wlacroix
asked on
Domain trust
I have 2 domains.
One is very old, one is new. (Building a trust between new and old)
The new one was built with a cloned machine, yup a bad thing.
I created a fresh install (2008 server), dcpromo'd it into the new domain, and dcpromo'd the cloned controller out (2008).
Verified SIDs.
SID for \\NEWDOMAIN-DC2:
S-1-5-21-1120723719-3465974444-2764455207
SID for PRODIE\NEWDOMAIN-dc2$:
S-1-5-21-1120723719-3465974444-2764455207-1157
SID for \\OLDDOMAIN-dc:
S-1-5-21-683549635-711648030-2797980900
SID for STEELCRAFT\OLDDOMAIN-dc$:
S-1-5-21-683549635-711648030-2797980900-1478
I am trying to build a trust between these two domains. I still get "domain trust cannot create a file when that file already exists".
I have gone through DNS to make sure there are no phantom entries.
I have used netdom to check the trust and the trusts that exist.
I am stuck.
The only thing I can think of is that the domain name itself is exactly the same.
ASKER
So far the only thing I can see is that it is the DOMAIN SID, not the machine SID.
ASKER CERTIFIED SOLUTION
ASKER
I can verify that this was NOT the case because I built them myself.
2008 was built (no sysprep), then cloned; a new controller was added to domain 1, this server was promoted as the role holder, and the forest was upgraded.
A new clone was created from the 2008 build; this was built into a new domain with a different name. The trust never worked; it gave me the same error. (Assumption here is a SID error because of the clone situation.)
SO....
New clone from the 2008 build (sysprep added), promoted to a domain controller in domain 2, then demoted the old one as stated above. You can clearly see the SIDs are NOT the same.
The only one that is left is the domain SID. (Assumption here is that the domain was created with the bad cloned controller, pushing its information into the domain SID, so no matter what you do the SID is what it is; even a domain rename won't fix it, the SID won't change ever ever ever.)
I am currently building a full new domain, domain 3: new domain name, new domain controllers, everything. I suspect 2 things.
#1 The new domain will work: there is a new name, new NetBIOS name, new everything.
#2 The new domain will not work: it's built off the EXACT same clone all the others were built off of. (On a side note, I have 40 other servers built off the same clone.)
SID for PD\newdomain3-dc$:
S-1-5-21-1944535435-2331424502-2653671940-1000
SID for \\newdomain3-dc:
S-1-5-21-1944535435-2331424502-2653671940
This domain name was reused when the new build happened; that could be it. I just can't see the domains having the same SID.
Any way to pull the domain SID itself, or is this a security breach?
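An added example, not from the original thread: the domain SID is not secret and can be read off directly. In .NET, `SecurityIdentifier.AccountDomainSid` drops the trailing RID from an account SID (the `-1157`, `-1478`, `-1000` seen above), so the machine-account SIDs quoted in the thread are enough to compare the three domains offline; the `Get-ADDomain` lines show the live query, and the `-Server` values there are assumptions.

```powershell
# Added example: check whether two domains share a domain SID, the hypothesis raised above.
function Get-DomainSidFromAccountSid {
    param([Parameter(Mandatory)][string]$Sid)
    # AccountDomainSid returns the domain portion of an account SID (everything before the RID)
    ([System.Security.Principal.SecurityIdentifier]$Sid).AccountDomainSid
}

# Offline check using the machine-account SIDs quoted in the thread
# (the spaces inside the SIDs in the post were line-wrap artifacts).
$accountSids = @{
    'PRODIE\NEWDOMAIN-dc2$'    = 'S-1-5-21-1120723719-3465974444-2764455207-1157'
    'STEELCRAFT\OLDDOMAIN-dc$' = 'S-1-5-21-683549635-711648030-2797980900-1478'
    'PD\newdomain3-dc$'        = 'S-1-5-21-1944535435-2331424502-2653671940-1000'
}

$domainSids = @{}
foreach ($account in $accountSids.Keys) {
    $domainSids[$account] = (Get-DomainSidFromAccountSid $accountSids[$account]).Value
    '{0,-26} domain SID = {1}' -f $account, $domainSids[$account]
}

# A trust cannot be created between two domains whose domain SIDs collide,
# so flag any domain SID that appears more than once.
$duplicates = $domainSids.Values | Group-Object | Where-Object Count -gt 1
if ($duplicates) {
    'Duplicate domain SID(s): ' + ($duplicates.Name -join ', ')
} else {
    'All domain SIDs are distinct'
}

# Live query (assumed DC names; needs the RSAT ActiveDirectory module and a reachable DC in each domain):
# Import-Module ActiveDirectory
# (Get-ADDomain -Server NEWDOMAIN-DC2).DomainSID.Value
# (Get-ADDomain -Server OLDDOMAIN-dc).DomainSID.Value
# (Get-ADDomain -Server newdomain3-dc).DomainSID.Value
```

With the SIDs as quoted above, the three domain SIDs come out distinct, which matches the asker's later finding that the new domain worked.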
ASKER
New domain in place and all is OK so far; going to use ADMT to try and move a computer.