Resetting the trust passwords between Parent-child domain

    Question

  • Hello.


    I have this problem in the Event Viewer of my child domain controller:

    The interdomain trust account for the domain parent.domain could not be created.  The return code is the data.
     
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    and when the client computers try to browse the domain in My Network Places, a pop-up window shows an "access denied" error.

    I have tried this command:

    C:\Program Files\Support Tools>Netdom trust child.domain.com /Domain:parent.domain /UserD:administrator /PasswordD:xxxxxxxx /UserO:administrator /PasswordO:xxxxxx /reset

    Resetting the trust passwords between child.domain.com and parent.domain

    The specified user already exists.

    The command failed to complete successfully.


    I cannot remove the parent-child relationship.


    I was looking on Microsoft.com and TechNet but cannot find a fix for this problem.

    Any ideas?

    Thanks for your help.



    Saturday, August 30, 2008 1:04 AM

Answers

  •  

    Hi,

     

    Based on the error message, I suspect that the objects have not been deleted cleanly or there is another object named with the NetBIOS name of the domains. Please delete the trusted objects again in both domains and check the result. For your reference, I would like to list the steps in more detail in the following:

     

    To check whether there is another object named with the NetBIOS name of the domains, type the following commands on a GC in the parent domain:

    · Ldifde -f parent.txt -t 3268 -d "" -r "(name=ParentDomainName*)" -p subtree

    · Ldifde -f child.txt -t 3268 -d "" -r "(name=ChildDomainName*)" -p subtree

    Note: Please replace ParentDomainName with the real NetBIOS name of the parent domain and ChildDomainName with the real NetBIOS name of the child domain.

     

    After that, please open the parent.txt and child.txt file and let me know the result.

     

    If there are no duplicate objects, perform the following steps to delete the trusted domain objects:

     

    1. Run ADSIEdit in the parent domain.

    2. Go to the System container.

    3. You should see a TrustedDomain object called CN=<ChildDomainName> -> Delete this object.

    4. Go to the Users container.

    5. You should see a User object called CN=<ChildDomainName$> -> Delete this object.

    6. Force replication throughout the parent domain so all DCs in the parent recognize this change.

    7. Perform the steps 1-6 in the child domain as well (TrustedDomain & User object will show CN=<ParentDomainName> & CN=<ParentDomainName$>)

    8. Once replicated, reboot the PDC in both domains.

    9. In the parent domain, open Active Directory Domains and Trusts, create a new trust with the child domain (create on both sides).

     

    In addition, please check the following:

     

    1.    Verify that DNS works fine in both domains.

    2.    On the PDC in the parent domain, type the command nltest /dsgetdc:ChildDomain /force
    On the PDC in the child domain, type the command nltest /dsgetdc:ParentDomain /force
    and check the result.

    Verify that the firewall is configured properly:

    179442 How to configure a firewall for domains and trusts

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;179442


    Wednesday, September 03, 2008 10:09 AM
    Moderator

All replies

  •  

    Hi,

     

    Please open ADSIEDIT and check the following objects in both parent and child domains:

     

    1.    trustedDomain object, CN=trusteddomainname.domain.com, Class: trustedDomain, location: CN=SYSTEM,DC=domain,DC=com

    2.    trust account object, CN=trusteddomainname$, Class: User, location: CN=Users,DC=domain,DC=com

     

    Check the CN and the sAMAccountName attribute of the trust account objects; both must have the same value. If one of them differs, delete the object and then perform a "netdom trust /reset" and check the result.

     

    If the issue persists, or the attributes are the same, perform the following steps:

     

    1.    Delete both the trustedDomain and trust account objects in each domain. In the parent, delete the entries for the child; in the child, delete the entries for the parent.

    2.    Force replication in both domains and make sure that those objects have been deleted in both domains.

    3.    In the parent domain, recreate the two-way transitive trust by using Active Directory Domains and Trusts.

    Monday, September 01, 2008 12:09 PM
    Moderator
  •  

    Thanks for your answer.

    I just deleted the trustedDomain and account objects in each domain with ADSIedit, but when I try to create the two-way transitive trust in ADDT, I get the error "The trust relationship cannot be created because the following error occurred:"

    The operation failed the error is: Access denied.
    This error is from the parent; when I try from the child domain,

    I got this:

    The user already exist.

    I have tried to find any other reference to the account objects in ADSIedit, but I do not find anything else.

    Any idea?

    Thanks a lot for your help.

    Monday, September 01, 2008 5:07 PM
  •  

    Hello again.

    After erasing the trust relationship with ADSIedit and getting the errors above,

    I checked this tool and got this result:

    C:\Program Files\Support Tools>NLTEST /server:myserver /trusted_domains /v
    List of domain trusts:
        0: child-domain2 child-domain2.forest-domain.local (NT 5) (Forest: 1) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )
           Dom Guid: cdad8793-ce41-42aa-8d76-93b1982cd314
           Dom Sid: S-1-5-21-427041594-1445064485-258800173
        1: forest-domain.local (NT 5) (Forest Tree Root)        -----------------------------> this is the trust relationship that I removed with ADSIedit.
           Dom Guid: bbd292d6-71b3-4483-884b-8afc2df70fd5
           Dom Sid: S-1-5-21-2667612140-1804968164-540123761
        2: child-domain1 child-domain1.forest-domain.local  (NT 5) (Forest: 1) (Primary Domain) (Native)
           Dom Guid: 94ab9b10-1a8e-41d2-af20-0730a9f65d5d
           Dom Sid: S-1-5-21-1697841174-1665552675-1238779560
    The command completed successfully

    The relationship with the problem is still there.

    Do you know how to remove it, or what tools I can use to?

    Thanks a lot.

    Regards.

    Tuesday, September 02, 2008 12:22 AM
  •  

    Hi,

     

    How many DCs are there in the domains? What operating system is being used on the DCs?

     

    Have you forced replication in both domains after the objects are deleted?

     

    Additionally, search for the NetBIOS name of the child domain in the parent domain and the NetBIOS name of the parent domain in the child domain, and ensure that there is no other account with this name.

     

    The trust relationship still exists in the output of command because the cache is not cleared. Please reboot the PDCs in both domains and then create the trust again in Active Directory Domains and Trusts.

     

    If the issue persists, please send me the whole error message for further research.

    Tuesday, September 02, 2008 3:49 AM
    Moderator
  • Thanks for your help, Joson.

    I have 4 DCs in the parent domain in 2 different sites, 2 DCs for the child domain with the problem, and 2 DCs for the other child domain without the problem.

    I have only Windows 2003 SP2 on all servers. After removing the trust objects in ADSIedit, I restarted all the DCs in the parent and the child domain with the problem.

    I created the trust relationship from the parent, but the wizard shows these errors:

    The verification of the incoming trust failed with the following error(s):
    The trust password verification failed with error 1355: The specified domain either does not exist or could not be contacted.
    A secure channel reset will be attempted.
    The secure channel reset failed with error 1355: The specified domain either does not exist or could not be contacted.
     
    The verification of the outgoing trust failed with the following error(s):
    The trust password verification failed with error 1787: The security database on the server does not have a computer account for this workstation trust relationship.
    A secure channel reset will be attempted.
    The secure channel reset failed with error 1787: The security database on the server does not have a computer account for this workstation trust relationship.

    But the two-way trust was created, and when I try to validate it, it shows the same message as above and asks to reset the trust password; when I try to reset the password I get "The parameter is incorrect", and it does not work.

    When I try to create the relationship from the child domain I get the error "The user already exist".

    I have done some research on Microsoft but still no luck.

    Any help will be appreciated.

    Thanks a lot.




    Tuesday, September 02, 2008 5:16 AM
  • Hello.

    Thank you for your help.

    I have run ldifde on the child1 domain and got these entries in the file:

    Ldifde -f child.txt -t 3268 -d "" -r "(name=child1*)" -p subtree

    dn: CN=CHILD1$,CN=Users,DC=child2,DC=parent,DC=com
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: CHILD1$
    distinguishedName: CN=CHILD1$,CN=Users,DC=child2,DC=parent,DC=com
    instanceType: 0
    whenCreated: 20080901192718.0Z
    whenChanged: 20080901233905.0Z
    uSNCreated: 16685295
    uSNChanged: 16685295
    name: CHILD1$
    objectGUID:: QRJUvBiiuUqHMqGsAJl8xw==
    userAccountControl: 2080
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAOiN0GSXvIVYt+mwPuRAAAA==
    sAMAccountName: CHILD1$
    sAMAccountType: 805306370
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=parent,DC=com

    When I run this command, Ldifde -f child.txt -t 3268 -d "" -r "(name=planta1*)" -p subtree,
    and Ldifde -f parent.txt -t 3268 -d "" -r "(name=parent*)" -p subtree
    on the parent domain controller, I get no entries found.

    I have 2 child domains; between child1 (the problem domain) and child2 there is a shortcut trust relationship. I think this duplicate object is because of this shortcut relationship: the user name already exists with this relationship.

    Any idea?

    Is it safe to remove the shortcut relationship and recreate it?

    Or how can I recreate the parent-child1 relationship?

    Thanks a lot for your help, and sorry to take so long to reply; I was fixing another issue.

    Thanks.
    Tuesday, September 09, 2008 1:10 AM
  • Hi,

     

    Based on the DN of that Child1$ object, it is an object in the domain child2. Therefore, it is normal.

     

    In this case, there should be no duplicate object. You can re-create the shortcut trust relationship between the parent and child1 domains now by using the steps in my previous post. When the shortcut trust is being created, the system will automatically verify whether they are in a parent-child relationship.

     

    However, it is strange that no entries were found when you typed the command Ldifde -f parent.txt -t 3268 -d "" -r "(name=parent*)" -p subtree; at least it should find the partition entry. Did you type both commands in the parent domain (on a GC of the parent domain would be better)?

     

    Thanks.

    Thursday, September 11, 2008 1:34 AM
    Moderator
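    A worked version of the two checks the moderator asks for above (the ldifde name search and the cn/sAMAccountName comparison), as an added example that is not part of the thread and not a Microsoft tool. It parses the ldifde output into entries, decodes objectSid into the usual S-1-5-21 form so that the domain part can be matched against the "Dom Sid" lines of the nltest /trusted_domains output posted earlier, decodes userAccountControl (2080 is INTERDOMAIN_TRUST_ACCOUNT plus PASSWD_NOTREQD; the bit values are the well-known Windows constants), and reports a trust account whose cn and sAMAccountName differ, or any non-trust object that occupies the <NetBIOS>$ name in a partition. The first entry of the embedded sample is the CHILD1$ object posted above; the other two entries and their SIDs are constructed to exercise the checks.

```python
# Added example (not from the thread): audit ldifde exports for trust-account problems.
import base64
import struct
from collections import defaultdict

# Well-known userAccountControl bits.
UAC_FLAGS = {0x0020: "PASSWD_NOTREQD", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
             0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT"}

# Constructed stand-in for child.txt from a parent-domain GC. The first entry
# is the CHILD1$ object posted in the thread; the other two are made up (with
# constructed SIDs): a stale trust account whose sAMAccountName no longer
# matches its cn, and a computer named like the child domain, which occupies
# the CHILD1$ name that the parent's own trust account would need.
SAMPLE_CHILD_TXT = """\
dn: CN=CHILD1$,CN=Users,DC=child2,DC=parent,DC=com
cn: CHILD1$
userAccountControl: 2080
objectSid:: AQUAAAAAAAUVAAAAOiN0GSXvIVYt+mwPuRAAAA==
sAMAccountName: CHILD1$

dn: CN=CHILD1$,CN=Users,DC=parent,DC=com
cn: CHILD1$
userAccountControl: 2080
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6AMAAA==
sAMAccountName: CHILD1OLD$

dn: CN=CHILD1,CN=Computers,DC=parent,DC=com
cn: CHILD1
userAccountControl: 4096
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6QMAAA==
sAMAccountName: CHILD1$
"""

def parse_ldif(text):
    """One dict per entry (attribute -> list of values). 'attr:: ...' values
    are base64 and come back as bytes; folded lines (leading space) are
    joined to the line before them."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            entries.append(_entry(lines))
            lines = []
    return entries

def _entry(lines):
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            entry[attr].append(base64.b64decode(value[1:].strip()))
        else:
            entry[attr].append(value.strip())
    return dict(entry)

def decode_sid(blob):
    """Binary objectSid -> 'S-1-5-21-...' string."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def uac_flags(value):
    return sorted(n for bit, n in UAC_FLAGS.items() if int(value) & bit)

def partition_of(dn):
    # Naming context a DN lives in: its DC= components.
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))

def audit(entries, netbios_name):
    """Check an export for one domain's NetBIOS name. Returns (accounts,
    findings): accounts maps dn -> details, findings lists objects that must
    go before 'netdom trust /reset' or the trust wizard can succeed."""
    wanted = netbios_name.upper() + "$"
    accounts, findings, holders = {}, [], defaultdict(list)
    for e in entries:
        dn, cn = e["dn"][0], e.get("cn", [""])[0]
        sam = e.get("sAMAccountName", [""])[0]
        flags = uac_flags(e.get("userAccountControl", ["0"])[0])
        sid = decode_sid(e["objectSid"][0]) if "objectSid" in e else None
        is_trust = "INTERDOMAIN_TRUST_ACCOUNT" in flags
        accounts[dn] = {"cn": cn, "sAMAccountName": sam, "flags": flags, "sid": sid,
                        # SID minus its RID is the domain SID; compare it with
                        # the 'Dom Sid' lines of nltest /trusted_domains.
                        "domain_sid": sid.rsplit("-", 1)[0] if sid else None}
        if is_trust and cn.upper() != sam.upper():
            findings.append("cn/sAMAccountName mismatch: %s (cn=%s, sAMAccountName=%s)"
                            % (dn, cn, sam))
        if sam.upper() == wanted:
            holders[partition_of(dn)].append((dn, is_trust))
    for partition, objs in holders.items():
        findings += ["%s is held by non-trust object %s" % (wanted, dn)
                     for dn, is_trust in objs if not is_trust]
        if len(objs) > 1:
            findings.append("%d objects named %s in %s" % (len(objs), wanted, partition))
    return accounts, findings
```

    Run it on the real export with `audit(parse_ldif(open("child.txt", encoding=...).read()), "CHILD1")`, opening the file with whatever encoding ldifde wrote. On the sample, the posted CHILD1$ object decodes to the domain SID S-1-5-21-427041594-1445064485-258800173, which is the Dom Sid that nltest listed for child-domain2 earlier in the thread, so that object belongs to the shortcut trust and is expected, as the moderator says; the constructed stale account is flagged for the cn/sAMAccountName mismatch, and the constructed computer object is flagged because a non-trust object holds the CHILD1$ name in the parent partition, which is exactly the condition behind "The specified user already exists".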
  • Hello.

    Thanks for your help.

    And sorry for the delay; I ran the two commands on the DC and GC of the parent domain and got no entries.

    I tried a few times to recreate the trust relationship but still no luck.

    Any more ideas?

    Thanks for your help.


    Wednesday, September 24, 2008 4:53 AM
  • Dear Joson,

    Nice article. How do I interpret parent.txt and child.txt, and what should I do if duplicate objects are found?

    Recently our child domain failed, and Microsoft premium support seized the roles on one of the DCs and demoted and promoted the remaining three DCs back to join the domain. Since then we have been receiving event ID 5722 (Source NETLOGON). We are also not able to validate the trust between the child domain and the parent domain (from AD Sites and Services).

    Can you please guide me on how to escalate the issue, and what are the consequences if I try to delete the trust account and trusted domain objects and then am not able to create the trust again for any reason? (All of the user and computer accounts reside in the child domain; the root domain only has enterprise administration accounts.)

    Your guidance is needed quickly.

    Thanks


    Junaid Ahmed
    Monday, August 08, 2011 9:53 AM