evan | 2/25/2009 3:58:39 PM

so i'm trying to create a forest trust between two domains
dns is fine, netdiag/dcdiag come back fine.
both of the domain controllers for each domain are VMs running on ESX 3.5
when i go to create the trust (on either DC), i get all the way to the end where it's about to create the trust and then it errors out and simply says "this operation can not be performed on the current domain"
nothing in the NTDS logs, system logs, etc... just that.
i've regenerated the SIDs of all domain controllers thinking that maybe someone forgot to sysprep one of them when it was imaged, no go.
one of the domains has some child domains and all of those trusts are working fine.
if i try and make a trust from a physical DC to a virtual DC, that works fine. it's just virtual to virtual that doesn't work. each of the DCs is on a separate host so it's not a shared networking thing, and i'm able to access the other DC from one DC via its FQDN. i raised both domains/forests to 2003 functional level. i was gonna put the hostnames for each into lmhosts but i thought 2003 stopped using netbios for hosts, so...
any ideas? google seems to know nothing except for when the netbios names for both domains are the same and/or there is no secondary zone to let the domains resolve host records in the other domain... and i'm out of ideas...
Shaggy | 2/25/2009 5:10:28 PM

run portqryui's trust test suite to double check ur network stuff.
So you have Domain A and Domain B. Physical DC in domain A can do the trust with virtual DC in domain B but virtual DC in domain A can't do a trust with virtual DC in domain B?
evan | 2/25/2009 5:35:37 PM

nah, i haven't tried it with a domain that has both physical and virtual DCs, we don't have any. it's either all physical or all virtual.
virtual <-> physical and physical <-> virtual work fine on every domain we have
virtual <-> virtual does not, however
evan | 2/25/2009 5:40:04 PM

heh, i just figured it out
someone didn't sysprep the VMs after they were cloned, as i suspected... since the domain SID is generated based off of the first domain controller's machine SID when a new domain is created, all of the virtual domains have the exact same domain SID...
*sigh*
if i change the domain SID, regenerate SIDs in objectSID for all the objects, and put the object's old SID into sIDHistory, will that work? or, alternatively, create new domains and import all the objects into the new domain (pretty sure it would put the old SID into sIDHistory automatically in this case)
i'd really like to avoid recreating these domains if at all possible...
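A check for the condition evan ran into, added here as an example and not taken from this thread: it decodes the binary objectSid attribute that LDAP returns for an account in each domain, reduces it to the domain SID, and reports any domain SID shared by more than one domain before a trust is attempted. The domain names and SID values below are constructed samples.

```python
import struct

def decode_sid(blob: bytes) -> str:
    """Decode a binary objectSid (the form LDAP returns) into S-1-... text."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")  # 48-bit identifier authority
    if len(blob) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes for {count} sub-authorities")
    subs = struct.unpack_from(f"<{count}I", blob, 8)  # little-endian sub-authorities
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here only to build the constructed sample blobs."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError(f"not a SID: {text}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def domain_sid(sid: str) -> str:
    """Reduce an object's SID to its domain SID: an account SID S-1-5-21-a-b-c-RID
    loses the RID; the domain object's own SID S-1-5-21-a-b-c is returned as is."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8):
        raise ValueError(f"not a SID from an AD domain: {sid}")
    return "-".join(parts[:7])

def find_sid_collisions(object_sids: dict[str, bytes]) -> dict[str, list[str]]:
    """Group DNS domain names by domain SID; keep only SIDs shared by more than one domain."""
    by_sid: dict[str, list[str]] = {}
    for name, blob in object_sids.items():
        by_sid.setdefault(domain_sid(decode_sid(blob)), []).append(name)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}

# Constructed sample: the objectSid of one DC computer account per domain. The first
# two domains mirror the thread (cloned first DC, hence an identical domain SID).
SAMPLE_DCS = {
    "corp-a.example": encode_sid("S-1-5-21-1111-2222-3333-1000"),
    "corp-b.example": encode_sid("S-1-5-21-1111-2222-3333-1001"),
    "corp-c.example": encode_sid("S-1-5-21-4444-5555-6666-1000"),
}

if __name__ == "__main__":
    for sid, names in find_sid_collisions(SAMPLE_DCS).items():
        print(f"domain SID {sid} is shared by: {', '.join(names)}")
```

In a real check, replace SAMPLE_DCS with objectSid values read from each domain over LDAP; two domains in the same forest or trust relationship must never share a domain SID.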
Shaggy | 2/25/2009 5:52:56 PM

weird