Trust relationship - Cannot create trust between two different domains

  • Question

  • Hello,

     

    I have an organization that is built in the following hierarchy:

     

    Existing forest:

    • mydomain.corp (forest name)
      • a.mydomain.corp
      • b.mydomain.corp
      • c.mydomain.corp
    • anotherdomain.corp

     

    Another Forest:

    • anotherdomain.anotherdomain

     

    I want to create a trust relationship between anotherdomain.corp, which is a tree under my existing forest, and anotherdomain.anotherdomain, which is an old domain from which I want to migrate users and computers to the new domain.

    The FQDN is different, but the NetBIOS name is the same, and in the New Trust Wizard I'm entering the FQDN of the old forest.

    When I try to create a trust between anotherdomain.corp and anotherdomain.anotherdomain, I get an error that says:

     

      "Cannot Continue

            The trust relationship cannot be created because the following error occurred

            The operation failed. The error is: This operation cannot be performed on the current domain."

     

    • I can ping between the servers
    • I can telnet on ports 389, 53 and 3268
    • I've already set a secondary DNS on each one of them
    • Both forest and domain functional levels are Windows 2003
    • Nothing appears in the event log
    • DNS services are functioning correctly and running

     

    Any other ideas?

    Best Regards,
    Ploni.

    Wednesday, January 28, 2009 9:45 PM

Answers

  • Hi,

    This error may be caused by the same NetBIOS name on DCs. It’s not possible to create a trust between two DCs with the same NetBIOS name.

    You may have to rename a DC to solve this issue. For your reference:

    Rename a domain controller
    http://technet.microsoft.com/en-us/library/cc782761.aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Tuesday, February 3, 2009 1:08 AM
    Thursday, January 29, 2009 10:57 AM

All replies

  • Hi Mervyn,

    Can you elaborate on what the reason for that is? Did you mean DCs with the same NetBIOS names or domains with the same NetBIOS names?

    Thursday, March 31, 2011 8:57 AM
  • Hi

     

    I have done the same thing. I have different NetBIOS names, i.e. server30 and server10. My server names are contoso.com and treyresearch.net, with domain and forest functional levels of 2008.

    Contoso's DNS has a stub zone and treyresearch has a conditional forwarder. Both ping by FQDN perfectly, no problem. Even on the interfaces I have given the IP as secondary in both domains.

    Like:

        server30.contoso.com       IP 10.0.0.11    Primary DNS 10.0.0.11    Sec. DNS 10.0.0.111
        server10.treyresearch.net  IP 10.0.0.111   Primary DNS 10.0.0.111   Sec. DNS 10.0.0.11
        GW for both: 10.0.0.1

    Getting the same error. But if I use Realm it creates the trust, but that's not relevant.

    Need your best answer please.

    S.S.Ali


    Thursday, August 18, 2011 12:06 AM
  • I had a similar problem and the cause was that I was using cloned servers in a test environment. The problem was not the name but the similar SIDs.

    Use sysprep before preparing the servers. Hope it helps.

    Saturday, January 7, 2012 8:31 PM
  • I had a similar problem and the cause was that I was using cloned servers in a test environment. The problem was not the name but the similar SIDs.

    Use sysprep before preparing the servers. Hope it helps.

    OK so I, remembering that Mark Russinovich told us back in 2008, "There's no need to sysprep anymore", built my DCs in both domains from non-sysprepped images. Apparently, I missed the last paragraph where he said, "Except for Domain Controllers"!!! I have built a second DC on "Domain2", sysprepped it, renamed it, and "DCPromo-ed" it. Then I demoted the first DC in "Domain2", removed it from the domain, sysprepped it, brought it back into the domain, promoted it, then attempted the trust again with the same result.

    So, now that we all know that you should sysprep BEFORE building a Domain Controller in a new domain, what can we do to rectify it for existing DCs and domains?

    Sunday, June 21, 2015 7:08 PM
  • Thanx
    Friday, July 15, 2016 11:50 AM
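
A pre-check for the two causes raised in this thread (identical NetBIOS names, per the marked answer, and identical SIDs from cloned servers, per the January 2012 reply), written as an added example that is not part of any post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that a DC in each domain is reachable through AD Web Services; the function name Test-TrustPrerequisite is hypothetical, and the domain names in the last line are the ones from the question.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and a DC in each domain reachable via AD Web Services.
# Test-TrustPrerequisite is a hypothetical helper name.
Import-Module ActiveDirectory

function Test-TrustPrerequisite {
    param(
        [Parameter(Mandatory = $true)] [string] $LocalDomain,
        [Parameter(Mandatory = $true)] [string] $RemoteDomain,
        [System.Management.Automation.PSCredential] $RemoteCredential
    )

    # Arguments for queries against the other side; credentials are optional.
    $remoteArgs = @{ Server = $RemoteDomain }
    if ($RemoteCredential) { $remoteArgs['Credential'] = $RemoteCredential }

    $local  = Get-ADDomain -Server $LocalDomain
    $remote = Get-ADDomain @remoteArgs

    # Short host names of every DC on each side, to cover the "same DC name" reading.
    $localDCs  = @(Get-ADDomainController -Filter * -Server $LocalDomain | ForEach-Object { $_.Name })
    $remoteDCs = @(Get-ADDomainController -Filter * @remoteArgs | ForEach-Object { $_.Name })
    $sharedDCNames = @($localDCs | Where-Object { $remoteDCs -contains $_ })

    $problems = @()
    # String comparison with -eq is case-insensitive, which matches NetBIOS semantics.
    if ($local.NetBIOSName -eq $remote.NetBIOSName) {
        $problems += "Both domains use NetBIOS name '$($local.NetBIOSName)'"
    }
    # A domain created on a cloned, non-sysprepped image can carry the same domain SID.
    if ($local.DomainSID.Value -eq $remote.DomainSID.Value) {
        $problems += "Both domains have SID $($local.DomainSID.Value)"
    }
    if ($sharedDCNames.Count -gt 0) {
        $problems += "DC host names present on both sides: $($sharedDCNames -join ', ')"
    }

    [pscustomobject]@{
        LocalNetBIOS  = $local.NetBIOSName
        RemoteNetBIOS = $remote.NetBIOSName
        LocalSID      = $local.DomainSID.Value
        RemoteSID     = $remote.DomainSID.Value
        Problems      = $problems
        ReadyForTrust = ($problems.Count -eq 0)
    }
}

# Domain names taken from the question.
Test-TrustPrerequisite -LocalDomain 'anotherdomain.corp' -RemoteDomain 'anotherdomain.anotherdomain' | Format-List
```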