How to change one domain to another

    Question

  • Hi all,

    Previously, I could log on to my computer with a domain account (for example: redmond\darbin). But I need to use Active Directory, so I installed Active Directory Domain Services and followed the installation wizard to create another domain (forest) named "forest.corp.com" on my Windows server. After that I restarted my computer and used the domain account redmond\darbin to log on to my Windows server. At this moment, an error occurred: "The security database on the server does not have a computer account for this workstation trust relationship". I tried to log on with the local administrator account darbin\administrator (darbin is my computer name). That failed as well, because the user name and password are incorrect. I don't know why this problem happened. Suddenly I used forest\administrator to log on. It worked. However, I want to log on to my Windows server with the redmond\darbin account (I mentioned it in the first sentence). Using a search engine I found this:

    http://technet.microsoft.com/en-us/library/ee849847(v=WS.10).aspx

    Unfortunately, the illustration is too simple and I can't make it work for my problem. Could you provide more explanation for this, or supply your resolution for my problem?

    Any reply will be appreciated.

    Monday, April 30, 2012 11:34 AM

Answers

  • Clarify "I just have a domain account with "redmond\darbin". Without admin privilege". I assume you have a computer, and now you want to add your computer to one domain (i.e. redmond); to do that obviously you need a domain account like "redmond\darbin". How can you have admin privilege for the redmond domain?

    This is not true if no group policy has been defined for this. By default, domain users who don't have admin access can join 10 computers to the domain.

    Refer below link

    http://social.technet.microsoft.com/Forums/en/winserverGP/thread/17d7053e-4433-4f51-a7be-c58164c84990

    Check if the group policy is defined for this (Computer Configuration | Windows Settings | Security Settings | User Rights Assignment | Add workstations to domain). If it is defined, then yes, they need admin access to join the computer account.

    I hope I am making sense here

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 12:05 PM
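    Editor's note, added as an example and not part of the thread: the answer above rests on two settings, the ms-DS-MachineAccountQuota attribute on the domain object (default 10) and the "Add workstations to domain" user right, which the Default Domain Controllers Policy grants to Authenticated Users by default. The PowerShell below, run as a domain admin on a DC or on a box with the Active Directory module, reads both, lists the computer accounts that were joined under the quota (those carry the creator in mS-DS-CreatorSID), and shows the usual hardening of setting the quota to 0 so that only principals with delegated "Create Computer objects" permission can join machines. The domain name redmond.corp.com is taken from the thread; the hardening line is commented out so that nothing changes until you uncomment it.

    ```powershell
    # Added example, not from the thread. Audits who may join computers to the
    # domain and shows the hardening step. Run as a domain admin.
    # Assumption: the domain is redmond.corp.com as named in the thread.
    Import-Module ActiveDirectory

    $domain = Get-ADDomain -Identity 'redmond.corp.com'

    # 1. The quota under which ordinary users may create computer accounts.
    #    Default is 10; 0 disables this path entirely.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    "ms-DS-MachineAccountQuota on $($domain.DNSRoot) = $quota"

    # 2. The user right the quota applies to. Exported from the local policy of
    #    the machine you run this on; on a DC that reflects the Default Domain
    #    Controllers Policy, where *S-1-5-11 (Authenticated Users) is the default.
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $right = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
    "Add workstations to domain: $($right.Line)"
    Remove-Item $cfg

    # 3. Computers joined under the quota rather than by delegated permission
    #    have mS-DS-CreatorSID set to the SID of the user who created them.
    #    This is the list to review: every entry is a machine a non-admin owns.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            "{0,-20} created by {1}" -f $_.Name, $sid.Value
        }

    # 4. Hardening: quota 0 means only accounts that hold "Create Computer
    #    objects" on an OU (delegated deliberately) can join machines.
    #    Uncomment to apply.
    # Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    ```

    Setting the quota to 0 is the change worth making; removing Authenticated Users from the user right on the DCs is not a substitute, because the quota is what limits users who hold the right but have no explicit permission on an OU, and the join path used by delegated admins still needs the right.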

All replies

  • Darbin,

      I am a bit confused here. You said that you used to log in with redmond\darbin. I assume Redmond is your computer name. That means you used to log in locally on the server.

    After this you have performed dcpromo on the server and installed a domain on it (Forest.corp.com). Now I assume Forest.corp.com is your domain name.

    When you try forest\administrator it is working. That means now it's a domain controller.

    Remember: there is no local administrator on domain controllers. So you cannot use redmond\darbin. You have to use forest\administrator to log in.

    So, YOU CANNOT LOG IN AS REDMOND\DARBIN NOW.

    Hope I am making some sense here.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Monday, April 30, 2012 11:51 AM
  • Hello,

    To understand you correctly: your machine is a Windows Server OS and you have run dcpromo on it for the domain name forest.corp.com? If this is correct and the machine was used before in the domain "redmond", that is completely gone with promoting the machine as DC for the forest.corp.com domain.

    So please clarify the steps you have done in detail, so we can understand what domain the machine belongs to or is DC of.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 30, 2012 12:19 PM
  • Hello,

    Previously, I could log on to my computer with a domain account (for example: redmond\darbin). But I need to use Active Directory, so I installed Active Directory Domain Services and followed the installation wizard to create another domain (forest) named "forest.corp.com" on my Windows server. After that I restarted my computer and used the domain account redmond\darbin to log on to my Windows server. At this moment, an error occurred: "The security database on the server does not have a computer account for this workstation trust relationship".

    Here, you were using the local SAM database to log on. Once you promoted the server as a DC, the local SAM was overwritten by the AD database. This means that the SAM database no longer exists, and in this case you can no longer use a local account to log on, because it no longer exists.

    Please use a domain account. Try using DomainName\darbin to log on and check the results.

    To reset the AD admin password: http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, April 30, 2012 12:32 PM
  • Hi Prashant,

    The redmond\darbin is a domain account, not the local account. As you mentioned, after performing dcpromo on my server, forest\administrator is working and it's a domain controller. But I still need to log on to my computer with redmond\darbin (domain account). Hope you understand!


    Wednesday, May 02, 2012 2:32 AM
  • Hello,

    To understand you correctly: your machine is a Windows Server OS and you have run dcpromo on it for the domain name forest.corp.com? If this is correct and the machine was used before in the domain "redmond", that is completely gone with promoting the machine as DC for the forest.corp.com domain.

    So please clarify the steps you have done in detail, so we can understand what domain the machine belongs to or is DC of.



    Yes, I used redmond\darbin to log on to my machine before running dcpromo. And after running dcpromo, a domain named forest.corp.com was created and it's a domain controller. But I still need to log on with the redmond\darbin account. How can I do that?
    Wednesday, May 02, 2012 2:37 AM
  • Here, you were using the local SAM database to log on. Once you promoted the server as a DC, the local SAM was overwritten by the AD database. This means that the SAM database no longer exists, and in this case you can no longer use a local account to log on, because it no longer exists.

    Please use a domain account. Try using DomainName\darbin to log on and check the results.



    I'm using a domain account (redmond\darbin) to log on, not the local account.
    Wednesday, May 02, 2012 2:39 AM
  • Hi Prashant,

    The redmond\darbin is a domain account, not the local account. As you mentioned, after performing dcpromo on my server, forest\administrator is working and it's a domain controller. But I still need to log on to my computer with redmond\darbin (domain account). Hope you understand!


    What is redmond here? Is it your domain? How about forest? Is it also a domain? I don't understand how you ran dcpromo on a server which was already a member of the redmond domain and made it a domain controller of the forest domain.

    Please explain the scenario in a bit more descriptive way.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 5:34 AM
  • Hi Prashant,

    The redmond\darbin is a domain account, not the local account. As you mentioned, after performing dcpromo on my server, forest\administrator is working and it's a domain controller. But I still need to log on to my computer with redmond\darbin (domain account). Hope you understand!


    What is redmond here? Is it your domain? How about forest? Is it also a domain? I don't understand how you ran dcpromo on a server which was already a member of the redmond domain and made it a domain controller of the forest domain.


    Firstly, my Windows server has an administrator account (computername\administrator) and I added my server to one domain (redmond.corp.com), namely my server is a member of redmond.corp.com and the domain account is redmond\darbin. I can log on to my server with the domain account (redmond\darbin) or the administrator account (computername\administrator). After logging on with the domain account (redmond\darbin), I ran Server Manager, opened "Add Roles" and selected "Active Directory Domain Services". Following the installation wizard, one new domain "forest (forest.corp.com)" was created, and at the end of the installation wizard it required a restart of the computer, which I did. Now I can't log on to my server with redmond\darbin or computername\administrator. For redmond\darbin, the error I mentioned in my initial post occurs; for computername\administrator, it says the user name and password are incorrect. After trying a few times, I logged on to my server successfully with forest\administrator. But I want to log on to my server with the redmond\darbin account.



    • Edited by Darbin Wednesday, May 02, 2012 6:11 AM
    Wednesday, May 02, 2012 6:04 AM
  • Firstly, my Windows server has an administrator account (computername\administrator) and I added one domain account (redmond\darbin) on my server. I can log on to my server with the domain account (redmond\darbin) or the administrator account (computername\administrator). After logging on with the domain account (redmond\darbin), I ran Server Manager, opened "Add Roles" and selected "Active Directory Domain Services". Following the installation wizard, one new domain "forest (forest.corp.com)" was created, and at the end of the installation wizard it required a restart of the computer, which I did. Now I can't log on to my server with redmond\darbin or computername\administrator. For redmond\darbin, the error I mentioned in my initial post occurs; for computername\administrator, it says the user name and password are incorrect. After trying a few times, I logged on to my server successfully with forest\administrator. But I want to log on to my server with the redmond\darbin account.

    OK ,

     I added one domain account (redmond\darbin) on my server

    How did you add this domain account? You said it was a server, not a domain controller. You cannot add any domain account on member servers. I am confused here.

    And REDMOND is your domain? The naming convention redmond\darbin is even more confusing to me.

    I understand computername\administrator will not work, as now the server is acting as a domain controller and there is no local administrator account.

    So my question is:

    Was this server a member server before, or was it acting as a domain controller, or was it a server in a workgroup?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 6:13 AM
  • I added one domain account (redmond\darbin) on my server


    I edited my previous reply. Sorry for this. I added my server to one domain (redmond.corp.com), namely my server is a member of redmond.corp.com and the domain account is redmond\darbin.
    Wednesday, May 02, 2012 6:55 AM
  • I added one domain account (redmond\darbin) on my server


    I edited my previous reply. Sorry for this. I added my server to one domain (redmond.corp.com), namely my server is a member of redmond.corp.com and the domain account is redmond\darbin.

    No problem.

    So that means it was previously a member of redmond.corp.com, and now on the same server you ran dcpromo and installed a new domain on it (forest.corp.com).

    Now it is a domain controller of the domain forest.corp.com.

    So does your redmond domain still exist? How many domains do you have in your forest?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 7:03 AM
  • So that means it was previously a member of redmond.corp.com, and now on the same server you ran dcpromo and installed a new domain on it (forest.corp.com).

    Now it is a domain controller of the domain forest.corp.com.

    So does your redmond domain still exist? How many domains do you have in your forest?

    Since it is a domain controller of the domain forest.corp.com now. The redmond domain still exists, exactly. The redmond domain is not related to forest.

    I just have a domain account redmond\darbin and can use it to add my server to the redmond domain. So the redmond domain exists all the time.

    Wednesday, May 02, 2012 7:14 AM
  • So that means it was previously a member of redmond.corp.com, and now on the same server you ran dcpromo and installed a new domain on it (forest.corp.com).

    Now it is a domain controller of the domain forest.corp.com.

    So does your redmond domain still exist? How many domains do you have in your forest?

    Since it is a domain controller of the domain forest.corp.com now. The redmond domain still exists, exactly. The redmond domain is not related to forest.

    I just have a domain account redmond\darbin and can use it to add my server to the redmond domain. So the redmond domain exists all the time.

    So,

    I assume you have 2 child domains, redmond.corp.com and forest.corp.com, right? If this is the case, there is no need for manual configuration; automatically there will be a trust between them, and you can log in.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/191c3ba8-b625-42c2-82c2-77a205edc8ac/

    If this is not the case, then please explain your environment clearly. How many forests, how many child domains?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 7:26 AM
  • So,

    I assume you have 2 child domains, redmond.corp.com and forest.corp.com, right? If this is the case, there is no need for manual configuration; automatically there will be a trust between them, and you can log in.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/191c3ba8-b625-42c2-82c2-77a205edc8ac/

    If this is not the case, then please explain your environment clearly. How many forests, how many child domains?

    Firstly, redmond.corp.com is a separate domain and it's not related to forest.corp.com. forest.corp.com was created with the installation wizard and now my server is the domain controller of forest.corp.com. forest and redmond are not child domains of one domain.

    I just have a domain account redmond\darbin, and I can add my server to the redmond domain with redmond\darbin.

    Wednesday, May 02, 2012 7:45 AM
  • So,

    I assume you have 2 child domains, redmond.corp.com and forest.corp.com, right? If this is the case, there is no need for manual configuration; automatically there will be a trust between them, and you can log in.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/191c3ba8-b625-42c2-82c2-77a205edc8ac/

    If this is not the case, then please explain your environment clearly. How many forests, how many child domains?

    Firstly, redmond.corp.com is a separate domain and it's not related to forest.corp.com. forest.corp.com was created with the installation wizard and now my server is the domain controller of forest.corp.com. forest and redmond are not child domains of one domain.

    I just have a domain account redmond\darbin, and I can add my server to the redmond domain with redmond\darbin.

    If these are different forests, then you need to create a trust between both to get the user authenticated across the forests.

    http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html

    DC Locator across the forest

    http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx

    Client authentication in a forest trust over firewall

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1b60243e-e5a8-4e13-bc4b-b134caf127a6

    Kerberos authentication and trust

    http://technet.microsoft.com/en-us/library/cc960648.aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 7:55 AM
  • Hello,

    "Firstly, redmond.corp.com is a separate domain and it's not related to forest.corp.com. forest.corp.com was created with the installation wizard and now my server is the domain controller of forest.corp.com. forest and redmond are not child domains of one domain.

    I just have a domain account redmond\darbin, and I can add my server to the redmond domain with redmond\darbin."

    As your server is now DC for a completely different forest/domain, you are NO longer able to log on with the user redmond\darbin. If this account should be used, either demote the newly installed DC and add it as a member to the redmond domain again, or create a trust between the redmond domain and the forest.corp.com domain.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, May 02, 2012 8:58 AM
  • I am trying the methods you provided. I will post my result later.
    Wednesday, May 02, 2012 9:06 AM
  • If these are different forests, then you need to create a trust between both to get the user authenticated across the forests.

    http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html


    I followed the steps above. But I still can't solve my issue. My OS is Windows Server 2008 R2. Open Active Directory Domains and Trusts. In the left panel, right-click forest.corp.com and select Properties. The forest.corp.com Properties dialog opens, and I locate the Trusts tab. Click "New Trust"; the New Trust Wizard dialog appears. Follow the wizard: click the "Next" button, type "redmond.corp.com" in the Trust Name step and click the "Next" button. At the Direction of Trust step I select "Two-way" and click "Next". Select "This domain only" at the Sides of Trust step and click "Next". At the Outgoing Trust Authentication Level step I select "Selective authentication" and click "Next". Type the trust password twice and click "Next". Trust Selections Complete appears and I click "Next" twice. Now I select "Yes, confirm the outgoing trust" at the Confirm Outgoing Trust step and click "Next". At last I click "Finish". All looks fine. But how do I use the redmond\darbin account to log on to my server?
    Wednesday, May 02, 2012 10:22 AM
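    Editor's note, added as an example and not part of the original post: with the trust created as described, three things still stand between redmond\darbin and a console logon on the forest.corp.com DC. The "This domain only" choice creates only the forest.corp.com side, so a redmond admin has to create the redmond side with the same trust password, over working DNS name resolution, before the trust verifies. "Selective authentication" means a user from redmond is refused on every computer in forest.corp.com until granted the "Allowed to Authenticate" extended right on that computer object. And the Default Domain Controllers Policy grants "Allow log on locally" only to the built-in administrator and operator groups, so a plain user from any domain is refused at a DC's console even across a verified trust. The PowerShell below, run on the DC as forest\administrator, inspects each of these. It reads the trustedDomain objects with Get-ADObject because the Windows Server 2008 R2 AD module has no Get-ADTrust; the partner name redmond.corp.com is taken from the thread.

    ```powershell
    # Added example, not from the thread. Inspects the new trust and the two
    # settings that still block a non-admin trusted user at the DC console.
    # Assumption: run on the forest.corp.com DC; partner is redmond.corp.com.
    Import-Module ActiveDirectory

    $local  = Get-ADDomain
    $trusts = Get-ADObject -SearchBase "CN=System,$($local.DistinguishedName)" `
                -LDAPFilter '(objectClass=trustedDomain)' `
                -Properties trustPartner, trustDirection, trustAttributes

    # trustDirection as seen from this side: 1 = inbound, 2 = outbound, 3 = two-way.
    # trustAttributes bits: 0x8 = forest-transitive, 0x10 = selective authentication.
    foreach ($t in $trusts) {
        $dir = switch ($t.trustDirection) { 1 {'inbound'} 2 {'outbound'} 3 {'two-way'} default {'disabled'} }
        $forest    = [bool]($t.trustAttributes -band 0x8)
        $selective = [bool]($t.trustAttributes -band 0x10)
        "{0,-22} direction={1} forestTrust={2} selectiveAuth={3}" -f $t.trustPartner, $dir, $forest, $selective
    }

    # Verification only succeeds once the redmond side exists and DNS resolves
    # the partner; until then the trust object above is inert.
    netdom trust $local.DNSRoot /domain:redmond.corp.com /verify

    # Under selective authentication, who may authenticate to this DC at all.
    # 68b1d179-0d15-4d4f-ab71-46152e79a7bc is the Allowed-To-Authenticate right.
    $dc  = Get-ADComputer -Identity $env:COMPUTERNAME
    $acl = Get-Acl -Path "AD:\$($dc.DistinguishedName)"
    $allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $acl.Access |
        Where-Object { $_.ObjectType -eq $allowedToAuth -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "Allowed to Authenticate on $($dc.Name): $($_.IdentityReference)" }

    # Who may log on interactively at this DC (SeInteractiveLogonRight).
    # By default only Administrators and the Operators groups appear here.
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | ForEach-Object { $_.Line }
    Remove-Item $cfg
    ```

    Granting a trusted non-admin user "Allow log on locally" on a domain controller is the wrong fix even if the trust were completed: a DC has no local accounts and every interactive session on it runs against the directory itself. The expected pattern is that users log on to member servers and workstations, and the Allowed-to-Authenticate right is granted on those machines, not on DCs.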

  • As your server is now DC for a completely different forest/domain, you are NO longer able to log on with the user redmond\darbin. If this account should be used, either demote the newly installed DC and add it as a member to the redmond domain again, or create a trust between the redmond domain and the forest.corp.com domain.

    How do I demote the newly installed DC and add it as a member to the redmond domain again? I only found "Raise Domain Functional Level".

    To create a trust between the redmond domain and the forest, I followed the steps below (for the detailed steps please check my reply above):

    http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html

    But I still can't log on to my server with redmond\darbin.

    Wednesday, May 02, 2012 10:27 AM

  • As your server is now DC for a completely different forest/domain, you are NO longer able to log on with the user redmond\darbin. If this account should be used, either demote the newly installed DC and add it as a member to the redmond domain again, or create a trust between the redmond domain and the forest.corp.com domain.

    How do I demote the newly installed DC and add it as a member to the redmond domain again? I only found "Raise Domain Functional Level".

    To create a trust between the redmond domain and the forest, I followed the steps below (for the detailed steps please check my reply above):

    http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html

    But I still can't log on to my server with redmond\darbin.

    Hello,

    Demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, May 02, 2012 10:34 AM

  • Demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain.


    I just have a domain account, "redmond\darbin", without admin privileges.
    Wednesday, May 02, 2012 11:02 AM
  • Hello,

    "I just have a domain account with "redmond\darbin". Without admin privilege"

    Then you have to go to your admins.

    And without being admin you can also not configure the DNS requirements and the trust for both sides of the forest trust. So this results in no option to log on to the other forest.

    It seems to me that you are messing around with company stuff without knowing what you are doing, just my 2 cents.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.



    Wednesday, May 02, 2012 11:17 AM

  • Demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain.


    I just have a domain account, "redmond\darbin", without admin privileges.

    Darbin,

    I seriously think you are not understanding the concept here.

    From the above statement, I don't understand how you have only one domain account in the entire domain. When you create a domain, by default an administrator account will be created.

    So,

    • Run dcpromo on the server which you have promoted as a domain controller of the domain forest.corp.com. It will remove the domain from it.
    • Join that server to the redmond.corp.com domain with the administrator account of redmond.corp.com.
    • Once done, try to log in with your redmond\darbin account.

    Let us know the results

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, May 02, 2012 11:19 AM
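    Editor's note, added as an example and not part of the thread: the three steps above as they are typed on Windows Server 2008 R2. Demotion is dcpromo with an unattend file (Windows Server 2012 and later use Uninstall-ADDSDomainController instead); the AdministratorPassword value becomes the password of the local Administrator account that the server gets back once it is no longer a DC. The join uses the ordinary redmond\darbin credentials, which the accepted answer explains is enough while the user is within the machine-account quota, and which also works when the user created the server's existing computer account in redmond and so owns it; otherwise a redmond admin has to perform the join. The error quoted in the first post is what a missing or broken secure channel looks like, so the last lines verify that channel before anyone tries to log on. The password and file path are placeholders.

    ```powershell
    # Added example, not from the thread. Phase 1 runs as forest\administrator on
    # the DC; phase 2 runs after the reboot as the local Administrator.
    # Assumptions: single-DC forest forest.corp.com, target domain redmond.corp.com,
    # placeholder password and unattend file path.

    # --- Phase 1: demote ------------------------------------------------------
    # IsLastDCInDomain=Yes tears down the single-DC forest entirely.
    # RemoveApplicationPartitions=Yes drops the DNS application partitions with it.
    $answer = @'
    [DCInstall]
    IsLastDCInDomain=Yes
    RemoveApplicationPartitions=Yes
    AdministratorPassword=ChangeMe-LocalAdmin!
    RebootOnCompletion=Yes
    '@
    $file = Join-Path $env:TEMP 'demote.txt'
    Set-Content -Path $file -Value $answer
    dcpromo /unattend:$file
    # The server reboots here. The file holds a clear-text password; delete it
    # from the local Administrator session once the machine is back.

    # --- Phase 2: re-join redmond.corp.com ------------------------------------
    # Remove-Item (Join-Path $env:TEMP 'demote.txt')
    $cred = Get-Credential 'redmond\darbin'
    Add-Computer -DomainName 'redmond.corp.com' -Credential $cred
    Restart-Computer

    # --- After the second reboot: prove the machine account works before
    #     logging on as redmond\darbin at the console.
    Test-ComputerSecureChannel -Verbose      # $true when the secure channel is good
    nltest /sc_verify:redmond.corp.com
    ```

    If Add-Computer is refused with an access-denied error, the redmond computer account for this name already exists and belongs to someone else, or the quota is exhausted; at that point only a redmond admin, or a user with delegated "Create Computer objects" on the target OU, can complete the join, which is what the replies above say.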

  • Demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain.


    I just have a domain account, "redmond\darbin", without admin privileges.

    Darbin,

    I seriously think you are not understanding the concept here.

    From the above statement, I don't understand how you have only one domain account in the entire domain. When you create a domain, by default an administrator account will be created.

    So,

    • Run dcpromo on the server which you have promoted as a domain controller of the domain forest.corp.com. It will remove the domain from it.
    • Join that server to the redmond.corp.com domain with the administrator account of redmond.corp.com.
    • Once done, try to log in with your redmond\darbin account.

    Let us know the results


    I have already done those steps above, and it certainly does work.

    And I checked those references you provided. Why don't you check my reply above? I provide a copy of it below:

    I followed the steps above. But I still can't solve my issue. My OS is Windows Server 2008 R2. Open Active Directory Domains and Trusts. In the left panel, right-click forest.corp.com and select Properties. The forest.corp.com Properties dialog opens, and I locate the Trusts tab. Click "New Trust"; the New Trust Wizard dialog appears. Follow the wizard: click the "Next" button, type "redmond.corp.com" in the Trust Name step and click the "Next" button. At the Direction of Trust step I select "Two-way" and click "Next". Select "This domain only" at the Sides of Trust step and click "Next". At the Outgoing Trust Authentication Level step I select "Selective authentication" and click "Next". Type the trust password twice and click "Next". Trust Selections Complete appears and I click "Next" twice. Now I select "Yes, confirm the outgoing trust" at the Confirm Outgoing Trust step and click "Next". At last I click "Finish". All looks fine. But how do I use the redmond\darbin account to log on to my server?

    Clarify "I just have a domain account with "redmond\darbin". Without admin privilege". I assume you have a computer, and now you want to add your computer to one domain (i.e. redmond); to do that obviously you need a domain account like "redmond\darbin". How can you have admin privilege for the redmond domain?


    • Edited by Darbin Wednesday, May 02, 2012 11:32 AM
    Wednesday, May 02, 2012 11:30 AM