Re-establishing Trust relationships in AD

Posted on 2007-04-08
Last Modified: 2008-05-30
How do you re-establish trust relationships if AD was reinstalled?
Question by:Marshalk

Expert Comment

ID: 18873444
Can you elaborate further on the situation that you are trying to resolve?

[1] What do you mean by "AD was reinstalled"?  Did you lose a single DC in the forest root domain? In a child domain? Did you lose the only DC in your environment?  Please describe your current environment in more detail.

[2] What sort of trust relationships are you trying to re-establish? Again, more details on your current environment would be helpful, as well as a description of the problem you are encountering or error message that you are receiving.

Author Comment

ID: 18873969
I was running a 2000 SERVER as the AD PDC.  I also had a 2003 SERVER running AD as a child.  The 2003 PC died and when I rebuilt it, I could not add it back into the domain because it was never demoted before it died.  After reading about the ways to physically demote a DC, I decided to just rebuild the PDC (it is fairly old and had a few other dead DCs in there).  I demoted the PDC, removed AD and then reinstalled it as a PDC with AD.  I then rebuilt the 2003 server and added it to the domain as a child.  Once I was done, I realized that all my Windows XP Pro boxes (6) will not properly log in because they are members of the old domain.  To re-establish them in the new domain I have to remove them then re-add them.  This is a problem because their profiles are huge and I don't want the desktops to change.  I wanted to know if there is a way to do this without losing info on all the desktops and end up with a corrected network.

Expert Comment

ID: 18874880
Unfortunately there is not a way to do what you are suggesting.  You have created a completely new Active Directory environment, which means that your workstations need to be removed from the old domain and added to the new domain.  You will need to do this even if you have given the old and the new domains the same name.

The only way to avoid dropping and re-adding the workstations to the new domain would be to restore the 2000 domain controller from a system state backup of the old domain, if you have one available. You can then remove references to any failed DCs using the steps listed in this KB:

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Author Comment

ID: 18874984
Is there a way to minimize the effects of this on the workstation's desktops?  They are very tweaked!

Accepted Solution

LauraEHunterMVP earned 250 total points
ID: 18875019
1. Create a local account called migrate and log on with this account once to create a "shell" profile. Log onto the workstation as a local admin - must be a different account than the migrate local account.

2. Go to the System applet in Control Panel. Under User Profiles copy the profile for OldDomain\UserA to the migrate account.

3. Switch the domain membership of the PC.  (Order is important, Step 2 must be done first.)

4. Log onto the new domain as NewDomain\UserA to establish a "shell" profile.

5. Logout, then log back onto the workstation as a local admin. Go back to the System applet and copy the profile for the migrate local account to NewDomain\UserA.
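An added pre-flight script for the five steps above (not from the thread or its author): it inventories the workstation's profiles so the old-domain profile and the local "migrate" profile can be identified before step 2, confirms that the secure channel to the rebuilt domain is indeed broken, and leaves the domain switch of step 3 as a commented, gated command. It assumes PowerShell 3.0 or later with the Win32_UserProfile class (Vista and later; the XP workstations in the question would still follow the GUI path), and the domain and account names are placeholders.

```powershell
# Added example, not part of the original answer. Run as a local administrator
# on the workstation BEFORE switching its domain membership (step 3).
# Assumptions: PowerShell 3.0+, Win32_UserProfile available, placeholder names below.
$NewDomain          = 'newdomain.example'   # placeholder: the rebuilt domain
$LocalMigrateAccount = 'migrate'            # the local account created in step 1

function Get-ProfileInventory {
    # One entry per non-system profile: SID, resolved account name (if the SID still
    # resolves), folder path, and whether it is orphaned. After the forest was rebuilt,
    # profiles from OldDomain no longer resolve, which is exactly what marks them for copying.
    foreach ($p in Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }) {
        $name = $null
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # unresolvable SID: domain gone or account deleted
        [pscustomobject]@{
            SID       = $p.SID
            Account   = $name
            LocalPath = $p.LocalPath
            Orphaned  = ($null -eq $name)
        }
    }
}

$inventory = Get-ProfileInventory
$inventory | Format-Table -AutoSize

# Step 1 check: the local 'migrate' account must already have a "shell" profile.
$migrate = $inventory | Where-Object { $_.Account -eq "$env:COMPUTERNAME\$LocalMigrateAccount" }
if (-not $migrate) {
    throw "No profile for local account '$LocalMigrateAccount'. Create it and log on once (step 1)."
}

# Step 2 candidates: orphaned profiles are the old-domain users whose data must be
# copied to the migrate profile via the System applet before the domain is switched.
$orphaned = $inventory | Where-Object Orphaned
if (-not $orphaned) { Write-Warning "No orphaned (old-domain) profiles found; nothing to migrate." }
else { Write-Host "Copy these to $($migrate.LocalPath) in step 2:"; $orphaned.LocalPath }

# Diagnosis only: the secure channel to the rebuilt domain cannot be repaired, because the
# new forest has no record of this machine account; the answer above explains why.
$channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
Write-Host "Secure channel to current domain healthy: $channelOk"

# Step 3, run only after step 2 is complete. Reboots the workstation.
# Add-Computer -DomainName $NewDomain -Credential (Get-Credential "$NewDomain\Administrator") -Restart
```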
