Channel: Directory Services forum

Active Directory 2008R2 intermittent password change not working


Hi,

We are currently having a problem with users' passwords that have reached the renewal period and cannot be changed. They get an error message: “The security database on the server does not have a computer account for this workstation trust relationship.”

The computers used to change the passwords are all different and sometimes it works.

This leads me to believe that it’s not related to 1 specific computer but more a domain controller which is having the issue. So we tried to isolate the DC by changing the SRV record by way of LdapSrvPriority registry key. Some admins are now able to change their passwords but we are still having the problem with other admins, Citrix password reset and via RES.

There are several problems listed in DCdiag, I have noticed many SPN entries and a cleanup is planned. However the main issue I’m trying to solve is the password change one.

How can we troubleshoot this?

Is there a way to see which users are being authenticated on which server for ALL the users in AD?

I found this PS script but it accepts only 1 user: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771

Tried to modify it with get-content but failed.

The idea was to verify which users login/authenticated on which server and let them try to change the password to see that when it works, which DC was used.

Any help/ideas would be appreciated.


Timotatty
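
One way to run the per-DC check described in the post for every user at once, as an added example (not part of the original post and not the linked gallery script). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that Active Directory Web Services is reachable on each DC; the output file name is a placeholder.

```powershell
# Added example: for every enabled user, report which DC holds the most recent
# lastLogon value. lastLogon is not replicated, so each DC has to be asked.
# Assumption: ActiveDirectory module (RSAT) and AD Web Services on every DC.
Import-Module ActiveDirectory

$latest = @{}   # sAMAccountName -> newest record seen so far

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Filter 'Enabled -eq $true' -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
    }
    catch {
        # A DC that cannot be queried is itself worth following up on.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($u in $users) {
        # lastLogon is a FILETIME; empty or 0 means no logon recorded on this DC.
        if (-not $u.lastLogon) { continue }

        $prev = $latest[$u.SamAccountName]
        if (-not $prev -or $u.lastLogon -gt $prev.Raw) {
            $latest[$u.SamAccountName] = New-Object PSObject -Property @{
                User      = $u.SamAccountName
                DC        = $dc.HostName
                LastLogon = [DateTime]::FromFileTime($u.lastLogon)
                Raw       = $u.lastLogon
            }
        }
    }
}

# Placeholder output path; one row per user with the DC that saw them last.
$latest.Values | Sort-Object DC, User | Select-Object User, DC, LastLogon |
    Export-Csv -Path .\LastLogonByDC.csv -NoTypeInformation
```

The result shows where each account last authenticated; it does not by itself show which DC handled a password change attempt, so it is a starting point for correlating failures with a DC rather than proof.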

