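Question
Thursday, January 25, 2018 3:19 AM
All domain-joined computers prompt that the password has expired. After changing the password, it is not possible to log on to the Win10 system normally, and the message is "The security database on the server does not have a computer account for this workstation trust relationship". The only way to fix it is to leave the domain and join it again. This happens every time; how can it be solved?
All replies (4)
Saturday, January 27, 2018 2:04 AM ✅ Answered
1. I checked the SPN of all domain users, and they are all "not set".
2. Running the command on the domain controller reports that there are no identical SPNs: C:\Users\Administrator>setspn -x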
Checking domain DC=CANEC,DC=hotel,DC=local
Processing entry 1
found 0 group of duplicate SPNs.
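Monday, January 29, 2018 8:32 AM ✅ Answered
1. I checked the SPN of all domain users, and they are all "not set".
What needs to be checked is the computer accounts under Computers, not the user accounts under Users.
If there really are none, add them manually as I said in my previous post.
For further diagnosis, I suggest you consult the server forum: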
https://social.technet.microsoft.com/Forums/windowsserver/zh-CN/home
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
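Friday, January 26, 2018 2:37 AM
Hello,
Generally speaking, this error when logging on with a domain account is usually caused by a broken secure channel, duplicate/invalid SPNs, and similar causes. To better troubleshoot this issue, please help us confirm the following information:
1. Are the IP addresses of these computers configured manually or assigned by DHCP?
2. On the DC, open Event Viewer and check under System for any error logs. Open Active Directory Users and Computers, find these two computer accounts, right-click and select Properties, and under the Attribute Editor tab find servicePrincipalName to check whether the SPNs are registered correctly. If there are no SPNs, manually add the following two entries and then try to log on again:
HOST/COMPUTERNAME
HOST/COMPUTERNAME.domain.local
If they exist, go on to run the command setspn -x to check whether any computer in the domain has registered the same SPN. If so, duplicate information similar to that shown in the figure below will appear:
In this case we need to run the command setspn -d duplicate spn to delete the duplicate SPN (usually an object with CNF), then restart the server when done and see whether the problem is resolved.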
Saturday, January 27, 2018 1:46 AM
Log Name: System
Source: NETLOGON
Date: 1/3/2018 8:33:57 AM
Event ID: 5723
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: HACANECSVRDC01.CANEC.hotel.local
Description:
The session setup from computer 'HACANECENG03' failed because the security database does not contain a trust account 'HACANECENG03$' referenced by the specified computer.
USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'HACANECENG03$' is a legitimate machine account for the computer 'HACANECENG03' then 'HACANECENG03' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise, the following steps may be taken to resolve this problem:
If 'HACANECENG03$' is a legitimate machine account for the computer 'HACANECENG03', then 'HACANECENG03' should be rejoined to the domain.
If 'HACANECENG03$' is a legitimate interdomain trust account, then the trust should be recreated.
Otherwise, assuming that 'HACANECENG03$' is not a legitimate account, the following action should be taken on 'HACANECENG03':
If 'HACANECENG03' is a Domain Controller, then the trust associated with 'HACANECENG03$' should be deleted.
If 'HACANECENG03' is not a Domain Controller, it should be disjoined from the domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5723</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-01-03T00:33:57.000000000Z" />
<EventRecordID>8134</EventRecordID>
<Channel>System</Channel>
<Computer>HACANECSVRDC01.CANEC.hotel.local</Computer>
<Security />
</System>
<EventData>
<Data>HACANECENG03</Data>
<Data>HACANECENG03$</Data>
<Binary>8B0100C0</Binary>
</EventData>
</Event>
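Added example, not part of the original thread: a small parser for exported NETLOGON 5723 events that reads the computer and account names and decodes the `<Binary>` field as a 4-byte little-endian NTSTATUS. The function name `parse_5723` and the short `NTSTATUS` table are assumptions made for this illustration; the sample XML is the event posted above, trimmed to the fields used.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of NTSTATUS values seen in secure-channel failures (not a full table).
NTSTATUS = {
    0xC000018A: "STATUS_NO_TRUST_LSA_SECRET",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

# Event XML copied from the post above, trimmed to the fields used here.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5723</EventID>
<TimeCreated SystemTime="2018-01-03T00:33:57.000000000Z" />
<Computer>HACANECSVRDC01.CANEC.hotel.local</Computer></System>
<EventData><Data>HACANECENG03</Data><Data>HACANECENG03$</Data>
<Binary>8B0100C0</Binary></EventData></Event>"""


def parse_5723(xml_text):
    """Return the fields of a NETLOGON 5723 event, or None for other events."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if (system.find("e:Provider", NS).get("Name") != "NETLOGON"
            or system.findtext("e:EventID", namespaces=NS).strip() != "5723"):
        return None
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    # <Binary> holds the failure code as a 4-byte little-endian NTSTATUS.
    raw = bytes.fromhex(root.findtext("e:EventData/e:Binary", "", NS))
    status = struct.unpack("<I", raw[:4])[0] if len(raw) >= 4 else None
    return {
        "dc": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": data[0] if data else None,
        "account": data[1] if len(data) > 1 else None,
        "status": status,
        "status_name": NTSTATUS.get(status, "unknown"),
    }


if __name__ == "__main__":
    ev = parse_5723(SAMPLE)
    print(f"{ev['time']} {ev['computer']} -> {ev['dc']}: "
          f"0x{ev['status']:08X} {ev['status_name']}")
```

The bytes `8B0100C0` decode to 0xC000018B (STATUS_NO_TRUST_SAM_ACCOUNT), the same condition as the logon error quoted in the question, so the DC-side event and the client-side message describe one failure.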