Removing Active Directory Domains and Trusts

  • Question

  • Hi,

    We have a 2-way transitive forest trust set up with an internal legacy domain that we want to remove. I have checked, double checked and triple checked that no services are still using it, but are there any tools or applications to determine exactly what is using a domain/forest trust?

    I don't want to turn it off on a Saturday morning and find the one critical service that I have forgotten about is still reliant on the trust.....

    Thanks
    Eddie

    Wednesday, March 20, 2013 9:22 PM

Answers

  • No, there is really no good tool, other than making sure you have got rid of any eventual SIDHistory from that domain.

    1. If the following command gives any result, determine if the SIDs listed belong to this domain you're about to remove the trust to/from:
      dsquery * -filter sidHistory=* -attr name sIDHistory
    2. You can always re-create the trust, unless you don't decommission the legacy domain.
     

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by bshwjt Thursday, March 21, 2013 5:58 AM
    • Marked as answer by Awinish Thursday, March 21, 2013 8:52 AM
    Wednesday, March 20, 2013 9:39 PM
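
The check in step 1 of the answer above, as an added PowerShell example (not part of the original answer): it takes objects carrying `sIDHistory` and reports which values have the legacy domain's SID as their domain part. `Find-LegacySidHistory`, the SIDs, the account names and `legacy.example` are hypothetical, constructed for illustration.

```powershell
# Added example. All SIDs and account names below are constructed sample data.
function Find-LegacySidHistory {
    [CmdletBinding()]
    param(
        # Any object exposing Name and sIDHistory (e.g. Get-ADObject output).
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        # Domain SID of the domain on the other side of the trust.
        [Parameter(Mandatory)] [string] $LegacyDomainSid
    )
    begin {
        $legacy = [System.Security.Principal.SecurityIdentifier]::new($LegacyDomainSid)
    }
    process {
        foreach ($value in $InputObject.sIDHistory) {
            $sid = [System.Security.Principal.SecurityIdentifier]::new([string]$value)
            # AccountDomainSid is the SID minus its RID; $null for non-domain SIDs.
            $domainSid = $sid.AccountDomainSid
            [pscustomobject]@{
                Name       = $InputObject.Name
                SidHistory = $sid.Value
                DomainSid  = $(if ($domainSid) { $domainSid.Value } else { $null })
                FromLegacy = ($null -ne $domainSid -and $domainSid.Equals($legacy))
            }
        }
    }
}

# Constructed input standing in for directory query results.
$legacySid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'svc-backup'
                       sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1604') },
    [pscustomobject]@{ Name = 'jdoe'
                       sIDHistory = @('S-1-5-21-4000000001-1234567890-987654321-2210') }
)
$sample | Find-LegacySidHistory -LegacyDomainSid $legacySid | Format-Table -AutoSize

# Against a live directory (ActiveDirectory module; 'legacy.example' is a placeholder),
# run while the trust still exists so the legacy domain can be queried:
# Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
#     Find-LegacySidHistory -LegacyDomainSid (Get-ADDomain -Server legacy.example).DomainSID.Value
```

Rows with `FromLegacy` set to `True` are the accounts whose access may still depend on SIDs from the domain being removed.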

All replies

  • Thanks for the quick reply.

    I have run that command on both sides of the trust and neither returned any results. I will delete the trust but not decommission the old forest for a few weeks to ensure nothing breaks.

    Thanks again.

    Wednesday, March 20, 2013 9:43 PM