reestablishing trust with subdomain

 
 
Gary Roach
09-28-2004, 01:18 PM
I'm running two Windows Server 2003 machines. One is called mydc and is the
only domain controller in the AD-integrated domain called foo.local. The
other is called mysubdc and is the only domain controller in the domain
sub.foo.local. Something went wrong with mysubdc and I reinstalled the OS
without demoting it or doing anything to indicate on mydc that mysubdc was
no longer functional. I then promoted mysubdc back to the domain controller
for sub.foo.local. Now I get the following error message in mysubdc's event
log:

The computer mydc tried to connect to the server \\mysubdc using the trust
relationship established by the SUB domain. However, the computer lost the
correct security identifier (SID) when the domain was reconfigured.
Reestablish the trust relationship.

I investigated this in the Microsoft KB and found this article:

http://support.microsoft.com/default...N-US;q260575#2

which describes using netdom to reset machine account passwords. However,
when I try to use it on mysubdc with the following command line:

netdom /resetpwd /server:mydc.foo.local /userd:foo\adminstrator /passwordd:*

I get:

The machine account password for the local machine could not be reset.

No mapping between account names and security IDs was done.

The command failed to complete successfully.


The article says:

This behavior is also applicable to replication between domain controllers
of the same domain. If the domain controllers that are not replicating
reside in two different domains, you should inspect the trust relationship
more closely.

but it doesn't say how to do this. Do I have to demote mysubdc and start
again, or is there an easier way? Thanks for any help.


--
Gary Roach
ADB Services


 
Todd J Heron
09-28-2004, 05:10 PM
Once you demolished your old DC for mysubdc and built a new DC, then ran
dcpromo again, you built a new domain, and therefore, a netdom /resetpwd
won't work. You need to rebuild the trust over again from scratch, if I am
understanding you correctly.

--
Todd J Heron, MCSE
Windows 2003/2000/NT

"Gary Roach" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
Phillip Renouf
09-28-2004, 07:43 PM
You cannot delete/recreate intra-forest trusts. If you are having an issue
you might need to demote the existing sub DC, clean up AD of all references
to the old domain/DC, then repromote the sub DC. This will again create a new
sub.foo.local domain, but once AD is cleaned of the old information then it
should be fine. If you had objects/resources in the sub domain that you need
back at this point, you will need to restore from backup.

Phil

"Todd J Heron" wrote:

Todd J Heron
09-28-2004, 08:16 PM
Oops, you are correct Phil, I was misreading him and thinking of an
inter-forest trust in his scenario! Thanks.

--
Todd J Heron, MCSE
Windows 2003/2000/NT

"Phillip Renouf" <(E-Mail Removed)> wrote in message
news:498FD19B-B275-40AA-9D13-(E-Mail Removed)...
Gary Roach
09-28-2004, 08:22 PM
Thanks - I ended up demoting the mysubdc controller and deleting the trust
manually using netdom and then promoting it again. This seemed to work
better but still gives some KDC "duplicate account" errors that I'm trying
to figure out.


"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
Gary Roach
09-28-2004, 08:47 PM
Yeah - I figured I'd have to demote the DC and start again. I tried getting
rid of the trust relationship using netdom (I had to use the force option)
and then repromoted the DC. I'm getting some errors due to the fact that
there are duplicate AD entries (as you mentioned). I'm now attempting to rid
AD of the redundant entries.


"Phillip Renouf" <(E-Mail Removed)> wrote in message
news:498FD19B-B275-40AA-9D13-(E-Mail Removed)...
Reply With Quote
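Phil's procedure (demote, clean AD of every reference to the old domain and DC, repromote) and Gary's follow-up about leftover duplicate entries can both be checked from the parent domain before and after the cleanup. The PowerShell below is an added example; it is not from the thread, the KB article or Microsoft. It assumes the RSAT ActiveDirectory module (which did not exist for Server 2003, so run it from a current admin workstation or DC against the same directory), the host and domain names used in the thread (parameters, so they can be changed), that the rebuilt child DC is reachable for the Get-ADDomain call, and the netdom trust switch names as documented for netdom (check netdom trust /? before running them). It compares the SID the parent's trustedDomain object still holds for sub.foo.local with the SID the rebuilt child domain actually has, which is the mismatch the event log entry describes and the reason netdom /resetpwd is the wrong tool; it then lists the crossRef and server/NTDS Settings objects in the Configuration partition that a metadata cleanup has to remove, and prints, without running, the netdom and ntdsutil steps.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread, the KB article or Microsoft): report
# whether the parent domain's trust object for a rebuilt child domain is
# stale, and list the configuration objects a metadata cleanup must remove.
# Read-only: it prints the cleanup commands, it does not run them.
# Assumptions: RSAT ActiveDirectory module; the thread's names (parameters);
# a DC of the parent domain is reachable; netdom trust switches as documented.
param(
    [string]$ParentDomain = 'foo.local',
    [string]$ChildDomain  = 'sub.foo.local',
    [string]$ParentDc     = 'mydc.foo.local',
    [string]$OldChildDc   = 'mysubdc'
)

$configNc = (Get-ADRootDSE -Server $ParentDc).configurationNamingContext

# 1. The parent's view: the trustedDomain object under CN=System records the
#    domain SID the child had when dcpromo created the trust.
$trust = Get-ADTrust -Identity $ChildDomain -Server $ParentDc -ErrorAction SilentlyContinue
$recordedSid = if ($trust) { $trust.SecurityIdentifier.Value } else { $null }

# 2. The child's current identity: a domain promoted from scratch gets a new
#    domain SID even when it reuses the old DNS and NetBIOS names.
$child = Get-ADDomain -Identity $ChildDomain -ErrorAction SilentlyContinue
$currentSid = if ($child) { $child.DomainSID.Value } else { $null }

"Trust object SID on ${ParentDc}: $recordedSid"
"Domain SID of ${ChildDomain}:   $currentSid"
if ($recordedSid -and $currentSid -and ($recordedSid -ne $currentSid)) {
    Write-Warning "Stale trust: $ParentDomain still trusts the SID of the old $ChildDomain."
    Write-Warning "netdom /resetpwd cannot repair this; remove the old domain and repromote the child."
}
if ($trust -and -not $trust.IntraForest) {
    Write-Warning "Trust is not marked intra-forest; check that $ChildDomain is still a child of $ParentDomain."
}

# 3. Leftovers in the Configuration partition. One crossRef per child naming
#    context and one server object (with its NTDS Settings child) per DC are
#    what 'ntdsutil metadata cleanup' removes; duplicates here are the kind
#    of stale entries that surface as duplicate-account errors after a repromote.
$crossRefs = @(Get-ADObject -Server $ParentDc -SearchBase "CN=Partitions,$configNc" `
    -LDAPFilter "(&(objectClass=crossRef)(dnsRoot=$ChildDomain))" `
    -Properties nCName, dnsRoot, nETBIOSName)
foreach ($cr in $crossRefs) {
    "crossRef : $($cr.DistinguishedName) -> $($cr.nCName) (NetBIOS $($cr.nETBIOSName))"
}
if ($crossRefs.Count -gt 1) { Write-Warning "More than one crossRef for $ChildDomain." }

$servers = @(Get-ADObject -Server $ParentDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldChildDc))" -Properties dNSHostName)
foreach ($srv in $servers) {
    $ntds = Get-ADObject -Server $ParentDc -SearchBase $srv.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
    "server   : $($srv.DistinguishedName) (NTDS Settings present: $([bool]$ntds))"
}
if ($servers.Count -gt 1) { Write-Warning "More than one server object named $OldChildDc under CN=Sites." }

# 4. Print (do not run) the cleanup. Demote the child DC first so nothing is
#    still authenticating against the objects being removed.
@"

Cleanup to run on $ParentDc, after demoting ${OldChildDc}:
  netdom trust $ParentDomain /d:$ChildDomain /remove /force /uo:$ParentDomain\Administrator /po:*
      (/force also deletes the crossRef for the old $ChildDomain)
  ntdsutil
      metadata cleanup
      connections
      connect to server $ParentDc
      quit
      select operation target
      list domains / select domain <n>                       (the $ChildDomain entry)
      list sites / select site <n>
      list servers in site / select server <n>               (the $OldChildDc entry)
      quit
      remove selected server
      remove selected domain                                 (only if a crossRef is still listed)
Re-run this script afterwards: sections 1-3 should find nothing; then repromote $OldChildDc as a new $ChildDomain.
"@
```

The script never modifies the directory. ntdsutil's metadata cleanup is interactive and its menu numbers depend on what "list domains" and "list servers in site" return on your forest, which is why those steps are printed for the operator rather than scripted.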
 
 
 