The trust relationship between this workstation and the primary domain failed.

Hi,

We are facing an issue where most of the clients have problems logging into the system. They get the error 'The trust relationship between this workstation and the primary domain failed.' and it doesn't allow users to log on to the machine. But after trying 2-3 times or after restarting the machine it allows them to log on to the machine using the same credentials and ID. Also, the hostname and user IDs exist on the DC.

While running the test from the client logon:

nltest /sc_query:abc.com
Flags: 0
Trusted DC Name:
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully.

I get the above result.

Please help.

January 14th, 2015 5:07am

Hi,

Refer to this post; it seems to be the same issue.

http://community.spiceworks.com/topic/575567-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed

January 14th, 2015 5:54am

Hi Prabhu,

Thanks for your reply. However, I didn't find any permanent solution.
The URL linked above only has temporary solutions, which are not possible to run on every client manually.

Regards,
NS

January 14th, 2015 6:32am

Hi,

Did you introduce Server 2012, or did a profile migration happen recently? If so, you have to point the LDAP priority.

If you are using any third-party software, you have to re-enable the trust between forests.

January 14th, 2015 6:41am

Hi NMselvaraja,

We are using Windows 2008 R2 Enterprise & Standard as our DCs, and we have not performed any profile migration activity.

It was working fine earlier, but for the last few months we have been getting such errors.

Best Regards,

NS

January 14th, 2015 6:57am

Are you sure that your DCs are in a healthy state and your AD replication works with no problem? I would recommend checking that using the dcdiag and repadmin commands.

I would also recommend that you follow the recommendations I mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx

January 14th, 2015 8:52am

Hi Nilkantha,

To determine the cause of trust relationship problems
  1. Log on with a local account.

  2. Set Net Logon flags by using the Nltest tool as follows:
    nltest /dbflag:0x2000ffff.

  3. Run nltest as follows: nltest /sc_reset:<domain name to which you think your computer is joined>.
    The %windir%\debug\netlogon.log explains why the secure channel setup is not possible. One possible reason is that SYSVOL isn't ready on the computer. By examining the Netlogon.log file, you can find the following error:

    08/30 10:15:19 [MAILSLOT] Returning paused to '<Domain>' since: SysVol not ready

http://technet.microsoft.com/en-us/library/cc961803.aspx

Thanks,

Umesh.S.K

  • Proposed as answer by Umesh S K Friday, January 16, 2015 5:55 AM
January 14th, 2015 11:11am
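The three-step procedure above (enable Netlogon debug logging, reset the secure channel, read netlogon.log), automated so it can be run on several affected clients and the output compared. This is an added example and is not code from the original thread or from the linked TechNet article. Assumptions of mine: PowerShell 3.0 or later, the domain name abc.com taken from the first post, the default %windir%\debug\netlogon.log path, and the list of failure patterns in $patterns. Setting the DBFlag value with nltest ordinarily takes effect without a restart; if the log file still does not appear after the reset, the script restarts the Netlogon service once and repeats the reset. Run it from an elevated prompt while logged on with a local account, as step 1 says.

```powershell
# Added example (not part of the original thread): gather Netlogon debug output on a
# client whose secure channel is failing, automating the nltest steps above.
# Run from an elevated PowerShell prompt while logged on with a LOCAL account.
# Assumptions (mine, not the thread's): PowerShell 3.0+, $Domain = abc.com from the
# first post, the %windir%\debug\netlogon.log path, and the $patterns list.

$Domain  = 'abc.com'
$LogPath = Join-Path $env:windir 'debug\netlogon.log'

# 1. Enable verbose Netlogon logging (same flag value as in the post above).
#    Ordinarily this takes effect without a service restart.
nltest /dbflag:0x2000ffff | Out-Null

# 2. Reset, then re-query, the secure channel and keep nltest's own verdict.
$reset = (nltest /sc_reset:$Domain 2>&1) -join ' '
$query = (nltest /sc_query:$Domain 2>&1) -join ' '

# If nothing was written, restart Netlogon so the DBFlag value is picked up,
# then repeat the reset once so the log captures a fresh attempt.
if (-not (Test-Path $LogPath)) {
    Restart-Service Netlogon
    $reset = (nltest /sc_reset:$Domain 2>&1) -join ' '
}

# 3. Keep only the lines that explain a failure. Each netlogon.log line starts with
#    MM/DD HH:MM:SS and a bracketed component such as [CRITICAL] or [MAILSLOT].
$patterns = 'Returning paused', 'ACCESS_DENIED', 'NO_TRUST', 'NO_LOGON_SERVERS',
            'Could not', 'failed', '\[CRITICAL\]'
$hits = Select-String -Path $LogPath -Pattern $patterns -ErrorAction SilentlyContinue |
        Select-Object -Last 40 | ForEach-Object { $_.Line }

# 4. Turn debug logging back off so the log does not keep growing.
nltest /dbflag:0x0 | Out-Null

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    ScReset  = $reset
    ScQuery  = $query
    LogLines = $hits
} | Format-List
```

The sc_query status in the first post (0x5 ERROR_ACCESS_DENIED) describes the channel the client already had; sc_reset forces a new one and the log lines written during that attempt are the part worth pasting back into the thread.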

Hi Ahmed,

This is the output from the RDC server and everything seems fine, but sometimes messages appear like "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems." Right now, though, everything passes.

In RDC:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ABCSERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: HO-Sites\ABCSERVER
      Starting test: Connectivity
         ......................... ABCSERVER passed test Connectivity

Doing primary tests

   Testing server: HO-Sites\ABCSERVER
      Starting test: Advertising
         ......................... ABCSERVER passed test Advertising
      Starting test: FrsEvent
         ......................... ABCSERVER passed test FrsEvent
      Starting test: DFSREvent
         ......................... ABCSERVER passed test DFSREvent
      Starting test: SysVolCheck
         ......................... ABCSERVER passed test SysVolCheck
      Starting test: KccEvent
         ......................... ABCSERVER passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ABCSERVER passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... ABCSERVER passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ABCSERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... ABCSERVER passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ABCSERVER passed test ObjectsReplicated
      Starting test: Replications
         ......................... ABCSERVER passed test Replications
      Starting test: RidManager
         ......................... ABCSERVER passed test RidManager
      Starting test: Services
         ......................... ABCSERVER passed test Services
      Starting test: SystemLog
         ......................... ABCSERVER passed test SystemLog
      Starting test: VerifyReferences
         ......................... ABCSERVER passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : abc
      Starting test: CheckSDRefDom
         ......................... abc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... abc passed test CrossRefValidation

   Running enterprise tests on : abc.com
      Starting test: LocatorCheck
         ......................... abc.com passed test LocatorCheck
      Starting test: Intersite
         ......................... abc.com passed test Intersite


On the other additional domain controllers, some error messages appear as shown below:

In ADC1:

      Starting test: SystemLog
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 01/14/2015   17:49:09
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         ......................... ADC1 passed test SystemLog

In ADC2: 

      Starting test: SystemLog
         An error event occurred.  EventID: 0x00009018
            Time Generated: 01/14/2015   17:15:33
            Event String:
            The following fatal alert was generated: 48. The internal error state is 552.
         An error event occurred.  EventID: 0x00009012
            Time Generated: 01/14/2015   17:15:33
            Event String:
            The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
         An error event occurred.  EventID: 0x00009018
            Time Generated: 01/14/2015   17:15:33
            Event String:
            The following fatal alert was generated: 48. The internal error state is 552.
         An error event occurred.  EventID: 0x00009012
            Time Generated: 01/14/2015   17:15:33
            Event String:
            The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

            Time Generated: 01/14/2015   17:45:23
            Event String:
            The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
         ......................... ADC2 failed test SystemLog

Best Regards,

NS

January 14th, 2015 12:38pm

Your DCs look OK.

I would recommend that you refer to that for troubleshooting: http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx

Mainly check that you create your clients from a sysprepped image. You might also need to temporarily disable the security software in use for testing.

January 14th, 2015 1:15pm

Hi Nilkantha,

Did you perform the test on the client machine as I mentioned above? Can you post the netlogon.log messages?

Thanks,

Umesh.S.K

January 14th, 2015 5:20pm

Hi Nilkantha,

Any update on the issue?

Thanks,

Umesh.S.K

January 16th, 2015 2:08pm

Hi,

Thanks for your reply. However, I didn't find any permanent solution.

To find a permanent solution, we need to find out the cause of the issue.

Could you recall which changes were made before the issue occurred?

Did these problematic clients stay offline for more than 30 days (or another fixed number of days)?

If there is any third-party software installed, please disable it temporarily to see if the issue persists.

Best Regards,

Amy

January 19th, 2015 7:53am
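Amy's question about the 30-day window refers to the machine account password, which Netlogon rotates on a schedule set by the MaximumPasswordAge value (30 days by default) unless DisablePasswordChange is set. In a domain with several DCs, a client that changes its password against one DC and then authenticates to another before the change has replicated gets exactly this error until replication catches up, which fits an intermittent "works after a few tries" pattern. The script below, an added example that is not from the original thread, reads those two Netlogon settings on the client and then asks every DC in the domain for the computer object's pwdLastSet so the values can be compared. Assumptions of mine: PowerShell 3.0 or later, LDAP reachable on each DC from the client, and a computer object named after the local hostname; nothing here is specific to abc.com.

```powershell
# Added example (not part of the original thread): on a client, compare the machine
# account's password age as seen by every DC, alongside the local Netlogon
# password-change settings. Assumes PowerShell 3.0+ and LDAP access to each DC.
# Run as an administrator on an affected client.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $params
# Both values are optional in the registry; 30 days and "not disabled" are the defaults.
$maxAgeDays = if ($null -ne $p.MaximumPasswordAge)    { $p.MaximumPasswordAge }        else { 30 }
$disabled   = if ($null -ne $p.DisablePasswordChange) { [bool]$p.DisablePasswordChange } else { $false }

"Netlogon: MaximumPasswordAge={0} days, DisablePasswordChange={1}, LOGONSERVER={2}" -f `
    $maxAgeDays, $disabled, $env:LOGONSERVER

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$sam    = "$env:COMPUTERNAME$"   # computer accounts are sAMAccountName HOST$

$rows = foreach ($dc in $domain.DomainControllers) {
    try {
        # Bind to this specific DC, not to whichever one the locator picks.
        $root = [adsi]"LDAP://$($dc.Name)/RootDSE"
        $nc   = $root.defaultNamingContext
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot = [adsi]"LDAP://$($dc.Name)/$nc"
        $s.Filter     = "(&(objectCategory=computer)(sAMAccountName=$sam))"
        [void]$s.PropertiesToLoad.AddRange([string[]]@('pwdLastSet', 'userAccountControl'))
        $r = $s.FindOne()
        if ($null -eq $r) { throw 'computer object not found on this DC' }

        # pwdLastSet is a FILETIME stored as a large integer.
        $pls = [DateTime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
        [pscustomobject]@{
            DC         = $dc.Name
            PwdLastSet = $pls
            AgeDays    = [int]((Get-Date) - $pls).TotalDays
            UAC        = $r.Properties['useraccountcontrol'][0]
        }
    } catch {
        [pscustomobject]@{ DC = $dc.Name; PwdLastSet = $null; AgeDays = $null
                           UAC = "ERROR: $($_.Exception.Message)" }
    }
}
$rows | Format-Table -AutoSize

# More than one distinct pwdLastSet across DCs means the last password change has not
# replicated everywhere yet; a client authenticating to a DC with the old value fails.
$distinct = @($rows | Where-Object PwdLastSet | Select-Object -ExpandProperty PwdLastSet |
              Sort-Object -Unique).Count
if ($distinct -gt 1) {
    Write-Warning "pwdLastSet differs across DCs ($distinct values): suspect replication lag"
}
if ($rows | Where-Object { $_.AgeDays -gt $maxAgeDays }) {
    Write-Warning "machine password older than MaximumPasswordAge on at least one DC"
}
```

If the warning about differing pwdLastSet values fires on the clients that fail, the DC-side replication checks suggested earlier in the thread (dcdiag, repadmin) are the next place to look; if every DC agrees but the channel still fails, the netlogon.log from the sc_reset procedure is the better source.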

Hi Amy,

Sorry, I can't pinpoint exactly when this error started coming.

No, those client machines that are connected to the DC daily are also getting these errors.

Is this issue related to DHCP? Last month we enabled DHCP on the ADC & RDC as primary and secondary DHCP servers, and the DHCP IP range is different from the LAN IP range. Is there any link to this?

Best Regards,
NS

January 20th, 2015 5:21am

Sorry Umesh S.K,

I was on leave and could not reply. 

Do I need to run this command on client machine or server machine? 
Run nltest as follows: nltest /sc_reset:<domain name to which you think your computer is joined>

Regards,

NS

January 20th, 2015 5:37am

Hi Nilkantha,

Run this command on a couple of your client machines and post the result.

Thanks,

Umesh.S.K

January 20th, 2015 5:44am

Hi Umesh,

I have run the command that you suggested above.

The above screen shows the command was executed successfully, but there is no log written to the 'netlogon.log' file. Please let me know if further debug parameters need to be enabled or anything else.

Best Regards,
NS.

March 16th, 2015 12:14am

This topic is archived. No further replies will be accepted.
