RSAT Across Domains | Security database on the server does not have a computer account for this workstation trust relationship

Problem when trying to use RSAT to remotely administer a different domain.

“Security database on the server does not have a computer account for this workstation trust relationship”

There are numerous blog/forum posts regarding the cause of this error, however most are related to workstations on the local domain not being able to authenticate to the local DC. (The quick fix being to remove the network cable, login with the cached credentials and remove/readd the PC to the domain.

On this occasion I was trying to use RSAT to manage DHCP on an alternative domain. The connectivity is in place with a Non-Transitive Trust between Domain A and Domain B but I was trying to administer Domain C!

The really simple fix was to use the command line “runas /netonly” which allows MMC to run as an alternative user (in the destination domain) seamlessly “/netonly” allows you to run applications as a local user but authenticating over the network as another user.

runas /netonly /user:domain\username "mmc dhcpmgmt.msc /server=DC"

Note: On Windows Server 2008 holding the “shift” key and right clicking on MMC will not display the “runas” function as in Windows Server 2008 R2 or Windows 7. A quick workaround is to use the “ShellRunAs” Sysinternals tools. Simply drag and drop the exe/msc onto the tool and it will prompt to run with alternative credentials.

References: http://ss64.com/nt/runas.html

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.