The issue is that the client gets an error when a user attempts to log in. The error message is "The security database on the server does not have a computer account for this workstation trust relationship". When this happens, I look at the computer
object attributes, and look at the SPN (serviceprincipalname) attribute, and there are two values in there that should not be: “RestrictedKrbHost/computername” and “RestrictedKrbHost/computername.domainname”. I remove these from the SPN attribute,
reboot the client machine, and they can authenticate and log in. The issue keeps happening over and over again. There are both a 2008 R2 RODC and a 2003 R2 SP2 writeable DC at these sites. Disjoining and rejoining the computer didn't work, and neither did changing the
computer name.