Active Directory 2008R2 intermittent password change not working

Hi,

We are currently having a problem with users' passwords that have reached the renewal period and cannot be changed. They get an error message: "The security database on the server does not have a computer account for this workstation trust relationship."

The computers used to change the passwords are all different and sometimes it works.

This leads me to believe that it's not related to one specific computer but rather to a domain controller which is having the issue. So we tried to isolate the DC by changing the SRV record by way of the LdapSrvPriority registry key. Some admins are now able to change their passwords, but we are still having the problem with other admins, Citrix password reset and via RES.

There are several problems listed in DCDiag; I have noticed many SPN entries and a cleanup is planned. However, the main issue I'm trying to solve is the password change one.

How can we troubleshoot this?

Is there a way to see which users are being authenticated on which server for ALL the users in AD?

I found this PS script but it accepts only 1 user: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771

I tried to modify it with Get-Content but failed.

The idea was to verify which users logged in / authenticated on which server and let them try to change the password, to see which DC was used when it works.

Any help/ideas would be appreciated.

August 27th, 2015 9:33am

Hi,

For last logon date and expired date data run following script:

Get-ADUser -Filter * -Properties * |
    Select-Object Name, SamAccountName, PasswordExpired, PasswordLastSet, LastLogonDate, Enabled, DistinguishedName, DisplayName, GivenName, Surname |
    Export-Csv C:\output.csv -NoTypeInformation

To get logon server DC name as given below:

cls
Remove-Item "C:\logon.txt" -ErrorAction SilentlyContinue

# THESE 2 LINES NEED TO BE CHANGED
$domain   = "'domainhere'"            # change to your domain name (keep the inner quotes: the value is used inside the WMI filter below)
$location = 'OU=???,DC=??,DC=??'      # location of devices to be checked

$computers = Get-ADComputer -Filter * -SearchBase $location -ErrorAction SilentlyContinue
$computers = $computers | Sort-Object Name
foreach ($computer in $computers) {
    $Shortname = $computer.Name
    # one ping with a boolean result, so offline machines do not stall the loop
    $status = Test-Connection $Shortname -Count 1 -Quiet -ErrorAction SilentlyContinue
    if ($status) {
        echo "Checking Computer $Shortname "
        # Win32_NTDomain reports the DC this workstation currently holds its secure channel with
        $result = (Get-WmiObject -Class win32_ntdomain -Filter "DomainName = $domain" -ComputerName $Shortname -ErrorAction SilentlyContinue).DomainControllerName
        if ($result -ne $null) {
            echo "Computer $Shortname which has result = $result "
            echo "Computer $Shortname which has result = $result " >> c:\logon.txt
        }
    } else {
        echo "Computer $Shortname appears to be offline"
    }
}

August 27th, 2015 9:56am

Thanks Purvesh,
Your script works but unfortunately that's not what I was looking for.
What I need is which domain controller authenticated all the users in AD.

The code below from MALEK Ahmed works but requires manual input, and using $users = Get-Content .\userlist.txt does not work.

###############################################################
# Get_User Last_Logon_v1.1.ps1
# Version 1.1
# Changelog : n/a
# MALEK Ahmed - 17 / 03 / 2013
###################

##################
#--------Config
##################

$domain = "put domain name here"

##################
#--------Main
##################

Import-Module ActiveDirectory
# cls
"The domain is " + $domain
$samaccountname = Read-Host 'What is the User samaccountname?'
"Processing the checks ..."
# lastLogon is not replicated between DCs, so every DC of the domain has to be queried individually
$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domaincontrollers = $myForest.Sites | ForEach-Object { $_.Servers } | Select-Object Name
$RealUserLastLogon = $null
$LastusedDC = $null
$domainsuffix = "*." + $domain      # only query the DCs that belong to the configured domain
foreach ($DomainController in $domaincontrollers)
{
    if ($DomainController.Name -like $domainsuffix)
    {
        $UserLastlogon = Get-ADUser -Identity $samaccountname -Properties LastLogon -Server $DomainController.Name
        # a DC that never saw this user log on has no value (or 0); skip it instead of reporting 1601-01-01
        if ($UserLastlogon.LastLogon -gt 0 -and $RealUserLastLogon -le [DateTime]::FromFileTime($UserLastlogon.LastLogon))
        {
            $RealUserLastLogon = [DateTime]::FromFileTime($UserLastlogon.LastLogon)
            $LastusedDC = $DomainController.Name
        }
    }
}
"The last logon occurred the " + $RealUserLastLogon + ""
"It was done against " + $LastusedDC + ""
# $mesage = "............."
# $exit = Read-Host $mesage
Write-Host "Done..."
###############################################################


Additionally, I need to find a way to troubleshoot the "The security database on the server does not have a computer account for this workstation trust relationship" error message.

Tnx

August 27th, 2015 11:24am
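The single-user script above can be generalized to the whole directory. The following is an added example, not code from the thread or from MALEK Ahmed's script: it reads sAMAccountNames from a file when one exists (or takes every enabled user otherwise), asks every DC in the domain for its copy of the non-replicated lastLogon attribute, and reports the DC holding the newest value. The domain name and file paths are placeholders; it assumes the RSAT ActiveDirectory module and rights to query all DCs.

```powershell
# Added example, not part of the original thread. Reports, for many users at once,
# the DC that recorded the most recent lastLogon. lastLogon is not replicated, so
# each DC must be queried separately (lastLogonTimestamp is replicated but only
# accurate to roughly 9-14 days, which is too coarse for this purpose).
Import-Module ActiveDirectory

$Domain       = 'corp.example.com'   # placeholder: your AD DNS domain name
$UserListPath = '.\userlist.txt'     # optional: one sAMAccountName per line
$ReportPath   = '.\user-lastlogon-dc.csv'

# All writable and read-only DCs of the domain, by DNS host name
$DCs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object -ExpandProperty HostName

if (Test-Path $UserListPath) {
    $Users = Get-Content $UserListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
} else {
    $Users = Get-ADUser -Filter 'Enabled -eq $true' -Server $Domain |
             Select-Object -ExpandProperty SamAccountName
}

$Report = foreach ($User in $Users) {
    $Best = $null; $BestDC = $null
    foreach ($DC in $DCs) {
        try {
            $Raw = (Get-ADUser -Identity $User -Properties lastLogon -Server $DC -ErrorAction Stop).lastLogon
        } catch {
            # an unreachable or lagging DC is itself useful information when chasing a bad DC
            Write-Warning "Could not query $User on ${DC}: $($_.Exception.Message)"
            continue
        }
        # 0 / empty means this DC never authenticated the user; skip it
        if ($Raw -and $Raw -gt 0) {
            $When = [DateTime]::FromFileTime($Raw)
            if (-not $Best -or $When -gt $Best) { $Best = $When; $BestDC = $DC }
        }
    }
    [PSCustomObject]@{
        SamAccountName = $User
        LastLogon      = $Best
        LastLogonDC    = $BestDC
    }
}

$Report | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

The LastLogonDC column identifies the DC that last authenticated each user, not necessarily the one that processed a failed password change; comparing the distribution of DCs between users whose password change succeeded and those whose change failed is what narrows the suspect DC.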

Additionally, I need to find a way to troubleshoot the "The security database on the server does not have a computer account for this workstation trust relationship" error message.

Hi,

Please check these articles below:

Error: The security database on the server does not have a computer account for this workstation trust relationship

https://technet.microsoft.com/en-us/library/ee849847(v=ws.10).aspx

How to Resolve the 'Trust relationship has been lost with domain controller' Error (dsforum2wiki)

http://social.technet.microsoft.com/wiki/contents/articles/2227.how-to-resolve-the-trust-relationship-has-been-lost-with-domain-controller-error-dsforum2wiki.aspx

Best Regards,

Amy

September 8th, 2015 5:43am

Thanks Amy,

We have now solved it.

- Apparently the DCs were not updated since 2011.

- GPOs were not being replicated.

- One DC is so old that it takes almost 35 minutes to reboot.

After updating all 3 servers the problem seems to be gone.

September 8th, 2015 9:34am

Hi,

Glad to hear that you have found a solution and thank you for sharing with us!

Your solution is very beneficial to others who have similar issues.

Please feel free to let us know if there are any further requirements.

Best Regards,

Amy

September 8th, 2015 9:29pm
