Lost trust relationship

Recently I had to rebuild win2k-server/sp3 on a small office network. Upon completion I have issues trying to log in from several workstations with username/pw other than the primary user. Logon fails with can't find domain. Also the event log is littered with the following

"The computer HCS-FOUR tried to connect to the server \\HCS01 using the trust relationship established by the HEADQUARTERS domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship."

My research into the 5513 error and above message led me to the "NET DOM" command but I have not been able to get it to run correctly. I could use some guidance on how to re-establish the trust relationship.

Thanks for your thoughts,

Eric
ehanner Asked:
 
oBdA Commented:
If you reinstalled the server, then your original SID is gone; so there is no other way than the one I already described: Delete the computer accounts of the clients in question in AD, remove the clients from the (former) domain (by putting them into a temporary workgroup), reboot, and rejoin the (new) domain.
Depending on how many clients you have, you could try to automate this by using "netdom remove" and "netdom rejoin" instead of visiting each workstation. "netdom trust" won't help you here.
0
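An added example, not code from the thread: the procedure above (delete the stale AD computer account, unjoin the client into a temporary workgroup, reboot, rejoin) automated with PowerShell cmdlets instead of the netdom commands mentioned, with a secure-channel check at the end. It assumes an admin workstation with the RSAT ActiveDirectory module, remote WMI/WinRM access to each client, and a working local admin credential on the clients; the client names and workgroup name are constructed.

```powershell
# Added example (not from the thread): automate delete account -> unjoin -> reboot -> rejoin.
# Assumptions: RSAT ActiveDirectory module present, RPC/WMI and WinRM reachable on each
# client, local Administrator usable remotely (remote UAC filtering permitting), and a
# domain admin account for the delete and join steps. Names below are constructed.
Import-Module ActiveDirectory

$Domain     = 'HEADQUARTERS'                 # domain name from the thread
$Clients    = @('HCS-FOUR', 'HCS-FIVE')      # constructed list of affected workstations
$DomainCred = Get-Credential -Message 'Domain admin (delete account / join)'
$LocalCred  = Get-Credential -Message 'Local admin on the workstations'

function Wait-ForHost([string]$Name, [int]$TimeoutSec = 600) {
    # Poll until the workstation answers ping again after its reboot.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (Test-Connection -ComputerName $Name -Count 1 -Quiet) { return $true }
        Start-Sleep -Seconds 15
    }
    return $false
}

foreach ($Client in $Clients) {
    # 1. Delete the stale computer account; it was created against the old domain SID.
    $Account = Get-ADComputer -Filter "Name -eq '$Client'" -ErrorAction SilentlyContinue
    if ($Account) { Remove-ADComputer -Identity $Account -Confirm:$false }

    # 2. Move the client into a temporary workgroup and reboot it.
    Remove-Computer -ComputerName $Client -LocalCredential $LocalCred `
        -UnjoinDomainCredential $DomainCred -WorkgroupName 'TEMPWG' -Force -Restart
    if (-not (Wait-ForHost $Client)) { Write-Warning "$Client did not come back; skipping"; continue }
    Start-Sleep -Seconds 60   # let services finish starting before the join

    # 3. Rejoin the rebuilt domain (creates a fresh computer account) and reboot again.
    Add-Computer -ComputerName $Client -LocalCredential $LocalCred `
        -DomainName $Domain -Credential $DomainCred -Force -Restart
    if (-not (Wait-ForHost $Client)) { Write-Warning "$Client did not come back after join"; continue }
    Start-Sleep -Seconds 60

    # 4. Verify the new secure channel from the client's side; $true means the
    #    "lost the correct SID" condition is cleared for this machine.
    $ok = Invoke-Command -ComputerName $Client -Credential $DomainCred `
        -ScriptBlock { Test-ComputerSecureChannel }
    $state = if ($ok) { 'OK' } else { 'BROKEN' }
    Write-Host "$Client : secure channel to $Domain $state"
}
```

Run it from a domain-joined admin box; any client reported BROKEN still needs the manual visit described in the thread.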
 
nick_s Commented:
To reestablish a trust in W2k you go to Active Directory Domains and Trusts. There you should see the domain and all child domains. And in the properties for each you can establish and remove trusts.

Nick
0
 
oBdA Commented:
Remove the clients from the domain, delete the computer accounts in AD, add the clients back to the domain.
0
 
rolfejr Commented:
The easiest way I have seen to reestablish a trust relationship is to log in to the machine as the local administrator, change it to a workgroup member, apply the changes, then go back in and add it back into the domain. From my experience, this has almost always worked, I haven't had to delete the computer account in AD, and you generally don't even have to reboot in between changing it to a workgroup and back to the domain.

It's worked for me, can't guarantee it will work for you, but it's easy, so give it a try.
0
 
ehanner (Author) Commented:
As I re-read my post, I see that I skipped the part where I used the same domain and computer names when I re-built the DC. I tried deleting the computer accounts and renaming the machines, and rejoining the domain with no luck.

When you say "apply the changes", what changes are you referring to? Changing the machine name? The trouble is the secret SID that is shared from the DC. The workstations are looking for a DC with a certain SID and it changed when I rebuilt win2k-server.

0
 
ehanner (Author) Commented:
Have any of you ever used NET DOM?
0
 
ehanner (Author) Commented:
oBdA
I'll try it this afternoon. Thanks. I tried removing the computer from the domain and rejoining and deleting the accounts but not at the same time.
0
 
ehanner (Author) Commented:
oBdA,
Your procedure worked as advertised. I had done both parts but not at the same time, previously. I did lose the desktop profile for the user on that machine for some reason. I was surprised by that since the users are all roaming profiles.

Thanks again,

Eric
0