{"id":642,"date":"2011-02-18T13:56:29","date_gmt":"2011-02-18T13:56:29","guid":{"rendered":"http:\/\/www.kozeniauskas.com\/itblog\/?p=642"},"modified":"2011-02-18T13:58:21","modified_gmt":"2011-02-18T13:58:21","slug":"error-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship","status":"publish","type":"post","link":"http:\/\/www.kozeniauskas.com\/itblog\/2011\/02\/18\/error-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship\/","title":{"rendered":"Error: The security database on the server does not have a computer account for this workstation trust relationship"},"content":{"rendered":"

<\/a>\u00a0I had to change the Primary DNS suffix to some servers. To do that the server were moved to a separate OU and a Group Policy was applied to that OU to change the DNS suffix.
\nI’ve issued gpupdate \/force <\/strong>command on the servers and restarted them. After restart I was not able to login to some of them with my domain credentials. Only servers with Windows Server 2008 were having this problem. Windows 2003 servers were running as expected. The error that I was getting was:\u00a0The security database on the server does not have a computer account for this workstation trust relationship.\"\"<\/a><\/strong>
\n
\nI was able to login to the servers with local admin account.
\nOn Technet I found the following article it is a security measure that was introduced in later operating systems(Vista, Windows 7, Windows 2008):
\nhttp:\/\/technet.microsoft.com\/en-us\/library\/ee849847(WS.10).aspx<\/a><\/p>\n

I have not tried to recreate the trust as described in the article but instead I add Service Principal Name (SPN).
\nOriginally FQDN of my server was\u00a0server1.domain.local<\/strong> after adding primary DNS suffix the FQDN become server1.subdomain.domain.local<\/strong>. So I had to add this HOST SPN.<\/p>\n

There are 2 ways to add SPN, using setspn <\/strong>command or through ADSI Edit<\/strong> console.
\nLogin to the domain controller on the domain to which the server is joined to.
\nsetspn way:
\n<\/strong>\u00a0 in command prompt type:
\n\u00a0 setspn -L server1
\n\u00a0 server1<\/strong> is\u00a0the host name that is having problems.
\n\u00a0 The command sould show you all the SPNs\u00a0for this server, like this:
\n\u00a0 Registered ServicePrincipalNames for CN=SERVER1,OU=Servers,DC=DOMAIN,DC=local:
\n\u00a0\u00a0\u00a0 \u00a0 HOST\/SERVER1
\n\u00a0\u00a0\u00a0\u00a0\u00a0 HOST\/SERVER1.DOMAIN.local<\/em><\/p>\n

\u00a0 As you can see the SPN with the new DNS suffix is missing and this is why you are getting the error when trying to login.
\n\u00a0 To add the new SPN type:
\n\u00a0 setspn -A HOST\/SERVER1.SUBDOMAIN.DOMAIN.local server1<\/strong><\/p>\n

\u00a0 to confirm that SPN was added type the firs command again and you should see this:
\n\u00a0 Registered ServicePrincipalNames for CN=SERVER1,OU=Servers,DC=DOMAIN,DC=local:
\n\u00a0\u00a0\u00a0 \u00a0 HOST\/SERVER1.SUBDOMAIN.DOMAIN.local
\n\u00a0\u00a0\u00a0\u00a0\u00a0 HOST\/SERVER1
\n\u00a0 \u00a0\u00a0\u00a0 HOST\/SERVER1.DOMAIN.local<\/em><\/p>\n

ADSI console\u00a0way:
\n<\/strong>open ADSI edit by typing adsiedit.msc<\/strong> in run or command prompt.
\nNow you need to find the computer object that is having the problems. Because my server1<\/strong> is in Servers OU<\/strong> the path was:
\nDomain [DC.domain.local]\\OU=Servers
\n<\/strong>There I can see an object called CN=server1<\/strong> right click on it and select properties
\nNo find and select servicePrincipalName<\/strong> and click Edit<\/strong> button.
\nIn the Values to add field type:
\nHOST\/SERVER1.SUBDOMAIN.DOMAIN.local
\n<\/strong>click on\u00a0Add<\/strong> button
\nClose all the windows by click OK <\/strong>button.<\/p>\n

That’s it you should be able now to login ot server. You only need to use one method(setspn or ADSI edit).
\nAlso depending on your domain environment the change my not work straight away give it some time to replicate the change.<\/p>\n","protected":false},"excerpt":{"rendered":"

\u00a0I had to change the Primary DNS suffix to some servers. To do that the server were moved to a separate OU and a Group Policy was applied to that OU to change the DNS suffix. I’ve issued gpupdate \/force command on the servers and restarted them. After restart I was not able to login […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,5],"tags":[359,358,288],"_links":{"self":[{"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/posts\/642"}],"collection":[{"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/comments?post=642"}],"version-history":[{"count":4,"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/posts\/642\/revisions"}],"predecessor-version":[{"id":646,"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/posts\/642\/revisions\/646"}],"wp:attachment":[{"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/media?parent=642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/categories?post=642"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.kozeniauskas.com\/itblog\/wp-json\/wp\/v2\/tags?post=642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}