FIX: “The security database on the server does not have a computer account for this workstation trust relationship”

https://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/

I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post.  In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have seen around.  Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself.  Here are the steps I take to fix this issue when it crops up:

  • Open up Active Directory Users & Computers pointed to the domain the computer account resides in
  • From the “View” pull-down menu, make sure that “Advanced Features” is checked
  • Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
  • Open the Properties for the computer object
  • Choose the “Attribute Editor” tab on the Properties dialog box
  • Check the Attributes dNSHostName & servicePrincipalName – anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the hostname you have configured when you go here on your server: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name

As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:

dNSHostName:
srv1.mydomainname.com

servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com
RestrictedKrbHost/SRV1
RestrictedKrbHost/srv1.mydomainname.com
TERMSRV/SRV1
TERMSRV/srv1.mydomainname.com

If you find that any of these entries is incorrect, go ahead and fix them; once they all align correctly try logging in again.  After you make any changes, please remember that it may take up to a few minutes for those changes to replicate between all of the Active Directory domain controllers.  Adjusting these values usually works to get me past the error without a reboot in our environment.