Don't bother looking in here unless you really know your stuff

beatinitup

Senior member
Sep 22, 2000
503
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5513
Date: 4/2/2002
Time: 9:12:21 AM
User: N/A
Computer: SERVER
Description:
The computer CN-ICS7 tried to connect to the server \\SERVER using the trust relationship established by the ICSNET domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

---------


As you can see, the SIDs on the client machines have been changed. The only method of assigning a new SID, as far as I know, is to remove the workstation from the domain and then join the domain again. The problem is that all the user profiles will be recreated, and importing them or copying them over will not work right.

This is an all-W2K network running W2K Server. This is urgent; any help would be greatly appreciated. Here are a few things I attempted to do other than removing and re-adding the user from the domain.

NETDOM TRUST "local_domain" /Domain:"remote_domain" /UserD:administrator
/PasswordD:* /UserO:administrator /PasswordO:* /Reset /TwoWay

Obviously it didn't work because there isn't another domain controller; I just thought there may have been a $#@& up in Active Directory.

No luck... any other suggestions?
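An added example (not from the thread or any poster) for the defender side of this: inventory the workstations that logged NETLOGON event 5513 and check each against the computer accounts that still exist in AD, since only an existing account can be reset in place. The event messages and the account list below are constructed sample data; the `Get-ADComputer` and `Get-WinEvent` calls in the comments are the live replacements.

```powershell
# Added example, not from the thread: list workstations that logged NETLOGON
# event 5513 and check each against the computer accounts still present in AD.
# An existing account can be reset in place (ADUC "Reset Account" or "netdom
# reset"), which keeps the machine's local SID and user profiles; a missing
# account is why an in-place reset fails and the machine has to be rejoined.

# Constructed sample messages, in the format of the 5513 event quoted above.
$SampleDescriptions = @(
    'The computer CN-ICS7 tried to connect to the server \\SERVER using the trust relationship established by the ICSNET domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.',
    'The computer CN-ICS10 tried to connect to the server \\SERVER using the trust relationship established by the ICSNET domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.',
    'The computer CN-ICS7 tried to connect to the server \\SERVER using the trust relationship established by the ICSNET domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.'
)

# Constructed stand-in for the Computers container (the thread says only 4 of 25
# machines were listed). On the DC use: (Get-ADComputer -Filter *).Name
$KnownComputerAccounts = @('SERVER', 'CN-ICS1', 'CN-ICS2', 'CN-ICS3', 'CN-ICS7')

function Get-BrokenTrustComputers {
    param(
        [Parameter(Mandatory)] [string[]] $EventDescriptions,
        [Parameter(Mandatory)] [string[]] $ComputerAccounts
    )
    # Pull the workstation name and the DC it tried to reach out of the event text.
    $pattern = '^The computer (?<name>\S+) tried to connect to the server \\\\(?<dc>\S+) '
    $seen = @{}
    foreach ($text in $EventDescriptions) {
        if (-not ($text -match $pattern)) { continue }   # not a 5513-style message
        $name = $Matches['name'].ToUpper()
        if ($seen.ContainsKey($name)) { $seen[$name].Events++; continue }
        $inAd = $ComputerAccounts -contains $name        # -contains is case-insensitive
        if ($inAd) { $action = 'Reset the computer account in place (ADUC Reset Account / netdom reset)' }
        else       { $action = 'No account in AD: rejoin the domain, migrate local profiles first' }
        $seen[$name] = [pscustomobject]@{
            Computer    = $name
            TargetDC    = $Matches['dc']
            Events      = 1
            AccountInAD = $inAd
            Action      = $action
        }
    }
    $seen.Values | Sort-Object Computer
}

# Live variant on the DC: feed the real messages from the System log instead.
#   $msgs = (Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='NETLOGON'; Id=5513}).Message
Get-BrokenTrustComputers -EventDescriptions $SampleDescriptions -ComputerAccounts $KnownComputerAccounts |
    Format-Table -AutoSize
```

With the sample data this reports CN-ICS7 (2 events, account present) and CN-ICS10 (1 event, no account), which is the split the thread runs into: the machines missing from the Computers container are the ones where an in-place reset cannot work.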
 

stash

Diamond Member
Jun 22, 2000
5,468
I'm not sure what you mean when you say the profiles will be recreated if you remove then re-add the workstation to the domain. Profiles will either be stored locally or on a server for roaming profiles. Removing the machine then re-adding it should have no effect on profiles.

Anyway, you have three choices:
1. Remove the workstation from the domain, reboot, then rejoin the domain.
2. In the Computers container in the Active Directory Users MMC, right click the workstation in question, and click Reset Account. Reboot the workstation.
3. Use NETDOM to reset the computer's account.
 

beatinitup

Senior member
Sep 22, 2000
503
"I'm not sure what you mean when you say the profiles will be recreated if you remove then re-add the workstation to the domain. Profiles will either be stored locally or on a server for roaming profiles. Removing the machine then re-adding it should have no effect on profiles."

Sorry for not going in depth; I'm just in a big hurry to resolve this. What I meant is that if I were to remove the computer (workstation) from the domain and place it back into a workgroup, then attempt to put the client back onto the domain, the local profile would be renamed to .00 etc. Doing this would mean that the user would lose all the desktop settings, email profiles, ACT, AutoCAD, etc. I would have to reinstall all of that again and import email 25 times =/

Copying the files and settings over through Explorer doesn't work either. I just need to figure out a method of correcting the SIDs.

"Anyway, you have three choices:
1. Remove the workstation from the domain, reboot, then rejoin the domain.
2. In the Computers container in the Active Directory Users MMC, right click the workstation in question, and click Reset Account. Reboot the workstation.
3. Use NETDOM to reset the computer's account."


In the Computers container in the Active Directory Users MMC there are only 4 out of the 25 computers listed; those 4 computers are the ones that are fully functional, i.e. the SIDs are still intact and haven't changed...

??? Dunno what else to do.

Are there any tools to fix this sort of problem? I've been searching through knowledge bases and Google all morning.

 

beatinitup

Senior member
Sep 22, 2000
503
Just to give you a brief background on what happened:

Having redone our NT domain and created a new W2K domain of the same NetBIOS name, all the 2000 workstations are now causing an error to occur on the W2K Domain Controller. The error states that the workstations are trying to contact the DC using a SID from the old domain and that we should "re-establish the trust relationship", I take it by re-adding the workstation to the domain.

The problem is that if we change the network ID to add the workstation, this causes all the old user profiles to become unknown and hence they cannot be copied to the user's "new" domain profile.

This is a very real problem for us. Is there any way to re-establish the trust/add the workstations to the new 2000 domain without destroying the users' old user profiles? Since Outlook and other MS applications keep their settings and data in the user profile folders, making them 'unknown' will have serious ramifications for the end users.

I have tried adding the machines manually to the Active Directory but this doesn't seem to be solving the problem.

Any quick responses would be greatly appreciated!
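An added example (not from the thread or any poster) that shows what the "unknown" profiles described above look like on disk: after the domain is rebuilt, every account gets a new SID, so the old SIDs in the profile folders' ACLs no longer resolve and are rendered as raw S-1-5-21-... strings. The function audits a local profile root for such orphaned owners and ACEs; the profile root path and the "different SID prefix means old domain" heuristic are assumptions.

```powershell
# Added example, not from the thread: audit local profile folders for owners and
# ACL entries that no longer resolve to an account. After the domain was rebuilt
# every account got a new SID, so the old SIDs in the profile ACLs show up as raw
# S-1-5-21-... strings, which is what an "unknown" profile looks like.

function Find-OrphanedProfileSids {
    param(
        # Profile root: C:\Users on current Windows, "C:\Documents and Settings" on W2K.
        [string] $ProfileRoot = 'C:\Users'
    )
    # A principal that still resolves is rendered as DOMAIN\name; an orphaned one
    # stays as a raw SID string, so a SID-shaped owner means an "unknown" account.
    $rawSid = '^S-1-\d+(-\d+)+$'

    # Domain (or machine) SID prefix of the account running the audit. Assumption:
    # an orphaned owner with a different prefix was issued by the old domain.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $currentDomainSid = if ($me.AccountDomainSid) { $me.AccountDomainSid.Value } else { '' }

    Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }                 # no rights to read this folder; run elevated
        $owner = [string]$acl.Owner
        $ownerOrphaned = $owner -match $rawSid
        $orphanedAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -match $rawSid })
        [pscustomobject]@{
            Profile       = $_.Name
            Owner         = $owner
            OwnerOrphaned = $ownerOrphaned
            FromOldDomain = $ownerOrphaned -and $currentDomainSid -and -not $owner.StartsWith("$currentDomainSid-")
            OrphanedAces  = $orphanedAces.Count
        }
    } | Where-Object { $_.OwnerOrphaned -or $_.OrphanedAces -gt 0 }
}

Find-OrphanedProfileSids | Format-Table -AutoSize
```

Only the folder ACLs are inspected; the per-user registry hive (NTUSER.DAT) carries the same old-SID references internally, which is why copying a profile while leaving NTUSER.DAT behind, as suggested later in the thread, loses per-user application settings.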
 

netsysadmin

Senior member
Feb 17, 2002
458
So you took down the NT PDC and built a new Win2k DC with the same domain name and started that up... now you are having the problems with the SIDs on the workstations? What did you do with the old NT DCs? What about demoting your current Win2k DC, then starting up the old NT PDC/BDC and upgrading it to a Win2k DC, and then DCPromo the new Win2k box... transfer the roles over, then demote the older box.
 

beatinitup

Senior member
Sep 22, 2000
503
I tried to verify the trust connections but it failed.

So I tried to reset the trusts...

C:\Program Files\Support Tools>netdom reset cn-ics10 /domain:icsnet.net /server:
server.icsnet.net /userO:administrator /PasswordO:*

Results:

The trust relationship between this workstation and the primary domain failed

The command failed to complete sucessfully

 

beatinitup

Senior member
Sep 22, 2000
503
I've read up a lot on this and it seems like it's happened to a lot of system admins; apparently it's a combination of SIDs & trusts. So removing the computer to the workgroup would establish a new SID once it joins the domain, and it would also establish a reliable trust. The only problem is that I would have to figure out a way to import the user profiles that are stored locally... copy and paste didn't work =/
 

Wizkid

Platinum Member
Oct 11, 1999
2,728
I have been doing the "copy and paste profiles" thing for years. Just don't copy the ntuser.dat file. It might not restore EVERYTHING but it's pretty close :)
 

beatinitup

Senior member
Sep 22, 2000
503
Thanks Wizkid, I'll try it out and keep you guys posted. I'm not sure how well it will work since we are running AutoCAD, ACT, etc. =/
 

beatinitup

Senior member
Sep 22, 2000
503
Copying and pasting over the profiles worked (excluding ntuser.dat and ntuser.ini etc.) but AutoCAD gets reg errors =/
 

JustinLerner

Senior member
Mar 15, 2002
425
Sorry, I'm not familiar with your SID problem. I've never experienced it, but then again, I don't know anything about SIDs. So I don't know if this is the 'best way' or some 'mickey mouse' method, but I think it should work for you.

I've used the following method to retain USERPROFILES. Since you have a small network, this should work just fine. I found this method worked in the past when I didn't want to 'backup' and restore when doing a new OS installation. I found it works best on the OS client used, but will even translate over to other Windows OSes like Win9x/ME and NT4 clients. Unfortunately, this requires the work of 'copying and pasting' everything in each %userprofile% directory, and I've only used this with NT4 PDCs, but it may work with a 2000 DC. (Additionally, I set up a two-way, non-transitive trust between the NT4 PDC and the 2000 DC, which worked fine for the purposes, but still, I must state that my knowledge of SIDs is nil.)

1. Set up ROAMING PROFILES from the User Manager on the DC. (I did this on NT 4 Server SP6a with 2000 and 9x clients, just fine.)
2. Copy everything in the %userprofile% directory of each PC to a network drive (share) that each user can authenticate to (individual authentication permissions for each user are required on the network drive shares).
3. Rename each USERPROFILE on EACH PC to %userprofileOLD%, so that the new profile is written with the same name as the original and the copies on the network drive or DC.
4. On the DC/PDC set up ROAMING PROFILES for each user and user profile.
5. Redirect each current default directory in the User Manager on the Domain Controller to point to each copied %userprofile% directory, specifically by UNC or, if on the DC, the actual directory.
6. When the first logon is attempted on any PC, their whole previous DESKTOP, USER SETTINGS (in NTUSER.DAT), everything in the USERPROFILE directory, will be copied to the PC they are using by the DC from the network share or DC directory.
7. Then, after each person has logged onto their own PC, disable ROAMING profiles from EACH PC and then the DC. (Some disadvantages: longer boot times each time a person first uses a new PC, and if ROAMING is not disabled on the DC and each PC, then each time they log off, USERPROFILEs are backed up to the network drive (for user profiles) or the directories on the DC, and each logon can take extra time. The main advantage of retaining ROAMING profiles [if they are small in size] is the retention of user settings across multiple PCs [consistency] for workers that may need to move around to multiple locations.)
8. You can leave the USERPROFILES on the network for future backup, but just disable ROAMING on EACH PC and the DC.
9. You should also be able to delete the OLD %userprofile% directory on each PC and the DC (when you reset or delete the user default boot directory). I never do, because this is always a nice 'realtime backup' feature for users. (Hey, I've never tried this on a production system, only goofing around with a way to retain all my user settings like the desktop, colors, network and dial-up settings, etc.)

Apparently XP has a nice 'import' feature that allows new OS installations to retrieve old/previous userprofiles.

----

Using this in conjunction with deleting and re-adding each PC to the domain should allow all original user settings to be retained while ensuring the PC is properly authenticated in the domain.

----

I would try these two methods in conjunction on one PC first.
 

JustinLerner

Senior member
Mar 15, 2002
425


<< Saltin: Geeze, I thought this was going to be something tough :D >>

Hey, tell us what the correct way to do this is. Isn't there some SID migration utility from MS? Comes with some server version or something?

Let him know. I don't remember where I saw the SID migration utility (which CD). :\
I always like learning something new even if I'm not a system pro.
 

JustinLerner

Senior member
Mar 15, 2002
425
Don't ever stop learning. Learning is a lifelong process (I'm not old, but not young). I make a habit of trying to learn two to three new things each day, and this always keeps work interesting and eventually makes me one of the best in everything I do. Oh yeah, the ability to remember/recall and accurately and effectively use what you learn is also very important. (Some people 'achieve' certain plateaus and are satisfied where they are; that's why the willingness to continually learn and adapt to changes will set one worker apart from another.)

Still can't remember where I saw that SID migration utility.
 

beatinitup

Senior member
Sep 22, 2000
503
Very well said. I was able to resolve the issue, but not through any of the methods listed below... let's just say that I was a little hacker back in the day ;)

Thanks for all the suggestions, everyone =)
 

Woodie

Platinum Member
Mar 27, 2001
2,747
SidHistory is the tool you're talking about...I can't find the name of the executable.
 

JustinLerner

Senior member
Mar 15, 2002
425
Hey, I ran across this alternate method on clients; I can't remember if I installed this option separately or what.

From the MMC, add the MS snap-in called SIDWalker.

This is what it does: "Set the access control lists on objects previously owned by accounts that were moved, orphaned, or deleted."

On the DC there is the ADSIEdit snap-in for the MMC.
 

beatinitup

Senior member
Sep 22, 2000
503
Thanks JustinLerner and all the AnandTech members that helped me out. Just wanted to let everyone know that everything is up and running now... and thanks to everyone here we have about 5 different ways of solving the problem ;)