How Do I Remove Broken or Stale Trust Relationships between Two Domains?

  • Question

  • Hello All,

    I came new into an existing AD environment. I wish to know the procedure by which I can remove all broken or stale Active Directory Trust Relationship between two domains.

    I am getting errors in SCOM (AD Monitor Trust) on some DCs stating: The trusts between this domain(my domain) and the following domains(s) are in an error state: external-domain(inbound), the error is: The specified domain either does not exist or could not be contacted. (0x54B)

    I don't want to set overrides but I just want to spot all these broken trusts and flush them from AD.

    Thanks.

    
    
    • Changed type Cicely Feng Friday, November 9, 2012 4:51 AM
    Thursday, November 8, 2012 5:29 PM

Answers

  • Hello All,

    I came new into an existing AD environment. I wish to know the procedure by which I can remove all broken or stale Active Directory Trust Relationship between two domains.

    I am getting errors in SCOM (AD Monitor Trust) on some DCs stating: The trusts between this domain(my domain) and the following domains(s) are in an error state: external-domain(inbound), the error is: The specified domain either does not exist or could not be contacted. (0x54B)

    I don't want to set overrides but I just want to spot all these broken trusts and flush them from AD.

    Thanks.

    You can also remove trust using adsiedit.msc tool. If you are comfortable, you can use netdom tool.

    Open adsiedit.msc > Expand the Domain NC container > Expand DC=<var>Your Domain</var>, DC=COM > Expand CN=System

    Right-click the Trust Domain object, and then click Delete.

    netdom trust domain.com /Domain:domain.com /Oneside:trusted /remove /force

    http://social.technet.microsoft.com/Forums/pl-PL/winserverDS/thread/3eccd491-3152-4f38-8295-608cad139f3f


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Cicely Feng Monday, November 19, 2012 9:10 AM
    Friday, November 9, 2012 9:25 AM
  • Hi,

    See this:
    Managing Trusts
    http://technet.microsoft.com/en-us/library/bb727050.aspx


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Proposed as answer by Cicely Feng Friday, November 9, 2012 4:55 AM
    • Marked as answer by Cicely Feng Monday, November 19, 2012 9:10 AM
    Thursday, November 8, 2012 5:49 PM
    • Proposed as answer by Cicely Feng Friday, November 9, 2012 4:55 AM
    • Marked as answer by Cicely Feng Monday, November 19, 2012 9:10 AM
    Thursday, November 8, 2012 5:51 PM
  • Hi,

    Netdom trust command could be used to verify and remove trust relationship between domains:
    http://technet.microsoft.com/en-us/library/cc835085(v=ws.10).aspx

    Regards,
    Cicely

    • Marked as answer by Cicely Feng Monday, November 19, 2012 9:10 AM
    Friday, November 9, 2012 4:56 AM
  • Remove the trust from AD domain & trust console, delete the trust. You can also remove trust information from the ADSIEDIT.MSC tool as below.

    If the stale trustDomain object is still present in AD, you can manually remove the TDO this way - use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
    Click Start, click Run, type adsiedit.msc, and then click OK
    Expand the Domain NC container.
    Expand DC=<var>Your Domain</var>, DC=COM
    Expand CN=System.
    Right-click the Trust Domain object, and then click Delete.
    Let me know if this resolves your issue!

    You can also use netdom command to remove the same. 
    http://technet.microsoft.com/en-us/library/cc776286(v=ws.10).aspx

    Refer to the link below for manual removal of the no longer existing trust.
    http://support.microsoft.com/kb/235416

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Cicely Feng Monday, November 19, 2012 9:10 AM
    Friday, November 9, 2012 5:43 AM
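Before deleting anything by either of the routes above, it helps to inventory the trustedDomain objects under CN=System (the same objects the ADSIEdit steps remove) and check whether each partner domain can still be located, so only the genuinely dead trusts are flagged. This is an added PowerShell example, not code from the thread; it assumes the ActiveDirectory module (RSAT), Resolve-DnsName (Server 2012 or later) and nltest.exe are available and that it runs with domain admin rights.

```powershell
# Added example: audit trustedDomain objects and report which partners cannot be located.
# Assumes the ActiveDirectory module, Resolve-DnsName and nltest.exe (not part of the thread).
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$systemContainer = "CN=System,$($domain.DistinguishedName)"

# Attribute value meanings from the AD schema for trustDirection / trustType
$directionNames = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$typeNames      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }

$tdos = Get-ADObject -SearchBase $systemContainer -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, flatName, trustDirection, trustType, whenChanged

$report = foreach ($tdo in $tdos) {
    $partner = $tdo.trustPartner

    # Check 1: does DNS still publish DC SRV records for the partner domain?
    $dnsOk = $false
    try {
        $null  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partner" -Type SRV -ErrorAction Stop
        $dnsOk = $true
    } catch { }

    # Check 2: can the DC locator actually reach a DC there? Exit code 0 means success;
    # "specified domain either does not exist or could not be contacted" (0x54B) is non-zero.
    $null      = & nltest.exe /dsgetdc:$partner 2>&1
    $locatorOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Partner     = $partner
        NetBIOS     = $tdo.flatName
        Direction   = $directionNames[[int]$tdo.trustDirection]
        Type        = $typeNames[[int]$tdo.trustType]
        LastChanged = $tdo.whenChanged
        DnsSrv      = $dnsOk
        DcLocator   = $locatorOk
        Stale       = (-not $dnsOk -and -not $locatorOk)
        DN          = $tdo.DistinguishedName
    }
}

$report | Format-Table Partner, NetBIOS, Direction, Type, DnsSrv, DcLocator, Stale -AutoSize

# Removal is a separate, explicit step with -Confirm so nothing is deleted by accident.
# Uncomment only after the Stale rows have been reviewed; it is the same delete ADSIEdit performs.
# $report | Where-Object Stale | ForEach-Object { Remove-ADObject -Identity $_.DN -Confirm }
```

Inbound and bidirectional trusts also leave an interdomain trust account named after the partner's NetBIOS name with a trailing $ in CN=Users; check for that account as well when cleaning up a dead trust.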

All replies

  • I am going to start all these processes .. Thanks guys.

    I would revert to let you know how it goes.

    Thanks once again.

    Monday, November 12, 2012 12:36 PM
  • Hi Folks,

    I have a similar issue where I joined a company where the previous sysad had shut down and removed the old domain, then used AD Domain and Trusts to remove the trust from the remaining domain.

    However, SCOM is reporting the same problem as this poster.

    In AD Domains and Trusts there are no domains showing. If I run "netdom query trust" I can see the old domain still listed as a Direct Trusted Type.

    All attempts to remove this have failed. I keep seeing "the specified domain either does not exist or could not be contacted"

    I have attempted pretty much every variance of "netdom trust"

    I also keep seeing "The system cannot find the file specified" when I try to run this.

    ADSIEdit does not show this trust.

    Has anyone come across this problem before?

    Thanks,

    Chris.

    Tuesday, July 2, 2013 5:27 AM
  • Please open a new thread as this one has been marked as answered and activity on it will be low.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, July 2, 2013 11:58 AM