Friday, March 21, 2008

what to do: parent/child domain trust is lost, TDO object is corrupted

Here is a nice tip.

We had a lot of issues where customer is losing the parent/child trust, this is caused by a lot of reasons, either a corrupted TDO object, faulty AD or an admin who is playing with the wrong tools, so here is 2 things to do:

-          Search the TDO about similar accounts with the same name that may cause the trust to be lost and remove them:

o   Use the ldifde -r (saMAccountName=domainname*)

o   Check the ldifde dump for the accounts that has the same SAMACCOUNTNAME of the domain and might be conflicting with the TDO object “don’t ask what causes that”

-          Now delete the trust from the parent domain and from the child domain. You might need to delete the TDO object, those are here:


-          Make sure that changes has been replicated.

-          For the parent domain do the folloing command : netdom trust / UserD:parent_admin /PasswordD:*
/UserO:child_admin /PasswordO:* /add

-          Make sure that changes has been replicated.

-          Not sure from the restart requirement, in my case I had to reboot the PDC

1 comment:

Dr.Kernel said...

man, that's awesome !

and Yes you have to restart, that AFAIk it will be a shortcut trust first, then after the restart it will be again the transitive-unbreakable parent-child trust

please keep the good work up dude