The trust relationship between this workstation and the primary domain failed

    Question

  • Hi,

    Working with Team Foundation Server 2010, and I am unable to add another user to the Administrator Console.  It gives an error about the state of the workstation and domain trust not working.

    Here are the details (There are many errors in the event log such as this):

    Log Name:      Application
    Source:        TFS Services
    Date:          7/14/2010 2:00:09 PM
    Event ID:      3071
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      COMPUTERNAME.DOMAINNAME.com
    Description:
    TF53010: The following error has occurred in a Team Foundation component or extension:
    Date (UTC): 7/14/2010 9:00:09 PM
    Machine: SRV-TFS-01
    Application Domain: TfsJobAgent.exe
    Assembly: Microsoft.TeamFoundation.Framework.Server, Version=10.0.0.0, Culture=neutral, PublicKeyToken=XXXXXXXXXXXXXXX; v2.0.50727
    Service Host:
    Process Details:
      Process Name: TFSJobAgent
      Process Id: 2512
      Thread Id: 3816
      Account name: NT AUTHORITY\NETWORK SERVICE

    Detailed Message: TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize the following identity: Domain Admins. Number of errors that occurred: 1.
    ++++++++++++++++++++++
    Sync error for identity: Domain Admins
    The trust relationship between this workstation and the primary domain failed
       at Microsoft.TeamFoundation.Framework.Common.SidIdentityHelper.ResolveSid(SecurityIdentifierInfo securityIdInfo, String& domain, String& userName, AccountType& type, Boolean& isDeleted)
       at Microsoft.TeamFoundation.Framework.Server.WindowsProvider.ResolveIdentity(IdentityDescriptor descriptor, String providerInfo, AccountSubType& subType)
       at Microsoft.TeamFoundation.Framework.Server.WindowsProvider.SyncIdentity(IdentityDescriptor descriptor, Boolean includeMembership, String providerInfo, TeamFoundationRequestContext requestContext, SyncErrors syncErrors)
       at Microsoft.TeamFoundation.Framework.Server.IdentitySynchronizer.SyncOneGroupMembership(TeamFoundationRequestContext requestContext, TeamFoundationIdentity groupToSync, IdentityComponent myComponent)

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="TFS Services" />
        <EventID Qualifiers="0">3071</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-07-14T21:00:09.000000000Z" />
        <EventRecordID>3907</EventRecordID>
        <Channel>Application</Channel>
        <Computer>COMPUTERNAME.DOMAINNAME.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>TF53010: The following error has occurred in a Team Foundation component or extension:
    Date (UTC): 7/14/2010 9:00:09 PM
    Machine: SRV-TFS-01
    Application Domain: TfsJobAgent.exe
    Assembly: Microsoft.TeamFoundation.Framework.Server, Version=10.0.0.0, Culture=neutral, PublicKeyToken=XXXXXXXXXXXXXXX; v2.0.50727
    Service Host:
    Process Details:
      Process Name: TFSJobAgent
      Process Id: 2512
      Thread Id: 3816
      Account name: NT AUTHORITY\NETWORK SERVICE

    Detailed Message: TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize the following identity: Domain Admins. Number of errors that occurred: 1.
    ++++++++++++++++++++++
    Sync error for identity: Domain Admins
    The trust relationship between this workstation and the primary domain failed
       at Microsoft.TeamFoundation.Framework.Common.SidIdentityHelper.ResolveSid(SecurityIdentifierInfo securityIdInfo, String&amp; domain, String&amp; userName, AccountType&amp; type, Boolean&amp; isDeleted)
       at Microsoft.TeamFoundation.Framework.Server.WindowsProvider.ResolveIdentity(IdentityDescriptor descriptor, String providerInfo, AccountSubType&amp; subType)
       at Microsoft.TeamFoundation.Framework.Server.WindowsProvider.SyncIdentity(IdentityDescriptor descriptor, Boolean includeMembership, String providerInfo, TeamFoundationRequestContext requestContext, SyncErrors syncErrors)
       at Microsoft.TeamFoundation.Framework.Server.IdentitySynchronizer.SyncOneGroupMembership(TeamFoundationRequestContext requestContext, TeamFoundationIdentity groupToSync, IdentityComponent myComponent)
    </Data>
      </EventData>
    </Event>

    Here is the output of TFSConfig identities, if this means anything.

     

    Account Name                  Exists (see note 1)  Matches (see note 2)
    -------------------------------------------------------------------------
    CREATOR OWNER                 True                 True
    NT AUTHORITY\NETWORK SERVICE  True                 True
    COMPUTERNAME\Administrator    True                 True
    DOMAINNAME\UserAccount        True                 True
    DOMAINNAME\Admin1             True                 True
    DOMAINNAME\Admin2             False                False
    DOMAINNAME\Admin3             False                False
    DOMAINNAME\Admin4             False                False
    DOMAINNAME\Admin5             False                False
    DOMAINNAME\COMPUTERNAME$      False                False
    DOMAINNAME\administrator      True                 True
    DOMAINNAME\Domain Admins      False                False
    BUILTIN\Administrators        True                 True

     

    Can someone point me in the right direction for further troubleshooting?

    **EDIT**

     

    I should also add this other event error I get:

    TF53010: The following error has occurred in a Team Foundation component or extension:
    Date (UTC): 7/23/2010 10:00:08 PM
    Machine: COMPUTERNAME
    Application Domain: TfsJobAgent.exe
    Assembly: Microsoft.TeamFoundation.Framework.Server, Version=10.0.0.0, Culture=neutral, PublicKeyToken=XXXXXXXXXXXXXX; v2.0.50727
    Service Host:
    Process Details:
      Process Name: TFSJobAgent
      Process Id: 2780
      Thread Id: 6924
      Account name: NT AUTHORITY\NETWORK SERVICE

    Detailed Message: TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize the following identity: Domain Admins. Number of errors that occurred: 1.
    ++++++++++++++++++++++
    Sync error for identity: Domain Admins
    The trust relationship between this workstation and the primary domain failed
       at Microsoft.TeamFoundation.Framework.Common.SidIdentityHelper.ResolveSid(SecurityIdentifierInfo securityIdInfo, String& domain, String& userName, AccountType& type, Boolean& isDeleted)
       at Microsoft.TeamFoundation.Framework.Server.WindowsProvider.ResolveIdentity(IdentityDescriptor descriptor, String providerInfo, AccountSubType& subType)
       at Microsoft.TeamFoundation.Framework.Server.WindowsProvider.SyncMembers(IdentityDescriptor descriptor, IIdentitySyncHelper syncHelper, Dictionary`2 syncAgents, String providerInfo, TeamFoundationRequestContext requestContext, SyncErrors syncErrors)
       at Microsoft.TeamFoundation.Framework.Server.IdentitySynchronizer.SyncOneGroup(TeamFoundationRequestContext requestContext, TeamFoundationIdentity idToSync, IdentityComponent identityComponent)

    Friday, July 23, 2010 9:47 PM

Answers

  • Hi Shuhari00,

    Thanks for the post. From the logs, it looks like you are using the "Network Service" account on the TFS server to run the TFS services. This account is responsible for syncing the domain users with the TFS system. So technically, this account needs permissions on the domain controller's Active Directory to read the user accounts. If you are running TFS in a workgroup, then the users who connect to the TFS server should have an equivalent user name and password on the TFS server as a local account.

    To know more on the Domains and trust considerations with respect to TFS, please visit: http://msdn.microsoft.com/en-us/library/ms253081.aspx

    Hope this helps!

    Let us know if this helped! Mark the post answered.


    ArunRama, TFS Installation and Setup team.
    Friday, July 23, 2010 10:18 PM

All replies

  • Hi,
    To fix the issue, you should either reset the computer account in AD or disjoin and rejoin the computer to the domain.
    Thanks,
    --Vladimir

     

    Saturday, July 24, 2010 7:23 AM
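
Added example (not part of the thread or any poster's code): one way to carry out the check and reset suggested in the reply above from Windows PowerShell on the TFS server, then confirm that the identity named in the event log resolves. `DOMAINNAME` is the page's placeholder, and the helper name `Test-IdentityResolves` is hypothetical.

```powershell
# Run in an elevated Windows PowerShell session on the TFS server.
# DOMAINNAME is the placeholder used in the thread; substitute the real domain.
$domain   = 'DOMAINNAME'
$identity = "$domain\Domain Admins"   # identity that failed to sync in event 3071

# Hypothetical helper: translate an account name to a SID, the same kind of
# lookup that failed in SidIdentityHelper.ResolveSid in the stack trace.
function Test-IdentityResolves {
    param([string]$Account)
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        Write-Host "$Account -> $($sid.Value)"
        return $true
    } catch {
        Write-Warning "$Account did not resolve: $($_.Exception.Message)"
        return $false
    }
}

# 1. Check the computer account's secure channel to a domain controller.
#    NETWORK SERVICE authenticates to the domain as the computer account,
#    so a broken channel breaks every lookup the TFS job agent makes.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel is healthy.'
} else {
    Write-Warning 'Secure channel is broken; attempting repair.'

    # 2. Reset the machine account password against the domain.
    #    -Credential requires Windows PowerShell 3.0 or later; supply an
    #    account allowed to reset this computer object in AD.
    $cred = Get-Credential
    if (-not (Test-ComputerSecureChannel -Repair -Credential $cred)) {
        throw 'Repair failed: reset the computer account in AD, or disjoin and rejoin the domain.'
    }
    Write-Host 'Secure channel repaired.'
}

# 3. Confirm the lookup that TFS was failing on now succeeds.
if (-not (Test-IdentityResolves $identity)) {
    Write-Warning 'Identity still does not resolve; check the account exists and DNS/DC reachability.'
}
```

After a successful repair, re-run `TFSConfig identities` and check that the accounts previously listed as `False` now show `True`.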
  • Hi Shuhari00,

    Thanks for the post. From the logs, it looks like you are using the "Network Service" account on the TFS server to run the TFS services. This account is responsible for syncing the domain users with the TFS system. So technically, this account needs permissions on the domain controller's Active Directory to read the user accounts. If you are running TFS in a workgroup, then the users who connect to the TFS server should have an equivalent user name and password on the TFS server as a local account.

    To know more on the Domains and trust considerations with respect to TFS, please visit: http://msdn.microsoft.com/en-us/library/ms253081.aspx

    Hope this helps!

    Let us know if this helped! Mark the post answered.


    ArunRama, TFS Installation and Setup team.

    Can you please explain how to add the "network service" account to the DC's Active Directory and to delegate permission?
    I have the same problem of adding users to TFS. I could add some of them but not all of them, strange...

    Thanks in advance

    Tuesday, August 24, 2010 11:09 PM