need to rebuild trust relationship b/w domain controllers

Gary Roach

I'm trying to upgrade a couple of domain controllers that were running NT
4.0. Both were in the same domain - one was a PDC, one a BDC. I upgraded the
PDC to Windows Server 2003 without incident. However, when I upgraded the
BDC and specified in the Active Directory Installation Wizard that it was to
be a second domain controller in an existing domain, it seemed to work
properly except that when it rebooted for the final time and tried to boot
up, I got the following:

lsass.exe

Security Accounts Manager initialization failed because of the following
error: The specified domain either does not exist or could not be contacted.
Error Status: 0xc00000df. Please click OK to shutdown this system and reboot
into Domain Services Restore Mode, check the event log for more detailed
information.

I rebooted into DSRM and checked the event log and found nothing much of
interest on the old BDC machine, but I found the following on the upgraded
PDC:

The computer BDC tried to connect to the server PDC using the trust
relationship established by the NTDOMAIN domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured.
Reestablish the trust relationship.

This SID must have been lost when the BDC was upgraded, because after the PDC
was upgraded the BDC worked fine and I could run service manager on it and
see both machines. Now my question is: how do I reestablish the trust
relationship? I tried demoting the BDC machine using dcpromo but it told me
I couldn't run it from DSRM. I can't boot into normal mode because I keep
getting the original error message. I looked at the "Computer Name" page of
the System Properties to see if I could rejoin the domain that way, but the
domain is listed as "unknown" and both it and the computer name are greyed
out. What do I do?

Thanks for any help.
 
Ulf B. Simon-Weidner [MVP]

Gary Roach said:
The computer BDC tried to connect to the server PDC using the trust
relationship established by the NTDOMAIN domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured.
Reestablish the trust relationship.

This SID must have been lost when the BDC was upgraded, because after the PDC
was upgraded the BDC worked fine and I could run service manager on it and
see both machines. Now my question is: how do I reestablish the trust
relationship?

Hello Gary,

The event is not talking about a trust relationship between domains,
it's talking about the secure channel between the computer and the
domain.

You should be able to reset the computer with its account by using the
command "netdom resetpwd".

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 
Gary Roach

Thanks for the reply. I tried using netdom resetpwd on the old BDC that's
giving the problem. When I use

netdom resetpwd /server:<pdc> /userd:ntdomain\administrator /passwordd:*

I get:

Parameter /Domain is required for this operation

When I try:

netdom resetpwd /domain:ntdomain /server:<pdc> /userd:ntdomain\administrator
/passwordd:*

I get:

The parameter Domain was unexpected.


Sounds like the system doesn't know if the upgraded BDC is in a domain or
not. (Or maybe I just can't do it from Directory Services Restore Mode,
which is the only mode I can use since I can't boot into normal mode.)

This is just a test - I read that this is the correct way to upgrade an NT
domain to Windows Server 2003. I'm glad I ran this test because it seems
there's a problem upgrading BDCs. Maybe a better way is to take the BDCs
out of the domain before anything is upgraded, then upgrade the PDC in
order to convert the SAM to AD and retain whatever resources need keeping,
and then do clean reinstalls on the BDCs and rejoin them to the new AD
domain. Any thoughts?
 
ptwilliams

Try this instead, it's less confusing with regards to which credential flags
to use:

nltest /sc_reset:domainName.com


If you are not interactively logged onto the server, use the /server
parameter to stipulate which server to reset the channel on.

Obviously, if you do not wish to reset the channel, you can use the
/sc_change_pwd:domainName parameter instead.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
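The two replies above point at the same object from different tools: Ulf's netdom resetpwd and Paul's nltest /sc_reset both act on the computer account's secure channel to the domain, not on an inter-domain trust. The following PowerShell script is an added example, not code from the thread or from either poster, that first queries the channel with nltest /sc_query and only resets it on request, trying nltest first and netdom second. The domain name and DC name are placeholders; the parsing of the "Trusted DC Connection Status Status = 0 0x0 NERR_Success" line is an assumption about nltest's output format; and the script has to run in normal mode with a DC reachable, since in DSRM the directory is offline and neither tool can complete (which is what Gary ran into). For reference, the 0xC00000DF in the original lsass message is STATUS_NO_SUCH_DOMAIN, matching the "domain does not exist or could not be contacted" text.

```powershell
# Added example (not the thread's or the posters' own code): check a machine's
# secure channel to its domain, then repair it the way the replies describe.
# Assumptions: $Domain and $Server are placeholders; nltest and netdom are on the
# path (on Windows Server 2003 they come from the Support Tools); the machine is
# booted normally, not in DSRM, so a DC can actually be contacted.

param(
    [string]$Domain = 'ntdomain.example',   # placeholder domain, not from the thread
    [string]$Server = 'PDC',                # placeholder DC to reset against
    [switch]$Repair                         # only reset when explicitly asked
)

function Get-SecureChannelStatus {
    param([string]$Domain)
    # nltest /sc_query prints a line like (assumed format):
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success
    # A non-zero status, e.g. 0xc000018b (STATUS_NO_TRUST_SAM_ACCOUNT), means the
    # machine account password or SID no longer matches what the DC holds.
    $output = & nltest "/sc_query:$Domain" 2>&1 | Out-String
    $match  = [regex]::Match($output, 'Connection Status Status = (\d+) (0x[0-9a-fA-F]+)')
    if (-not $match.Success) {
        # Status line absent: treat the query itself as failed rather than guess.
        return [pscustomobject]@{ Healthy = $false; Code = 'unknown'; Raw = $output }
    }
    [pscustomobject]@{
        Healthy = ($match.Groups[1].Value -eq '0')
        Code    = $match.Groups[2].Value
        Raw     = $output
    }
}

function Reset-SecureChannel {
    param([string]$Domain, [string]$Server)
    # Path 1 (Paul's suggestion): nltest re-establishes the channel against a
    # named DC. Syntax: /sc_reset:<domain>\<dc>
    & nltest "/sc_reset:$Domain\$Server" | Out-Null
    if ($LASTEXITCODE -eq 0) { return 'reset by nltest' }

    # Path 2 (Ulf's suggestion): netdom resets the machine account password on
    # the DC and locally. /passwordd:* prompts for the credential instead of
    # placing it on the command line, where it would land in shell history.
    & netdom resetpwd "/server:$Server" "/userd:$Domain\Administrator" "/passwordd:*"
    if ($LASTEXITCODE -eq 0) { return 'reset by netdom' }
    return 'reset failed'
}

$state = Get-SecureChannelStatus -Domain $Domain
if ($state.Healthy) {
    Write-Output "Secure channel to $Domain is healthy."
} elseif ($Repair) {
    Write-Output "Secure channel broken ($($state.Code)); attempting repair."
    Write-Output (Reset-SecureChannel -Domain $Domain -Server $Server)
} else {
    # Default is read-only: report the state and leave the reset to the operator.
    Write-Output "Secure channel broken ($($state.Code)). Re-run with -Repair to reset it."
}
```

The read-only default is deliberate: a secure-channel reset changes the machine account password on the DC, so it is worth confirming from the /sc_query output that the channel really is broken, and which DC the machine was talking to, before running it with -Repair.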

 
Gary Roach

Thanks for the advice - I wish I could try it, but in the meantime I tried
booting with the "Last Known Good Configuration". Apparently this had a temporary
administrator password (perhaps set by the dcpromo program) because now I
can't log on. It seems the only way to reset the password (I had no other
administrator accounts set up except the "Administrator" account) is to do a
complete re-install. Good thing this is just an experiment, because the whole
thing has gone horribly wrong!
 
ptwilliams

I'm sorry to hear it all went wrong : (

When you promote a machine the administrator account only exists as a one
off entry in a cut-down SAM for the Directory Services Restore Mode
(offline-AD). This is probably what happened with the accounts.

There are ways to reset the passwords, but you've already deleted the
account now, so maybe next time...


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

 
