The trust relationship between the primary domain and the trusted domain failed

  • Question

  • Hi!

    We have had customers complaining that they have now started to see "The trust relationship between the primary domain and the trusted domain failed" when trying to query the AD from inside EPI server. (The server in question is in the main AD.)

    A long time ago we removed an old DC, and we hadn't added any additional domains until recently; everything seemed OK until now.

    The old DC is still online but not used. Its location in the AD is now under Computers and not under Domain Controllers.

    I've looked, and it seems that the old DC was removed with dcpromo as it should have been, but inside ADSI Edit I find the old DC, and it has retained the following attributes.

    CN=NTFRS Subscription and under that one CN=Domain System Volume (SYSVOL share)

    Should there really be anything like this under a demoted domain controller?

    Can I remove this without any issues?

    Additional information: normal Windows AD connections seem to work fine; netdom query and verify all look like they should, with no hints of the old DC.

    The problem seems to arise when using another program like EPI server or possibly 3rd party software.

    Best regards



    Tuesday, March 14, 2017 5:40 PM

All replies

  • Hi,

    >>We had a long time ago removed an old DC and haven't added any additional domains until recently and everything seems ok until now.

    After demoting the DC, please use ntdsutil.exe to clean up the metadata in case unexpected issues occur.

    For how to use this tool and clean up dirty data, please refer to the link below:

    https://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    >>"The trust relationship between the primary domain and the trusted domain failed"

    Please open the cmd console on your DC, type domain then press Enter, open the "AD Domains and Trusts" console, right-click your domain name, select Properties, Trusts -> verify that your old DC is not there, then click Properties for the other trusts and click the Validate button.

    >>Can I remove this without any issues?

    Ntdsutil will automatically help you with them; if not, please clean it up manually.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Hello_2018 Monday, April 10, 2017 7:08 AM
    Wednesday, March 15, 2017 6:43 AM
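
Before running the metadata cleanup discussed above, a read-only inventory shows which directory objects still reference the demoted DC. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module is installed, and `OLDDC01` is a placeholder for the old DC's host name.

```powershell
# Added example (not from the thread): read-only inventory of objects that still
# reference a demoted domain controller. It changes nothing in the directory.
Import-Module ActiveDirectory

$OldDcName = 'OLDDC01'   # placeholder: short host name of the demoted DC
$domainDN  = (Get-ADDomain).DistinguishedName
$configNC  = (Get-ADRootDSE).configurationNamingContext

# 1. Is the name still returned as a domain controller?
$listed = (Get-ADDomainController -Filter *).Name -contains $OldDcName
"Still listed as a DC: $listed"

# 2. Computer account: where it lives, and whether userAccountControl still
#    carries SERVER_TRUST_ACCOUNT (0x2000), the flag used for DC accounts.
$computer = Get-ADComputer -LDAPFilter "(cn=$OldDcName)" -Properties userAccountControl
if ($computer) {
    "Computer object: $($computer.DistinguishedName)"
    "SERVER_TRUST_ACCOUNT set: $(($computer.userAccountControl -band 0x2000) -ne 0)"

    # Child objects under the computer account, such as CN=NTFRS Subscriptions
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName } |
        Select-Object ObjectClass, DistinguishedName
}

# 3. FRS objects anywhere in the domain partition that name the old DC
#    (SYSVOL replica set members and subscriber objects).
$frsFilter = '(|(objectClass=nTFRSMember)(objectClass=nTFRSSubscriber)(objectClass=nTFRSSubscriptions))'
Get-ADObject -SearchBase $domainDN -LDAPFilter $frsFilter |
    Where-Object { $_.DistinguishedName -match [regex]::Escape("CN=$OldDcName,") } |
    Select-Object ObjectClass, DistinguishedName

# 4. Server object (and NTDS Settings beneath it) left under Sites
#    in the configuration partition.
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" |
    ForEach-Object {
        Get-ADObject -SearchBase $_.DistinguishedName -SearchScope Subtree -Filter * |
            Select-Object ObjectClass, DistinguishedName
    }

# 5. Trusts defined on the domain, to compare with what the
#    Domains and Trusts console shows before validating each one.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
```

Saving the output gives a record of what existed before any cleanup, which can be compared against the same run afterwards.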