Adding legacy computers to a domain

Stephen Benson 0 Reputation points
2024-05-01T10:36:12.24+00:00

We have approx 20 Mazak milling machines running either Win 95, Win 2000 Pro or Win XP. Since the beginning of the year I've not been able to re-add them back onto the domain (functional level 2016). As they are old, a hard drive replacement is often needed to keep them going, but it's like for like: the Mazak engineer will replace a machine running Win 2000 Pro with a new hard drive with the same OS. They then leave us, the IT dept, to re-add them back onto the domain. This is where the issue is.

The machines live on a segregated VLAN separate from our normal network. They'll have their static IPs set, then be attempted to add back onto the domain. This fails with "an internal error" or, more often, "the specified name is no longer available". The attempted re-join can create an AD entry, but it's immediately disabled, and accessing the computer from another computer shows a "Trust relationship" error.

Now there's loads of stuff on the internet about this and Win XP does have a workaround (install SP3 and KB969442) but nothing available for 2000 or 95.

Can anyone help or suggest the best way for these multi-million-pound machines to be accessed?

Can anyone shed any light on why this happened in the first place (server update possibly)?

"Scrap the lot" I hear people say, but to replace them is a lot of money, well into 7 or 8 figures, so our task is to keep them going for a while longer. 😒

Thank you

Steve


4 answers

  1. S.Sengupta 16,746 Reputation points MVP
    2024-05-24T01:11:04.9333333+00:00

    These operating systems are very old and likely not compatible with the security protocols used in your 2016 domain functional level.

    The attempted re-join creates a disabled account with trust relationship errors, preventing proper access.

    The 2016 domain level might be too high for these legacy systems.


  2. Stephen Benson 0 Reputation points
    2024-05-24T13:06:03.5266667+00:00

    Hi S.Sengupta

Thanks for the information. We've had an idea of further segregating these machines onto a network serviced by an older server running 2012. But it would reduce our Cyber Essentials accreditation and so has been rejected as a step back too far.

It's the Win 95 and 2000 Pro machines which are the worry. XP can be patched if it can be upgraded to Service Pack 3, but typically we have a lot more 95/2000 machines in our estate. Synology/NAS boxes have been suggested, though that's a simple transfer of files; we'd completely lose our job monitoring ability via Seiki. This may end up our only solution.

Thanks


  3. Stephen Benson 0 Reputation points
    2024-06-14T13:14:39.83+00:00

OK, so a further update which is rather puzzling, but in a good way. We had a Mazak hard drive fail, so it has been replaced by one of their engineers. The HD has been ghosted and left to me to attempt the domain re-join. No way will that work, I thought.

This is a Win 2000 Pro machine dating back about 20 years but still in full production. I inputted the segregated VLAN static IP and used the built-in Network Identification Wizard from within the Windows Control Panel. Used my own domain credentials to attempt the domain rejoin, made sure the Active Directory entry was still enabled (it was), and success!! Logged on as myself rather than the usual local Mazak account, again success!! And I can now do a \\UKxxxxx5\C drive to download programs from a Seiki terminal to the C drive share... Result!!! AD entry is still enabled and no "Trust relationship" issues when accessing the C drive.

For the time being, that is. Got another Win 2000 Pro machine that's been off for a couple of months; if I can get that going I'll get a pay rise!!


  4. Stephen Benson 0 Reputation points
    2024-07-01T13:53:04.3466667+00:00

    So, the story continues!

    I have another Mazak machine to re-join to the domain. This had a new hard drive a couple of months ago, and is running Win 2000 Pro.

    The successful rejoin I had with another machine running Win 2000 Pro last month had to have the following scenarios:

    a. An existing Active Directory entry which is enabled

    b. Required feature enabled for an hour on one DC

As this machine has been off for so long there is no AD entry, so my thoughts are: can I impersonate that machine's domain ID by rebuilding one of our old scrap PCs onto the domain, thus creating the required ID entry? So the PC has been PXE booted and is rebuilding with the aforementioned domain ID.

    Wish me luck!!
