Resetablishing Trust relationships in AD

Posted on 2007-04-08
Last Modified: 2008-05-30
how do you restablish trust relationships if AD was reinstalled?
Question by:Marshalk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 30

Expert Comment

ID: 18873444
Can you elaborate further on the situation that you are trying to resolve?

[1] What do you mean by "AD was reinstalled"?  Did you lose a single DC in the forest root domain? In a child domain? Did you lose the only DC in your environment?  Please describe your current environment in more detail.

[2] What sort of trust relationships are you trying to re-establish? Again, more details on your current environment would be helpful, as well as a description of the problem you are encountering or error message that you are receiving.

Author Comment

ID: 18873969
I was running a 2000 SERVER as the AD PDC.  I also had a 2003 SERVER running AD as a child.  The 2003 PC died and when I rebuilt it, I could not add it back into the domain because it was never demoted before it died.  After reading about the ways to physically demote a DC, I decided to just rebuild the PDC (It is fairly old and had a few other dead DC in there).  I demoted the PDC, removed AD and then reinstalled it as a PDC with AD.  I then rebuilt the 2003 server and added it to the domain as a child.  Once I was done, I realized that all my windows XP Pro boxes (6) will not properly login because they are members of the old domain.  To reestablish them in the new domain I have to remove them then readd them.  This is a problem because their profiles as huge and I don't want the desktops to change.  I wanted to know if there is a way to do this without losing ingo on all the desktops and end up with a corrected network.
LVL 30

Expert Comment

ID: 18874880
Unfortunately there is not a way to do what you are suggesting.  You have created a completely new Active Directory environment, which means that your workstations need to be removed from the old domain and added to the new domain.  You will need to do this even if you have given the old and the new domains the same name.

The only way to avoid dropping and re-adding the workstations to the new domain would be to restore the 2000 domain controller from a system state backup of the old domain, if you have one available. You can then remove referenced to any failed DCs using the steps listed in this KB:

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Author Comment

ID: 18874984
Is there a way to minimize the effects of this on the workstation's desktops?  They are very tweaked!
LVL 30

Accepted Solution

LauraEHunterMVP earned 250 total points
ID: 18875019
1. Create a local account called migrate and log on with this account once to create a "shell" profile. Log onto the workstation as a local admin - must be a different account than the migrate local account.

2. Go to the System applet in Control Panel. Under User Profiles copy the profile for OldDomain\UserA to the migrate account.

3. Switch the domain membership of the PC.  (Order is important, Step 2 must be done first.)

4. Log onto the new domain as NewDomain\UserA to establish a "shell" profile

5. Logout, then log back onto the workstation as a local admin. Go back to the System applet and copy the profile for the migrate local account to NewDomain\UserA.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question