Solved

Domain trust

Posted on 2013-05-22
5
646 Views
Last Modified: 2013-05-24
I have 2 domains.

One is very old, one is new. (Building a trust between new and old)
The new one was built with a cloned machine, yup a bad thing.

I created a fresh install (2008 server), dcpromo into the new domain, dcpromo the cloned controller out (2008)
Verified sids.

SID for \\NEWDOMAIN-DC2:
S-1-5-21-1120723719-3465974444-2764455207

SID for PRODIE\NEWDOMAIN-dc2$:
S-1-5-21-1120723719-3465974444-2764455207-1157


SID for \\OLDDOMAIN-dc:
S-1-5-21-683549635-711648030-2797980900

SID for STEELCRAFT\OLDDOMAIN-dc$:
S-1-5-21-683549635-711648030-2797980900-1478

I am trying to build a trust between these two domains. I still get "domain trust cannot create a file when that file already exists"

I have gone through DNS to make sure there are no phantom entries
I have used netdom to check the trust and trusts that exsist.

I am stuck
The only thing I can think of is that the domain name itself is exactly the same.
0
Comment
Question by:wlacroix
  • 4
5 Comments
 
LVL 3

Author Comment

by:wlacroix
ID: 39189020
Rename of the domain wont save me, it leaves the SID in tact and does not affect trust relationships.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39189147
So far the only thing I can see is it is the DOMAIN sid not the machine sid.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39191140
This link explains the why it's broken.
http://support.microsoft.com/kb/127911

The new one was built with a cloned machine,
Where was it cloned from?

You could try deleting all the existing trusts and then rebuilding them from scratch.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39191688
I can verify that this was NOT the case because I built them myself.

2008 was built (no sysprep), then cloned, new controller added to domain 1, this server was promoted as the role holder and the forest was upgraded.


A new Clone was created from the 2008 build, this was built into a new domain with a different name. The trust never worked, it gave me the same error. (assumption here is SID error because of the clone situation)


SO....

New clone from the 2008 build (sysprep added), promoted to a domain controller in domain 2, demote the old one as stated above. you can clearly see the sids are NOT the same.
The only one that is left is the domain SID. (assumption here is that the domain was created with the bad cloned controller, pushing its information into the domain SID, so no matter what you do the sid is what it is, even a domain rename wont fix it, the sid wont change ever ever ever)



I am currently building a full new domain, domain 3, new domain name, new domain controllers everything. I suspect 2 things.

#1 the new domain will work, there is a new name, new netbios, new everything.
#2 the new domain will not work, its built off the EXACT same clone all the others were built off of. (on a side note i have 40 other servers built off the same clone)

SID for PD\newdomain3-dc$:
S-1-5-21-1944535435-2331424502-2653671940-1000

SID for \\newdomain3-dc:
S-1-5-21-1944535435-2331424502-2653671940

This domain name was reused when the new build happened, that could be it. I just cant see the domains having the same SID.
Any way to pull the domain SID itself, or is this a security breach?
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39194387
New domain in place and all is ok so far, gong to use ADMT to try and move a computer.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question