How do I forcefully remove the broken or stale Trust relationship between two domains in the windows server 2003 Domain controller?
How do I forcefully remove the broken or stale Trust relationship between two domains in the windows server 2003 Domain controller?
Our scenario
We are trying to migrate the 2003 active directory domain server to 2012 R2.
We are unable to raise the forest functional level to 2003, because one broken trust relationship in the domain and trust console in AD exists, and we are unable to remove it. We tried most of the technics available on the internet but fails.
Please help us to remove the stale trust relationship
Our scenario
We are trying to migrate the 2003 active directory domain server to 2012 R2.
We are unable to raise the forest functional level to 2003, because one broken trust relationship in the domain and trust console in AD exists, and we are unable to remove it. We tried most of the technics available on the internet but fails.
Please help us to remove the stale trust relationship
ASKER
We already try with this article
Can you possibly post a picture?
If it is shown in trusts and relationships, you should see the object name to identify it in AD.
You may also try to search the registry for such names.
If there are asscociated object, they may prevent the deletion of the object via the GUI.
If it is shown in trusts and relationships, you should see the object name to identify it in AD.
You may also try to search the registry for such names.
If there are asscociated object, they may prevent the deletion of the object via the GUI.
ASKER
The below image for the broken domain
ASKER
When I try to raise the forest functional level in the root domain (TA.COM) the show following error
ASKER
ASKER
TA.COM is our primary domain controller that is running on windows 2003 R2 Standard edition 32 bit .and "Infoparktest.TA.COM" is a child domain controller, which is not existing now. So i can't get any option to delete the child domain from the domain and trust console in the TA.COM domain controller
OK, and where are your FSMO roles
netdom query fsmo
or
Get-ADForest yourdomain | Format-Table
and
Get-ADDomain yourdomain | format-table
netdom query fsmo
or
Get-ADForest yourdomain | Format-Table
and
Get-ADDomain yourdomain | format-table
ASKER
TA-SRV.TA.COM Is the FSMO role holder / Primary Domain controller
There are 5 FSMO roles...
Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master
Maybe you run the PS without the FormatTable so see all settings...
You find also ReplicaDirectoryServers in there (Domain)
If you have fragments left over in the AD, which point to any dead infrastructure objects, you have to find them...
Most of them you can at least see unter AS site and services as well as Domains and Trust
Another source may be the DNS settings you can find in the DNS Forward Looklup zones- _mcdcs.yourdomain.com
As a trust setup is a functionality between two domain controlers, you can not easily remove them when the conterpart DC is not available anymore. The only way is now to clean up the AD and remove all objects which may belong to an old trust or relation.
This affects DNS, Domain Trusts and services, Sites and services, connected NTDS settings, connected
replication settings (DRFS and / or FSR)
As the error message points to the PDC emulator FSMO role, this is the start point.
The second message is pointing to an Win 2000 DC which may exist somewhere either in DNS or in AD Sites and services.
The more save method is to click through all properties of all OU elements in Domain Trusts and Services as well as Sites and services and try to remove them from there as far as possible. If this fails, the only way is to identify the settings in AD and to delete them with ADSIEdit or Systinternal ADExplorer.
But deleting objects directly from AD has to be done carafully as there are several obejcts connected to each other with different locations in AD. You have to find them all.
SO whatever you delete, write them down, the names may be needed later. Also some objects may have a hint to the AD container, where they exist. Write then down as well.
So, what to do now:
1.) GO to DNS
Check all subfolders for orphaned items.
You can delete them here, but they may come back if there are also additional references in AD...
2.) Check replication settings...
You should only find valid replication agreements...
Note that Win 2000 used FSR, not DFSR.
3.) CheckAD Domains and trusts...
right click the domain - properties:
Only valid trust should be here...
4.) Check AD Sites and Services
Click through the structure and check, if there are any invalid objects somewhere.
Right-Click on each folder (including root), properties to see if there are any invalid objects.
Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master
Maybe you run the PS without the FormatTable so see all settings...
You find also ReplicaDirectoryServers in there (Domain)
If you have fragments left over in the AD, which point to any dead infrastructure objects, you have to find them...
Most of them you can at least see unter AS site and services as well as Domains and Trust
Another source may be the DNS settings you can find in the DNS Forward Looklup zones- _mcdcs.yourdomain.com
As a trust setup is a functionality between two domain controlers, you can not easily remove them when the conterpart DC is not available anymore. The only way is now to clean up the AD and remove all objects which may belong to an old trust or relation.
This affects DNS, Domain Trusts and services, Sites and services, connected NTDS settings, connected
replication settings (DRFS and / or FSR)
As the error message points to the PDC emulator FSMO role, this is the start point.
The second message is pointing to an Win 2000 DC which may exist somewhere either in DNS or in AD Sites and services.
The more save method is to click through all properties of all OU elements in Domain Trusts and Services as well as Sites and services and try to remove them from there as far as possible. If this fails, the only way is to identify the settings in AD and to delete them with ADSIEdit or Systinternal ADExplorer.
But deleting objects directly from AD has to be done carafully as there are several obejcts connected to each other with different locations in AD. You have to find them all.
SO whatever you delete, write them down, the names may be needed later. Also some objects may have a hint to the AD container, where they exist. Write then down as well.
So, what to do now:
1.) GO to DNS
Check all subfolders for orphaned items.
You can delete them here, but they may come back if there are also additional references in AD...
2.) Check replication settings...
You should only find valid replication agreements...
Note that Win 2000 used FSR, not DFSR.
3.) CheckAD Domains and trusts...
right click the domain - properties:
Only valid trust should be here...
4.) Check AD Sites and Services
Click through the structure and check, if there are any invalid objects somewhere.
Right-Click on each folder (including root), properties to see if there are any invalid objects.
ASKER
Thanks very much, Bembi, we will try and update
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
https://social.technet.microsoft.com/Forums/windows/en-US/fdd89522-134c-4f8b-9dce-a6493e1150b9/how-do-i-remove-broken-or-stale-trust-relationships-between-two-domains?forum=winserverDS