Problem Connecting a Computer to a Domain

barmstrong

Senior member
Sep 4, 2001
291
0
0
When trying to connect a Windows 2000 computer to an NT4 domain I get this error:

Your computer could not be joined to the domain because the following error has occurred: The security database on the server does not have a computer account for this workstation trust relationship.

I'm a newbie when it comes to domains since all of the normal users I support are remote users. I go into My Computer properties and Network Identification and add the computer to the domain, and it does prompt for a username and password, then they get that error message. Can someone tell me what I need to have them check/change in order to get the comp to connect to the domain? Thanks!
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
It's been a while since I've worked in an NT 4.0 domain. Mainly I gear myself toward 2k, but I can take a poke at this.
One thing is certain: your computer does not have an account in the domain you are attempting to join.
Generally, an account is created during the process of joining the Domain. When you are asked for credentials it is asking for a user account with the right to create a computer account in the domain you are attempting to join.

There could be a couple of reasons this is happening:
1) The account you are using is not a Domain Admin account.
2) If it is an Admin account, it may have had the right to create computer accounts/join computers to the domain specifically denied to it.
3) The box you are attempting to join to the domain cannot reach the PDC for that domain.


I would suggest:
1) Use an Admin account
2) Make sure that Admin account has the right to add computers to the domain
3) Make sure you can ping the PDC by name and IP.
 

barmstrong

I called them and explained what they needed to do, and now all of a sudden they are not being prompted for a username and password. They can ping the server and it shows up in My Network Places, but they can't connect for it to prompt for a username and password. :|
 

Saltin

What is the name of the domain and what are you entering into the domain name box when you attempt to join?

You usually shouldn't put the Fully Qualified Domain Name in, just the name of the actual domain.

For example, if it is called hello.goodbye.com, you should enter only "hello" or "goodbye", depending on which you want to join.
 

barmstrong

The name of the actual domain, exactly what I put in yesterday that made it connect. Now no prompt for password.
 

cfjohnsn

Junior Member
Dec 7, 2001
3
0
0
The easiest thing to do is to have your admin go into Server Manager to delete the PC's account (if it was ever created), then create a computer account for you, and then try to join the domain again. That will usually solve the problem.
 

phatcow

Platinum Member
Nov 25, 2000
2,266
0
0
First, log on locally to the machine, not to the domain. Then change the mode of the workstation from using a domain to using a workgroup temporarily.
Then reboot.
Then go into your NT4 PDC (or BDC for that matter) and delete your old computer account that was there, if there even is one.

Now go back to your workstation, which should be fully rebooted by now, and then change the mode back to Domain mode. When you type in your domain and click OK, it will prompt you to enter a domain account with proper permissions to add a computer in the domain, usually an administrator. Now it will say welcome to domain. Now reboot.

You're done.
 

barmstrong

Thanks everyone. I had them change the workgroup name to temp, delete the user account off the server, create a new user account, reboot the machine, change to the correct domain, and got the prompt this time, then had the admin log on and it worked.
 

barmstrong

A new problem arose. I can't seem to get a straight answer as to how the network is set up. I'm assuming they use roaming profiles because once he logged into the domain, he had the generic empty desktop. At that point he also seemed to lose administrative ability over his machine. I had him log in as administrator on his local machine and he could do everything he needed, then when he logged into the domain again he lost all the functionality. Is his control over the machine controlled by the server? Does he need to be made a power user on the network in order to be able to make changes to his local computer?

Also, when a laptop leaves a domain, do you have to have a separate local account on the computer? Or can you still log in to Windows with your regular domain account? Should we delete the local accounts after the domain account is configured?

Thanks.
 

Saltin

Domain accounts are authenticated against a DC. If a laptop is not connected to the network you should have them log on to a local account.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Shouldn't the laptop have a cached domain account when it's disconnected? I can still log into my domain account on the laptop even though it's not connected.
 

barmstrong

Does the domain account control access to your own computer? Like, if you aren't a power user on the domain you can't do much to your own PC?
 

Saltin

Yep, it caches the account. It's still best practise to use a local account though. It makes things clearer for the computer. It knows it isn't on a domain and it tends to speed things up a tad. Notice I didn't say "they HAVE to log onto a local account"; I just said they likely should.

Barmstrong, generally the group that your user account is in will define what you can and cannot do with your computer. The "Users" group can do just about nothing in 2k. It can be a headache for admins. Power user accounts generally require less babysitting, but you should also trust the user's judgement and computing abilities. Power users can destroy their OS if they aren't careful. You would have to try very hard as a simple user to do likewise.
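
An added example, not part of the original thread: the group-membership point above, as a batch script run on the workstation itself while logged on as a local administrator. On a domain-joined Windows 2000 machine, rights on that machine come from its local groups (Administrators, Power Users, Users), and a domain account can be placed in one of them locally. The script name and `EXAMPLEDOM\jdoe` are placeholders.

```batch
@echo off
rem Added example (not from the thread). Run on the workstation as a local administrator.
rem Usage:  localrights.cmd EXAMPLEDOM\jdoe "Power Users"
rem EXAMPLEDOM\jdoe is a placeholder domain account; the second argument is a local group.
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 DOMAIN\user "Local group"
    exit /b 1
)
set "ACCOUNT=%~1"
set "GROUP=%~2"

rem Show who currently holds elevated rights on this machine.
rem After a domain join, Domain Admins normally appears under Administrators.
echo --- Local Administrators ---
net localgroup Administrators
echo --- Local %GROUP% ---
net localgroup "%GROUP%"
if errorlevel 1 (
    echo Local group "%GROUP%" was not found on this machine.
    exit /b 1
)

rem Add the domain account only if it is not already a member,
rem so repeated runs do not produce "already a member" errors.
net localgroup "%GROUP%" | find /i "%ACCOUNT%" >nul
if errorlevel 1 (
    net localgroup "%GROUP%" "%ACCOUNT%" /add
    if errorlevel 1 (
        echo Could not add %ACCOUNT% to "%GROUP%". Check the account name and that the domain is reachable.
        exit /b 1
    )
    echo Added %ACCOUNT% to "%GROUP%" on this machine only.
) else (
    echo %ACCOUNT% is already a member of "%GROUP%".
)

endlocal
```

The change affects only the machine the script runs on; the account's rights in the domain and on other workstations are untouched.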