexchangeconnectivity.com, under certificate name validation I see an error that reads:
    Host name autodiscover.xxx.org doesn't match any name found on the server certificate CN=web.xxx.org.
    Does this mean somehow we have to add autodiscover.xxx.org on the certificate?
    I tried to add AutoDiscoverExternalUri using
    http://support.microsoft.com/?kbid=940726 &
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/2d0c0f5f-e4ec-4f33-a37d-b94fd7a2319f on the CAS server.
    Set-ClientAccessServer -identity HRECAS -AutodiscoverServiceExternalUri
     https://autodiscover.xxx.org/Autodiscover/Autodiscover.xml 
    I get an error that says
    "a positional parameter cannot be found that accepts argument '-AutoDiscoverExternalUri'.
    Can someone point out to me what I am doing wrong with the command and whether I should be concerning myself with adding that line? By the way, the InternalUrl information is already configured on the system. Also, should I edit the certificate to add autodiscover.xxx.org?
    Thanks in advance for your support.
    TD

    Hi Tapera,
    Thanks for the question.
    SRV record is a good idea. You can set the SRV to https://web.abc.com/autodiscover/autodiscover.xml but you must make sure the URL can be resolved from external clients.
    In addition, there is still an issue. It is hard coded that Outlook will find the autodiscover in the order below:
    1. Access autodiscover via SCP in AD.
    https://web.abc.com/autodiscover/autodiscover.xml
    2. If SCP access fails, it will try:
    https://abc.com/autodiscover/autodiscover.xml
    3. Then
    https://autodiscover.abc.com/autodiscover/autodiscover.xml
    4. Local XML file
    5. SRV record
    As you can see, Outlook will try the SRV record last. Therefore, it will still try to access https://autodiscover.abc.com/autodiscover/autodiscover.xml each time you run Outlook. Then the certificate warning will still persist.
    I have a workaround solution. You can do a local policy to disable the autodiscover access to https://autodiscover.abc.ocom/autodiscover/autodiscover.xml by:
    1. On the Outlook client machine, open regedit and add the following key:
    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Autodiscover
             "ExcludeHttpsAutodiscoverDomain"
             "ExcludeHttpsRootDomain"
    2. Then set the value to “1” on the above two keys.
    Thanks,
    Simon  

  • Outlook Security Alert - "the name on the security certificate is invalid or does not match the name of the site"

    Due to our company changing names, we recently moved to a new domain. All users were at first getting a certificate error when opening Outlook: "the name on the security certificate is invalid or does not match the name of the site." After our network admin made some changes, nobody receives this error anymore except one user. The URL at the top of the security alert is the old domain, mail.olddomain.com. I checked the user's Exchange Proxy Settings in Outlook; everything is showing the URLs of the new domain, so I'm not sure where this is coming from. I'm assuming it has to be something on her local machine since she is the only one who still gets the error.
    Thanks in advance for any help.
    Exchange server 2008
    Outlook 2010

    Hi,
    Please follow all above suggestions to confirm whether the issue happens in OWA. And run Test E-mail AutoConfiguration in Outlook to check whether there is any URL settings using the old domain.
    If the issue doesn’t happen in OWA and your URL configurations are all same as others and set correctly, please create a new Outlook profile to have a try.
    Thanks,
    Winnie Liang
    TechNet Community Support
