RE: Domain Trust issue

OK, problem solved. Someone has created a computer account in an OU and named
this machine the same as the NetBIOS domain name of the 2nd domain..... grmpf

Thanks to all for the help.

Have a nice weekend, all.
woisch

"Milun Jevremovic" wrote:

Definitely sounds like a problem on the second domain.

Let's say that the NETBIOS names of your domains are UNLIMITED and HEAVEN.

So, on heaventest.com you are sure that you do not have a user account named
unlimited or a computer account UNLIMITED, and as well that you do not have
UNLIMITED$ in the Users container (leftover of a previous trust). It is not a
problem to have a HEAVEN computer on the HEAVEN domain, but one with the name
of the opposite domain is.

Please check the Lost and Found container via ADSIEDIT or LDP, as well as
Deleted Objects (via LDP, after enabling the Control option to return deleted
objects), for any of those options.

The only other option I see at the present moment is:
- as somebody mentioned, your UNLIMITED NETBIOS domain name is a "protected"
name which cannot be used in trusts (like INTERNET, DOMAIN, SYSTEM, not sure
what others are). Usually they were created in NT times, when no protection was
set, and upgraded to 2000/2003 without renaming.

Milun

"woisch" wrote:

Okay, I've now tried to create a trust in a virtual environment. I tried it
on two fresh domains and it works.

I removed the trust once more.

Then I created a computer account with the same name on both domains and
additionally a user account with the same name on both domains.

I created the trust again and it works?! Why??

In the real domain we also use WINS servers, and I checked them. No
duplicated items.

That's strange.....

@ Milun Jevremovic
I had a look at both domains in ADSIEdit and checked CN=Users for an
account with $. No account found.

I've also checked the Active Directory container "System" for a folder with
the type "trust" ..... but nothing.

If I run:

DSQUERY COMPUTER -SAMID <DOMAIN-NAME>$
DSQUERY COMPUTER -NAME <DOMAIN-NAME>

I get an empty line on the command line....

The other strange thing is:

domain a: unlimitedtest.co.uk (not the real name)
domain b: heaventest.com (not the real name)

If I create a trust from unlimitedtest.co.uk:

1. External Trust
2. Two-Way
3. This domain only (not both this domain and the specified domain)
4. Domain-wide authentication
5. Trust password

the trust works from this side. If I configure it from the other side, it
doesn't work....

And if I create the trust from unlimitedtest.co.uk WITH "Both this domain and
the specified domain" I get the same error with the specified user.

I'm a little bit confused now. ;) Is the failure on the "heaventest.com"
domain? Because from the other domain I can create a trust....

Hoping for help ;)

Thx
Woisch

"Milun Jevremovic" wrote:

Hello,

When a trust is created, 2 objects are created in AD:
- TDO (trusted domain object), which usually does not create problems
- User object (in the Users container), containing the NETBIOS name of the
trusted/trusting domain with $ at the end. This user object is not visible in
ADUC, but it is in ADSIEdit.

Usually when you get this error, on the side where you are getting it you
already have an object with an identical username. Since we have $ at the end,
that is probably a COMPUTER object, although we possibly have an earlier, not
properly removed trust with the same domain.

Regards,

Milun

"woisch" wrote:

Hi,

I have a problem creating an external trust between two domains.

1st: Windows Server 2003 (Windows Server 2003 SP2)
2nd: Windows 2000 native (Windows Server 2003 R2 SP2)

DNS is configured with conditional DNS, and I think DNS resolution is not the
problem.

If I click Finish to create the trust, I get the error "the specified
user already exists".

But I don't know which user is meant?!

There are no duplicated user or computer accounts.

How can I solve this problem?

I've already read

http://support.microsoft.com/?scid=kb%3Ben-us%3B295335&x=8&y=8
http://support.microsoft.com/?scid=kb%3Ben-us%3B266633&x=12&y=10

Thx and regards
woisch
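
The check that resolved this thread, as an added example that is not part of the original posts: a domain-wide search, in every OU and including deleted objects, for any object whose name would collide with the `<NETBIOS>$` account a trust needs, plus a listing of the existing trust objects under CN=System. It assumes the ActiveDirectory PowerShell module can reach a domain controller (on Server 2003 that requires the Active Directory Management Gateway Service); `UNLIMITED` is the placeholder name used in the thread.

```powershell
# Added example: run in the domain that reports "the specified user already exists".
Import-Module ActiveDirectory

# Assumption: NetBIOS name of the partner domain (placeholder from the thread).
$PartnerNetbios = 'UNLIMITED'

# Classify an account by its userAccountControl type bits.
function Get-UacType([int]$Uac) {
    if ($Uac -band 0x0800) { return 'interdomain trust account' }
    if ($Uac -band 0x2000) { return 'domain controller computer account' }
    if ($Uac -band 0x1000) { return 'workstation/member server computer account' }
    return 'user or other object'
}

# Match the bare name, the name with a trailing $, and the CN. A computer
# object named UNLIMITED gets sAMAccountName UNLIMITED$, which is the same
# name the trust's hidden user object needs.
$filter = '(|(sAMAccountName={0})(sAMAccountName={0}$)(cn={0}))' -f $PartnerNetbios

# Default search base is the whole domain, so objects in any OU, in
# LostAndFound and (with -IncludeDeletedObjects) in Deleted Objects are covered.
$hits = Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects `
    -Properties sAMAccountName, userAccountControl, isDeleted, whenCreated

$hits | Select-Object sAMAccountName, ObjectClass,
    @{ Name = 'Type';    Expression = { Get-UacType $_.userAccountControl } },
    @{ Name = 'Deleted'; Expression = { [bool]$_.isDeleted } },
    whenCreated, DistinguishedName | Format-List

if (-not $hits) {
    Write-Output "No object named $PartnerNetbios or $PartnerNetbios`$ found."
}

# Existing trust objects (TDOs) live under CN=System; a leftover from an
# earlier trust with the same domain shows up here by its flatName.
$systemDn = 'CN=System,' + (Get-ADDomain).DistinguishedName
Get-ADObject -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties flatName, trustPartner, trustDirection |
    Select-Object flatName, trustPartner, trustDirection, DistinguishedName
```

Run it on both sides of the trust, swapping `$PartnerNetbios` for the opposite domain's NetBIOS name each time.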
