 Message Boards » » weird AD trust problems Page [1]  
evan
All American
27701 Posts

so i'm trying to create a forest trust between two domains

dns is fine, netdiag/dcdiag come back fine.

both of the domain controllers for each domain are VMs running on ESX 3.5

when i go to create the trust (on either DC), i get all the way to the end where it's about to create the trust and then it errors out and simply says "this operation can not be performed on the current domain"

nothing in the NTDS logs, system logs, etc... just that.

i've regenerated the SIDs of all domain controllers thinking that maybe someone forgot to sysprep one of them when it was imaged, no go.

one of the domains has some child domains and all of those trusts are working fine.

if i try and make a trust from a physical DC to a virtual DC, that works fine. it's just virtual to virtual that doesn't work. each of the DCs is on a separate host so it's not a shared networking thing, and i'm able to access the other DC from one DC via its FQDN. i raised both domains/forests to 2003 functional level. i was gonna put the hostnames for each into lmhosts but i thought 2003 stopped using netbios for hosts, so...

any ideas? google seems to know nothing except for when the netbios names for both domains are the same and/or there is no secondary zone to let the domains resolve host records in the other domain... and i'm out of ideas...

2/25/2009 3:58:39 PM

Shaggy
All American
17820 Posts

run portqryui's trust test suite to double check your network stuff.

So you have Domain A and Domain B. Physical DC in domain A can do the trust with virtual DC in domain B but virtual DC in domain A can't do a trust with virtual DC in domain B?

2/25/2009 5:10:28 PM

evan
All American
27701 Posts

nah, i haven't tried it with a domain that has both physical and virtual DCs, we don't have any. it's either all physical or all virtual.

virtual <-> physical and physical <-> virtual work fine on every domain we have

virtual <-> virtual does not, however

2/25/2009 5:35:37 PM

evan
All American
27701 Posts

heh, i just figured it out

someone didn't sysprep the VMs after they were cloned, as i suspected... since the domain SID is generated based off of the first domain controller's machine SID when a new domain is created, all of the virtual domains have the exact same domain SID...

*sigh*

if i change the domain SID, regenerate SIDs in objectSID for all the objects, and put the object's old SID into sIDHistory, will that work? or, alternatively, create new domains and import all the objects into the new domain (pretty sure it would put the old SID into sIDHistory automatically in this case)

i'd really like to avoid recreating these domains if at all possible...

2/25/2009 5:40:04 PM
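A pre-flight check for the failure mode evan describes, added here as an example and not part of the original thread: it decodes a binary objectSid the way AD stores it, strips the RID to get the domain SID, and reports domains whose SIDs collide (the case the cloned, un-sysprepped DCs produced). All domain names and SID values below are constructed.

```python
import struct

def parse_binary_sid(blob: bytes) -> str:
    """Decode a binary SID (the on-wire/LDAP objectSid layout) into S-R-A-... text form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (48-bit big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("sub-authority count does not match blob length")
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def domain_sid(sid: str) -> str:
    """Strip the RID from an account SID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c.
    A bare domain SID (no RID) is returned unchanged."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) < 7:
        raise ValueError("not an NT domain or account SID: " + sid)
    return "-".join(parts[:7])

def find_duplicate_domain_sids(domains: dict) -> dict:
    """Given {domain_name: sid_text}, return {domain_sid: [names]} for every
    domain SID shared by more than one domain. Empty dict means the trust
    will not trip over a SID collision."""
    by_sid = {}
    for name, sid in domains.items():
        by_sid.setdefault(domain_sid(sid), []).append(name)
    return {s: names for s, names in by_sid.items() if len(names) > 1}

# Constructed sample: the Domain Admins group SID of one domain as AD would store it.
SAMPLE_OBJECTSID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 512)

# Constructed sample: two "virtual" forests cloned from the same image share a
# domain SID; the "physical" forest has its own. Real values would come from each domain.
SAMPLE_DOMAINS = {
    "virt-a.example": "S-1-5-21-1000-2000-3000",
    "virt-b.example": "S-1-5-21-1000-2000-3000",
    "phys.example":   "S-1-5-21-4444-5555-6666",
}

if __name__ == "__main__":
    print(parse_binary_sid(SAMPLE_OBJECTSID))
    for sid, names in find_duplicate_domain_sids(SAMPLE_DOMAINS).items():
        print("domain SID %s is shared by: %s" % (sid, ", ".join(names)))
```

In a real environment the per-domain SID text would come from each domain's own tooling, for example the DomainSID property returned by Get-ADDomain in PowerShell, rather than the constructed dictionary above.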

Shaggy
All American
17820 Posts

weird

2/25/2009 5:52:56 PM

© 2024 by The Wolf Web - All Rights Reserved.