Resetablishing Trust relationships in AD

Posted on 2007-04-08
Medium Priority
Last Modified: 2008-05-30
how do you restablish trust relationships if AD was reinstalled?
Question by:Marshall Kass
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 30

Expert Comment

ID: 18873444
Can you elaborate further on the situation that you are trying to resolve?

[1] What do you mean by "AD was reinstalled"?  Did you lose a single DC in the forest root domain? In a child domain? Did you lose the only DC in your environment?  Please describe your current environment in more detail.

[2] What sort of trust relationships are you trying to re-establish? Again, more details on your current environment would be helpful, as well as a description of the problem you are encountering or error message that you are receiving.

Author Comment

by:Marshall Kass
ID: 18873969
I was running a 2000 SERVER as the AD PDC.  I also had a 2003 SERVER running AD as a child.  The 2003 PC died and when I rebuilt it, I could not add it back into the domain because it was never demoted before it died.  After reading about the ways to physically demote a DC, I decided to just rebuild the PDC (It is fairly old and had a few other dead DC in there).  I demoted the PDC, removed AD and then reinstalled it as a PDC with AD.  I then rebuilt the 2003 server and added it to the domain as a child.  Once I was done, I realized that all my windows XP Pro boxes (6) will not properly login because they are members of the old domain.  To reestablish them in the new domain I have to remove them then readd them.  This is a problem because their profiles as huge and I don't want the desktops to change.  I wanted to know if there is a way to do this without losing ingo on all the desktops and end up with a corrected network.
LVL 30

Expert Comment

ID: 18874880
Unfortunately there is not a way to do what you are suggesting.  You have created a completely new Active Directory environment, which means that your workstations need to be removed from the old domain and added to the new domain.  You will need to do this even if you have given the old and the new domains the same name.

The only way to avoid dropping and re-adding the workstations to the new domain would be to restore the 2000 domain controller from a system state backup of the old domain, if you have one available. You can then remove referenced to any failed DCs using the steps listed in this KB: http://support.microsoft.com/kb/216498

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Author Comment

by:Marshall Kass
ID: 18874984
Is there a way to minimize the effects of this on the workstation's desktops?  They are very tweaked!
LVL 30

Accepted Solution

LauraEHunterMVP earned 1000 total points
ID: 18875019
1. Create a local account called migrate and log on with this account once to create a "shell" profile. Log onto the workstation as a local admin - must be a different account than the migrate local account.

2. Go to the System applet in Control Panel. Under User Profiles copy the profile for OldDomain\UserA to the migrate account.

3. Switch the domain membership of the PC.  (Order is important, Step 2 must be done first.)

4. Log onto the new domain as NewDomain\UserA to establish a "shell" profile

5. Logout, then log back onto the workstation as a local admin. Go back to the System applet and copy the profile for the migrate local account to NewDomain\UserA.

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question