Re: reestablish trust relationship



hello again. Man, I'm doing this for a client. It's like looking at cave
drawings and wondering how they did it. Actually I have changed an old
intranet domain name to a registered domain, but I think from what you said I
should still disconnect and rejoin the domain...silly me, it's always the
little things. That should initiate a new key with Kerberos SPN...right?

"Ace Fekay [MVP]" wrote:

> In news:F414ABDD-7D9E-488E-B774-9AD4A132E848@xxxxxxxxxxxxx,
> Skip <Skip@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I then commented on
> below:
> > I recently reconfigured a new DC ( the old one was removed) with a new
> > domain. I now have a workstation that has issues when accessing this
> > new server/domain. Apparently the trust relationship is lost due to
> > SID issues.
> >
> > The workstation event log tells me that it lost the correct SID when
> > the domain was reconfigured.
> >
> > How do I reestablish this trust?
>
> The workstation would need to be disjoined, then rejoined to the domain. But
> you will need to deal with your users' lost profiles.
>
> I am assuming "reconfigured" means you rebuilt it from scratch and you
> renamed the new domain controller the same exact domain and machine name as
> the old one. Intra-forest trusts between DCs and/or member machines (joined
> clients) are not based on the computer name, but rather the Kerberos Service
> Principal Name (SPN, which is based on the FQDN) and the initial trust
> established that utilizes the machine's SID for identification purposes to
> authenticate any communications between the machines. If you rebuilt the DC
> from scratch, a totally new domain along with new SIDs were created.
>
> I hope that helps.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
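An added example, not part of the thread and not code from either poster: the check-then-disjoin-and-rejoin sequence Ace describes, with the verification an admin would run before and after. The domain name, workgroup name and the local-profile path are placeholders; run it in an elevated PowerShell session on the affected workstation, one stage at a time, since each join step reboots the machine.

```powershell
# Stage 1: is the secure channel (machine account trust) to the domain healthy?
# Test-ComputerSecureChannel returns $true only if the workstation can still
# authenticate to a DC with its stored machine password.
if (Test-ComputerSecureChannel -Verbose) {
    Write-Host "Secure channel OK - nothing to do."
    return
}
nltest /sc_query:$env:USERDOMAIN   # shows which DC (if any) answered and the error

# Stage 2: cheap fix first. -Repair resets the machine account password on the DC.
# This only works when the computer account still exists in the domain, i.e. the
# domain was NOT rebuilt from scratch with new SIDs. Expect it to fail in that case.
$cred = Get-Credential -Message "Domain admin account (placeholder: CORP\admin)"
if (Test-ComputerSecureChannel -Repair -Credential $cred) {
    Write-Host "Machine account password reset; trust re-established."
    return
}

# Stage 3: the thread's scenario (new domain, new SIDs). Back up the user profiles
# first, because the old domain SIDs no longer resolve and the profiles will be
# orphaned after the rejoin. Path is an assumed placeholder.
Write-Host "Backing up local profiles before disjoining..."
robocopy "C:\Users" "D:\ProfileBackup" /E /COPYALL /XJ /R:1 /W:1

# Leave the domain and fall back to a workgroup. Reboots the machine.
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName "WORKGROUP" -Force -Restart

# Stage 4 (after the reboot): join the new domain. This creates a fresh computer
# account, a new machine password and the HOST/<name> and HOST/<fqdn> SPNs that
# Kerberos uses for the trust - the "new key" the original poster asks about.
# Add-Computer -DomainName "corp.example.com" -Credential $cred -Force -Restart

# Stage 5 (after the second reboot): confirm the result.
# Test-ComputerSecureChannel -Verbose          # should now return $true
# setspn -L $env:COMPUTERNAME                  # lists the freshly registered SPNs
# (Get-WmiObject Win32_ComputerSystem).Domain  # should show the new domain FQDN
```

Stages 4 and 5 are left commented out so the script does not join a domain on its own; uncomment them only once the disjoin reboot has completed.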