I work in an AD environment, powered by Windows Server 2003. When I received my new workstation loaded with Vista, I was able to join the domain and all was good. After 2 days of using it, I started receiving the “The security database on the server does not have a computer account for this workstation trust relationship” error when trying to log on to a domain account.
I searched around quite a bit and found the culprit. The guys who take care of the group policies have a Primary DNS Suffix set that is different from the domain's FQDN used when joining workstations. I'm not going to say whether that's good or bad; it is what it is. Anyway, this mismatch between the suffix the GPO pushes and the domain name the workstation was joined with is the reason the domain is freaking out when I try to log in. The solution is quite simple:
1. Remove your computer from the domain the normal way on your workstation.
2. Reset your computer account in the domain (if you can’t do this, ask your admin to do it for you).
3. Right-click "My Computer" and click "Properties". Scroll down to "Computer name, domain and workgroup settings" and click "Change Settings".
4. Click the “Change” button.
5. Click the “More” button.
6. Enter what the GPO is assigning as the Primary DNS Suffix for this computer. Example: pc.ou.domain.com where your domain is ou.domain.com. You can find this value by clicking "Start->Run" and typing "rsop.msc". Under "Computer Configuration" expand Administrative Templates->Network->DNS Client and double-click "Primary DNS Suffix".
7. Uncheck “Change primary DNS suffix when domain membership changes”.
8. Reboot.
9. Rejoin the domain.
If all goes well you shouldn't see the error again. I have seen cases where you need to set the Primary DNS Suffix from step 6 again after joining the domain. After doing this, everything worked fine.
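The following PowerShell is an added diagnostic, not part of the original post: run as an administrator on the affected workstation, it reads the suffix the GPO assigns, the suffix the machine actually uses, the "change suffix when membership changes" flag from step 7, and the joined AD domain, and flags the mismatch described above so you can confirm the cause before removing and rejoining. The registry paths are the standard Windows DNS-client and TCP/IP locations; the warning wording is this example's own.

```powershell
# Added diagnostic (not from the original post). Compares the GPO-assigned primary
# DNS suffix with the suffix in use and with the AD domain the machine is joined to.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

# Suffix pushed by Group Policy (Computer Configuration > Administrative Templates
# > Network > DNS Client > Primary DNS Suffix). $null means no such policy applies.
$gpoSuffix = Get-RegValue $policy 'PrimaryDnsSuffix'
# Suffix currently in use ("Domain") and the one that takes effect after reboot ("NV Domain").
$activeSuffix = Get-RegValue $tcpip 'Domain'
$nextSuffix   = Get-RegValue $tcpip 'NV Domain'
# 1 = "Change primary DNS suffix when domain membership changes" is checked (step 7 unchecks it).
$sync = Get-RegValue $tcpip 'SyncDomainWithMembership'
# DNS name of the AD domain that holds this workstation's computer account.
$adDomain = (Get-WmiObject Win32_ComputerSystem).Domain

"GPO primary DNS suffix  : $gpoSuffix"
"Active primary suffix   : $activeSuffix"
"Suffix after next reboot: $nextSuffix"
"SyncDomainWithMembership: $sync"
"Joined AD domain        : $adDomain"

if ($gpoSuffix -and $activeSuffix -and ($gpoSuffix -ne $activeSuffix)) {
    Write-Warning "GPO suffix '$gpoSuffix' differs from active suffix '$activeSuffix': the name the domain knows and the name this machine uses are out of step."
}
if ($gpoSuffix -and $adDomain -and ($gpoSuffix -ne $adDomain) -and ($sync -eq 1)) {
    Write-Warning "GPO suffix '$gpoSuffix' does not match domain '$adDomain' and suffix sync is on: a rejoin will reset the suffix to the domain name, then policy will change it back (the failure mode in the post)."
}
if ($activeSuffix -and $nextSuffix -and ($activeSuffix -ne $nextSuffix)) {
    Write-Warning "A suffix change to '$nextSuffix' is pending; reboot before rejoining."
}
if (-not $gpoSuffix) {
    "No Primary DNS Suffix policy is applied to this computer; the mismatch described in the post does not apply."
}
```

Check the output against rsop.msc from step 6; if the GPO suffix and active suffix agree and SyncDomainWithMembership is 0, the fix from the steps above is already in place.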