RE: Forest Trust Problem - SID Conflict (Yet another crisis)
From: Trust Worthy (TrustWorthy_at_discussions.microsoft.com)
Date: 02/12/05
Date: Sat, 12 Feb 2005 06:41:01 -0800
Brian,
Yep, such a Hot and Zesty Dill Pickle!
In fact, Microsoft Premiere Support advised the same solution as they went
back and forth stating there are no other ways. And you are exactly right
about the ghost image issue. Sounds like you have been there? :)
Anyway, to keep the impact low, we created a new domain controller
called pp. So, I used ADMT to migrate users, groups, service accounts (but
couldn't migrate computers). I was receiving an error, so I decided to give up
on ADMT for computer migration as my activity hours were running out. I
wrote up a small script (utilizing netdom) to remove from domain preprod and
join pp domain and then reboot. I migrated around 30-40 computers that way.
I then went to each machine and added their group accounts in the local
administrators group. Let me explain a little, because there lies my current
problem....
In the pp domain (or in the preprod domain in the past), we did not create
very many users but administrative accounts. We bring all the users to
designated "Domain Local" groups within PP from the Corp domain. Corp domain
is located in its own forest. We have a one way trust between PP and Corp (PP
trusts Corp).
Working in the past: User Corp\TrustWorthy who is part of Preprod\Admins
'Domain Local group', can perform administrative duty as Preprod\Admins
group. Because, Prod\Admins group is a member of the Local Administrators
group of a member server (who is part of Preprod Domain).
In the new PP, this works if I add corp\TrustWorthy directly as a member of the
PP member servers' local administrative group, but not when corp\TrustWorthy
is part of PP\Admins group.
For some reason, these servers (W2K and W2k3) are suddenly not recognizing
Domain Local groups anymore? That's the only way I can add Corp users to
access PP Domain resources.
Any idea? I was receiving an error initially that it couldn't apply Cross
Forest GPO, so it was using loopback instead when I was logging in as Corp/TrustWorthy.
After enabling "Allow Cross-Forest User Policy and Roaming User Profiles"
that is not happening anymore. Also the Domain Controller, Domain, and
Product GPO are identical to Preprod domain which was working, and another
domain which is working now.
Any idea?
"Brian O'Neil" wrote:
> You are in quite the pickle!
> I have heard of this happening before, and the result was that the Root DCs
> in each forest were seeded off the same ghost image. This caused the Domain
> SID to be duplicated when generating the new domain via dcpromo. It was a
> nightmare to troubleshoot.
>
> Unfortunately you cannot change domain SID, so rebuilding the domain from a
> fresh machine install is your only option.
>
> I also read you want to migrate the users; !*do not migrate SID history*!
> You will be bringing that old domain SID along with each user and you'll have
> unpredictable user to SID mapping problems throughout all 3 forests. Instead
> use the ADMT Security Translation Wizard to update the resource ACLs for the
> users. There will be a lapse however in accessibility for the end users until
> that is performed. SID History usually closes that gap.
>
> -Brian
>
> "Allen Firouz" wrote:
>
> > Trust Worthy:
> >
> > I have seen Trust inconsistencies in the past, but they are usually not so
> > intermittent. There are a slew of tools for checking replication and trust
> > issues across domain(s). Refer here: http://tinyurl.com/47yzr for the tools,
> > their usage and some excellent links to related topics.
> >
> > Good luck,
> >
> > -Allen Firouz [MentalFloss]
> >
> > "Trust Worthy" wrote:
> >
> > > Sorry for not providing enough information.
> > >
> > > Prod= 2003 Native Mode
> > > Preprod= 2003 Native Mode
> > >
> > > Corp = 2003 Mixed Mode
> > >
> > > Please do not hesitate to ask if you have any specific question. At this
> > > point, trust is working fine but I know it will break soon. By the way, your
> > > link was helpful, but I will apply those if those situations come up. This one
> > > is not discussed.
> > >
> > > On a different note, I couldn't track any error other than what I explained
> > > in the original post. Other than the trust issue, we are good to go. That's
> > > why I hate to re-build the domain (at least one) from scratch to get a
> > > new domain sid.
> > >
> > > "Mental Floss" wrote:
> > >
> > > > Hi Trust Worthy:
> > > >
> > > > A bit of a puzzling issue and there is insufficient information in your post
> > > > to effectively troubleshoot. However, maybe this site will help you narrow
> > > > your issue down:
> > > > http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Tshoot_Trusts.asp
> > > >
> > > > -MentalFloss
> > > >
> > > > "Trust Worthy" wrote:
> > > >
> > > > > Greetings folks! Hope you are having a nice year already. I wish I could
> > > > > say the same. Unfortunately, I am up against a lot of re-work and headache
> > > > > ahead :(
> > > > >
> > > > > But before telling you the problem, let me take you back few months when
> > > > > birds were still singing in these forests.
> > > > >
> > > > > It all started when 3 of our forests prod, preprod and dev started trusting
> > > > > corp which had all the user accounts (mainly). Everything was happy-go-
> > > > > lucky until one day people started complaining that they cannot get into
> > > > > preprod forest. They cannot get there because the trust was broken between
> > > > > preprod and corp. After it was restored, people started complaining that
> > > > > they cannot get back into prod. Since then it started going back and forth
> > > > > between these two forests.
> > > > >
> > > > > We tried various approaches but nothing would resolve this problem.
> > > > > Meanwhile, we have noticed that on the corp side, the entry for preprod gets
> > > > > replaced by prod when we re-establish the prod-corp trust and vice versa when we
> > > > > re-establish preprod-corp.
> > > > >
> > > > > Could corp be thinking prod and preprod are the same guy? Well, our guess
> > > > > was proven when we ran
> > > > >
> > > > > nltest /domain_trusts /all_trusts /v
> > > > >
> > > > > Yes, it turned out that Dom Sid: for both prod and preprod are identical.
> > > > > So preprod and prod were replacing each other, because corp thought they
> > > > > were the same forest. Now we often got an error during re-establishing the
> > > > > trust that "File Already exist".
> > > > >
> > > > > Anyway, coming back to present, we are still going through the same problem.
> > > > > But it happens intermittently. Sometimes both trusts work for a period of
> > > > > one to two weeks (side by side) and then suddenly one fails. We re-establish
> > > > > and everything works fine until another one breaks again. Just need to
> > > > > figure out how to change the domain sid without rebuilding the domain.
> > > > >
> > > > > Any idea?
> > > > >
> > > > > (If I have to rebuild the domain, I might take one of the domains (like
> > > > > preprod) and do some migration to another domain and re-do it from
> > > > > scratch. But wanting to avoid it.)
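The check the original poster ran by hand (spotting identical "Dom Sid:" values in `nltest /domain_trusts /all_trusts /v` output) can be scripted so that a duplicate domain SID among trusted domains is flagged before the trusts start flapping. This is an added example, not a script from the thread; it assumes the verbose nltest layout of an indexed trust line followed by "Dom Guid:" and "Dom Sid:" lines, and the embedded sample output is constructed, not captured.

```powershell
# Added example (not from the thread): flag trusted domains that share a domain SID,
# the condition behind the prod/preprod trust overwriting seen in the original post.
# Assumption: verbose nltest output lists each trust as "N: NETBIOS dns.name (...)"
# followed by "Dom Guid:" and "Dom Sid:" lines. Run with -UseSample to test offline.
param([switch]$UseSample)

# Constructed sample output, not a real capture; PROD and PREPROD share a SID.
$sample = @'
List of domain trusts:
    0: CORP corp.example.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)
       Dom Guid: 11111111-1111-1111-1111-111111111111
       Dom Sid: S-1-5-21-100-200-300
    1: PROD prod.example.com (NT 5) (Direct Outbound) ( Attr: foresttrans )
       Dom Guid: 22222222-2222-2222-2222-222222222222
       Dom Sid: S-1-5-21-400-500-600
    2: PREPROD preprod.example.com (NT 5) (Direct Outbound) ( Attr: foresttrans )
       Dom Guid: 33333333-3333-3333-3333-333333333333
       Dom Sid: S-1-5-21-400-500-600
The command completed successfully
'@

function Get-TrustSids {
    # Parse nltest lines into objects with NetBIOS name, DNS name and domain SID.
    param([string[]]$Lines)
    $trusts = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*\d+:\s+(\S+)\s+(\S+)') {
            $current = [pscustomobject]@{ NetBios = $Matches[1]; Dns = $Matches[2]; Sid = $null }
            $trusts += $current
        } elseif ($current -and $line -match 'Dom Sid:\s*(S-1-5-21-[\d-]+)') {
            $current.Sid = $Matches[1]   # object reference, so the array entry is updated
        }
    }
    return $trusts
}

$lines  = if ($UseSample) { $sample -split "`r?`n" } else { nltest /domain_trusts /all_trusts /v }
$trusts = Get-TrustSids -Lines $lines

# Any SID shared by more than one domain means the trusting side cannot tell them apart.
$dupes = $trusts | Where-Object Sid | Group-Object Sid | Where-Object Count -gt 1
if ($dupes) {
    foreach ($g in $dupes) {
        Write-Warning ("Domain SID {0} is shared by: {1}" -f $g.Name, ($g.Group.Dns -join ', '))
    }
} else {
    Write-Output "No duplicate domain SIDs among $($trusts.Count) trusts."
}
```

Against the constructed sample the script warns that S-1-5-21-400-500-600 is shared by prod.example.com and preprod.example.com; a rebuild from a fresh install, as Brian advises, is the only way to change the SID it reports.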