Solved

Cannot remove a trusted domain.

Posted on 2007-12-04
Last Modified: 2013-12-05
I have a problem removing a domain trust created before I took over the IT position, so I'm not sure how or when it was created. There are two domains on the same subnet. They no longer share any resources. Domain-1 shows Domain-2 in the Active Directory Domains and Trusts console. Domain-2 does NOT show Domain-1 in the ADDT console. From a command prompt on the master in Domain-1, when I use the NETDOM TRUST command "netdom trust domain-1 /d:domain-2 /remove /force", I get the error: "Trust not removed! This is a parent-child trust. The parent domain could not be contacted." I can ping the other master from both masters in each domain.
Question by:taltomare
Accepted Solution

by:
paulhekje earned 500 total points
ID: 20448258
A parent-child trust means that they belong to the same Active Directory forest.

You can only remove the child domain using one of these methods:
- Run dcpromo on the last DC of the child domain and remove/demote the DC.
- If the DC is not running anymore: use AD Domains and Trusts. Don't forget to clean up AD Sites and Services + DNS/WINS after removing the domain.

A parent domain cannot be removed!
You are in big trouble when no DC exists in the parent domain (call Microsoft!).
The parent domain is also called the "forest root domain".
Author Comment

by:taltomare
ID: 20449299
Is there something that I can check to see the parent-child domain setup?

Expert Comment

by:paulhekje
ID: 20450137
Easiest with AD Users and Computers: you can browse the domain hierarchy when you right-click the domain and choose "Connect to Domain".
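One way to script the parent-child check asked about above, as an added example that is not part of the original thread: a read-only PowerShell inventory of the forest hierarchy, the domain partitions recorded in the forest configuration, and the trust objects. It assumes the ActiveDirectory module (RSAT) is available; `domain-2` is the placeholder name from the question.

```powershell
# Added example, read-only: nothing here modifies the directory.
# Assumption: the ActiveDirectory module (RSAT) is installed on the machine.
Import-Module ActiveDirectory

$suspect = 'domain-2'   # placeholder name taken from the question

# 1. Where the local domain sits in the forest hierarchy.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    ForestRoot    = $forest.RootDomain
    ForestDomains = $forest.Domains -join ', '
    ThisDomain    = $domain.DNSRoot
    ParentDomain  = $domain.ParentDomain
    ChildDomains  = $domain.ChildDomains -join ', '
} | Format-List

# 2. Domain partitions recorded in the forest configuration. Only domain
#    cross-references carry nETBIOSName; trustParent names the parent's crossRef.
$partitions = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
$crossRefs  = Get-ADObject -SearchBase $partitions -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=crossRef)(nETBIOSName=*))' `
    -Properties nETBIOSName, dnsRoot, nCName, trustParent
$crossRefs | Select-Object nETBIOSName, @{n='dnsRoot'; e={$_.dnsRoot -join ','}},
    nCName, trustParent | Format-Table -AutoSize

# 3. Trust objects held by this domain, with the intra-forest flag.
$trusts = @(Get-ADTrust -Filter *)
$trusts | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive |
    Format-Table -AutoSize

# 4. Classify the suspect domain from what was found.
$asPartition = $crossRefs | Where-Object {
    $_.nETBIOSName -eq $suspect -or ($_.dnsRoot -join ',') -like "$suspect*"
} | Select-Object -First 1
$asTrust = $trusts | Where-Object { $_.Name -like "$suspect*" } | Select-Object -First 1

if ($asPartition) {
    "$suspect is a domain partition of this forest (parent: $($asPartition.trustParent))."
} elseif ($asTrust -and -not $asTrust.IntraForest) {
    "$suspect is outside the forest: $($asTrust.TrustType) trust, direction $($asTrust.Direction)."
} elseif ($asTrust) {
    "$suspect has an intra-forest trust object but no matching partition."
} else {
    "No partition or trust object matches $suspect."
}
```

Saving this output before any removal gives a record of what the directory held, which helps when cleaning up Sites and Services and DNS afterwards.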

Expert Comment

by:RetalixUSA
ID: 20908363
I just got off the phone with Microsoft support on this one and have a solution for you:

You can forcefully remove a domain trust using ntdsutil.

So here is, step by step, how to remove a domain trust forcefully:

Go to the command line:

type: ntdsutil
type: m c
type: connections
type: connect to server <dc you are on in caps>
type: q
type: s o t
type: list domains
Here you should see a list of domains with a number to the left; use the number to reference which domain you want to connect to and delete.
type: select domain <number you want to delete>
type: q
type: remove selected domain

And you're done. If it gives you an error, you can use the adsiedit.msc command to remove lost and found connections: basically, look through the HUGE tree of stuff for a lost and found and delete any reference to the domains you want to get rid of. Then go through the ntdsutil steps again to try and remove it again. Good luck, I hope this helps some poor sap like I used to be!

Good luck!