I have been playing with my own little AD domain sandbox in Hyper-V and came across this error when trying to log on to a domain member server using an account with Domain Admin rights:
“The security database on the server does not have a computer account for this workstation trust relationship”
This is strange because my setup is not very complicated: just one forest DC, one domain DC and a member server. Of course, the first thing I tried was to reset the computer account and also to rejoin the server to the domain, which didn't work.
From virtualcurtis' blog, the workaround is to fix two AD computer account attributes: dNSHostName and servicePrincipalName. But why would it even happen in the first place? Usually, this happens due to either a secure channel issue or a computer account reset issue.
Anyway, I checked the attributes for the computer account and sure enough, both values were blank. To prove the point, I unjoined the server, deleted the computer account and rejoined. Still the computer account came back with these two blank attributes. So I added the attribute values manually, but when I tried to commit the SPN values, it complained of duplicates.
The problem became obvious to me: SPNs must be unique within a forest. This server was previously joined to the forest! And sure enough, I found the computer account still lingering in the ADUC of the forest! I deleted the computer account in the forest, rejoined the member server to the domain and the issue was resolved.
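The check I would have liked to run first, as an added example (not from the original post or from virtualcurtis' blog): read the two attributes off the member server's computer account and then ask a Global Catalog whether any other object in the forest already holds the SPNs a domain join writes. The computer name MEMBER01 and the DNS domain corp.example.com are placeholders, and the script assumes the RSAT ActiveDirectory module and an account with read rights on the forest.

```powershell
# Added example (not from the original post): check a member server's computer
# account for the two attributes the post names, then look for the same SPNs on
# any other object in the forest (the duplicate that blocked the manual fix).
# Assumes the ActiveDirectory module (RSAT) and a domain account with read rights.
# 'MEMBER01' and 'corp.example.com' are placeholder names.
param(
    [string]$ComputerName = 'MEMBER01',
    [string]$DnsDomain    = 'corp.example.com'
)
Import-Module ActiveDirectory

# 1. Pull the two attributes from the computer account in the server's own domain.
$acct = Get-ADComputer -Identity $ComputerName -Properties dNSHostName, servicePrincipalName
$fqdn = "$ComputerName.$DnsDomain"

if (-not $acct.dNSHostName) {
    Write-Warning "dNSHostName is blank on $($acct.DistinguishedName) (expected $fqdn)"
}
if (-not $acct.servicePrincipalName) {
    Write-Warning "servicePrincipalName is blank on $($acct.DistinguishedName)"
}

# 2. The SPNs a domain join normally registers; these must be unique across the forest.
$expectedSpns = @("HOST/$ComputerName", "HOST/$fqdn",
                  "RestrictedKrbHost/$ComputerName", "RestrictedKrbHost/$fqdn")

# 3. Query a Global Catalog (port 3268) so every domain in the forest is covered,
#    and report any object other than this account that already holds one of the SPNs.
$forest   = Get-ADForest
$gc       = ($forest.GlobalCatalogs | Select-Object -First 1) + ':3268'
$rootBase = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

$dupes = foreach ($spn in $expectedSpns) {
    Get-ADObject -Server $gc -SearchBase $rootBase -SearchScope Subtree `
        -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
        Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName } |
        ForEach-Object { [pscustomobject]@{ SPN = $spn; HeldBy = $_.DistinguishedName } }
}

if ($dupes) {
    Write-Warning "Duplicate SPNs found elsewhere in the forest (stale account from an earlier join?):"
    $dupes | Format-Table -AutoSize
} else {
    Write-Output "No conflicting SPNs found for $ComputerName in forest $($forest.Name)."
}
```

A lingering account from an earlier join shows up in the HeldBy column with a distinguished name in a different domain, which is exactly the object to remove before rejoining. The built-in `setspn -X -F` performs the same forest-wide duplicate search without scoping it to one computer, so it is a quick way to confirm the result.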