I'm having a major issue with an older Windows Server 2008 R2 that I need to join to the domain so that domain users can access it for printing reports. It seems like the server lost its trust relationship recently. I tried rejoining it to the domain using the local admin account, and while that succeeded, domain users (even domain admins) still can't log in.
When I run the command `Test-ComputerSecureChannel -Verbose`, it returns "Logon Failure: unknown user name or bad password." I've already attempted to use `Reset-ComputerMachinePassword`, but I get the same error again. I've tried rejoining the server multiple times with various DNS names, and I've ensured the server's clock is synced with the NTP server. Oddly, the user groups in the computer management SID show blank question marks. I'm really stuck and can't figure out what to do next!
7 Answers
Honestly, no one's going to invest their time fixing a server that should have been phased out over a decade ago!
Have you tried running `Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose`? This will prompt you for your current domain admin credentials and can help fix the trust issue you're facing.
Unfortunately, my server's PowerShell version is too old for that command. I'm looking into upgrading it to see if that helps.
My suggestion is to remove the server from the domain and try re-adding it. Just a heads up, don't come back to blame me if it doesn't work!
I've already gone through that process multiple times.
Have you checked if the computer is locked out in Active Directory? Here are a few troubleshooting steps:
- Check your DNS with `nslookup domaincontrollername` and `ping domaincontrollername`.
- Make sure the system time matches your domain controller within 5 minutes, as time mismatches can block Kerberos logon.
- You might also want to run `klist purge` on CMD and then reboot the server afterward. After that, remove and re-add your computer account in Active Directory. Lastly, consider using `netdom` or `nltest` commands to reset your machine account.
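The checks listed in the answer above, together with the `-Repair` command from the earlier answer, collected into one script as an added example (this is not code from any post in the thread). It targets PowerShell 2.0, which is what Windows Server 2008 R2 ships with and which already includes `Test-ComputerSecureChannel -Repair`; `Resolve-DnsName` is not available there, so DNS is checked through .NET and `nltest` instead. The domain name `corp.example`, NetBIOS name `CORP` and DC name `dc01.corp.example` are placeholders to replace with your own.

```powershell
# Added example, not from the original thread. Domain and DC names below are assumptions.
# Run from an elevated PowerShell 2.0 prompt on the 2008 R2 member server.
$Domain   = 'corp.example'        # assumed DNS domain name
$NetBios  = 'CORP'                # assumed NetBIOS domain name
$Dc       = 'dc01.corp.example'   # assumed domain controller FQDN
$Computer = $env:COMPUTERNAME

# 1. DNS: the server must resolve the DC and locate a DC for the domain via SRV records.
try {
    $dcAddrs = [System.Net.Dns]::GetHostAddresses($Dc) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DC resolves to: $($dcAddrs -join ', ')"
} catch {
    Write-Warning "Cannot resolve $Dc : $_  (fix DNS before anything else)"
}
nltest /dsgetdc:$Domain /force          # error 1355 here means no DC was found through DNS

# 2. Time: Kerberos allows 5 minutes of skew by default. Show the offset against the DC.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly
# If the offset is large, resync from the domain hierarchy:
#   w32tm /config /syncfromflags:domhier /update ; w32tm /resync

# 3. Kerberos: drop cached tickets so stale ones are not reused after the repair.
klist purge

# 4. Computer account: confirm it exists, is enabled and is not locked out. Explicit
#    domain-admin credentials are used because the machine's own secure channel is broken.
$cred = Get-Credential -Credential "$NetBios\Administrator"   # prompts for the password
$pw   = $cred.GetNetworkCredential().Password
$root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dc", $cred.UserName, $pw
$srch = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$srch.Filter = "(&(objectClass=computer)(sAMAccountName=$Computer`$))"
$acct = $srch.FindOne()
if ($acct -eq $null) {
    Write-Warning "No computer object '$Computer`$' in AD: create it (or rejoin) before resetting the password."
} else {
    $uac     = [int]$acct.Properties['useraccountcontrol'][0]
    $lockout = $acct.Properties['lockouttime']
    Write-Host ("Account DN:          {0}" -f $acct.Properties['distinguishedname'][0])
    Write-Host ("Disabled (UAC 0x2):  {0}" -f (($uac -band 0x2) -ne 0))
    Write-Host ("Locked out:          {0}" -f ($lockout.Count -gt 0 -and [int64]$lockout[0] -ne 0))
    Write-Host ("Password last set:   {0}" -f [DateTime]::FromFileTime([int64]$acct.Properties['pwdlastset'][0]))
}

# 5. Reset the secure channel: PowerShell cmdlet first, classic tools as fallback.
if (-not (Test-ComputerSecureChannel -Verbose)) {
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
    if (-not (Test-ComputerSecureChannel)) {
        # Same operation through netdom; /passwordd:* prompts for the admin password.
        netdom resetpwd /server:$Dc /userd:$($cred.UserName) /passwordd:*
        nltest /sc_reset:$NetBios\$Dc
    }
}
nltest /sc_query:$NetBios    # shows which DC the secure channel is now established with
```

Step 4 is the one that explains the "unknown user name or bad password" symptom most often: a machine account that was deleted, disabled, or re-created with a fresh SID cannot be repaired from the client side, and the password reset in step 5 only succeeds once the object the server is trying to authenticate as actually exists and is enabled.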
Before proceeding, can you check what the domain level is and the operating system of your domain controller? If it's a newer version, it might not support joining a 2008 R2 server anymore.
Exactly! If your domain controllers are patched up, 2008 R2 may not be able to join.
Honestly, it might be time to consider upgrading your server to something supported or migrate its functions (like your print queues) to a better-functioning server. Keeping an outdated server like this is risky—it’s like leaving a door wide open for attacks or major downtimes.
Yeah, but upgrading might disrupt the EMR system, and I can't risk that.
Here's a more unconventional approach: what if you set up a Samba server on Ubuntu or another Linux distribution? You could configure it for pass-through authentication and join your Windows 2008 R2 server to that. Additionally, consider setting up another domain controller that can still allow 2008 R2 to join and configure a trust for user logins.
I get that, but it’s a tough spot—I’ve been working with it for over 15 years!