Don't bother looking in here unless you really know your stuff

beatinitup

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5513
Date: 4/2/2002
Time: 9:12:21 AM
User: N/A
Computer: SERVER
Description:
The computer CN-ICS7 tried to connect to the server \\SERVER using the trust relationship established by the ICSNET domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

---------


As you can see, the SIDs on the client machines have been changed. The only method of assigning a new SID, as far as I know, is to remove the workstation from the domain and then join the domain again... problem is that all the user profiles will be recreated, and importing them or copying them over will not work right.

This is an all-W2K network running W2K Server. This is urgent, any help would be greatly appreciated. Here are a few things I attempted to do other than to remove and re-add user from the domain.

NETDOM TRUST "local_domain" /Domain:"remote_domain" /UserD:administrator
/PasswordD:* /UserO:administrator /PasswordO:* /Reset /TwoWay

Obviously it didn't work because there isn't another domain controller; I just thought there may have been a $#@& up in Active Directory.

no luck...any other suggestions??
 

beatinitup

just some background info


Having redone our NT domain and created a new W2K domain of the same netbios
name, all the 2000 workstations are now causing an error to occur on the W2K
Domain Controller. The error states that the workstations are trying to
contact the DC using a SID from the old domain and that we should
"re-establish the trust relationship", I take it by re-adding the
workstation to the domain.

The problem is if we change the network ID to add the workstation, this
causes all the old user profiles to become unknown and hence cannot be
copied to the users "new" domain profile".

This is a very real problem for us. Is there any way to re-establish the
trust/add the workstations to the new 2000 domain without destroying the
users' old user profiles? Since Outlook and other MS applications keep
their settings and data in the user profile folders, making them 'unknown'
will have serious ramifications for the end users.

I have tried adding the machines manually to the Active Directory but this
doesn't seem to be solving the problem.

Any quick responses would be greatly appreciated
 

beatinitup

update:

I tried some verify commands and they failed =\

I tried to reset the trusts but this is what happened


C:\Program Files\Support Tools>netdom reset cn-ics10 /domain:icsnet.net /server:server.icsnet.net /userO:administrator /PasswordO:*

results:

The trust relationship between this workstation and the primary domain failed

The command failed to complete sucessfully
 

Yoshitoshi

Surely you don't have to move all of your users onto the new domain do you? If you set up a trust between the two domains you can add your global groups to the local groups on the second server. I'm not completely up to speed with 2k's Active Directory yet but surely the trust must work in a similar fashion to NT's trusts?

i.e. make 'OLD_DOMAIN\Global Domain Admins' part of the 'NEW_DOMAIN\Local Admins' and so forth for users etc.

Once the trust is operating the NEW_DOMAIN should be able to allow users to logon even if the OLD_DOMAIN is unavailable?

I'm not an Admin btw.. but I set up a friend's (small) company Win2k server this weekend and we had no option but to make it a 'PDC' with a different domain name, as the existing NT PDC would not allow us to demote it to a BDC and let the 2k server take over, so we had no option but to set up a trust, and make the 2k global groups part of the NT local groups - 2k wouldn't allow me to do this the other way btw as the old domain was greyed out for some reason, but it worked!

In this case there were so few users we just deleted the NT ones and made new 2k users. I don't know how you could 'move' them though and retain the same SIDs and profiles. The 2k domain users can now pick up mail from Exchange running on the NT server without any problems.

I hope some of that helps.. good luck.

Yoshi. (not an Admin)
 

beatinitup

"Having redone our NT domain and created a new W2K domain of the same netbios
name, all the 2000 workstations are now causing an error to occur on the W2K
Domain Controller. The error states that the workstations are trying to
contact the DC using a SID from the old domain and that we should
"re-establish the trust relationship", I take it by re-adding the
workstation to the domain.

The problem is if we change the network ID to add the workstation, this
causes all the old user profiles to become unknown and hence cannot be
copied to the users "new" domain profile".

This is a very real problem for us. Is there any way to re-establish the
trust/add the workstations to the new 2000 domain without destroying the
users' old user profiles? Since Outlook and other MS applications keep
their settings and data in the user profile folders, making them 'unknown'
will have serious ramifications for the end users.

I have tried adding the machines manually to the Active Directory but this
doesn't seem to be solving the problem.

Any quick responses would be greatly appreciated "

I'm sorry, I meant to put in NT5 rather than NT
 

Saltin

Welcome to the wonderful world of profiles.
Don't sweat the computer accounts/AD too much. Pay attention to your real problem. Which is learning how to manipulate profiles effectively.
It's a real problem on any network, and if you can get your head around it, everyone will think you are a magician.
 

Abzstrak

If you don't have too many users then switch their profile to roaming and copy it to the new DC... it should work fine then and you can take them back off of roaming if you want.

For issues like this, I've found it easier (but ugly) to promote a new NT BDC to a PDC then upgrade it to 2k.... keeps all these damn stupid little settings right.
 

JustinLerner

<< If you don't have too many users then switch their profile to roaming and copy it to the new DC... it should work fine then and you can take them back off of roaming if you want. . . . >>

I agree, that's exactly what I previously recommended on his previous thread by the same name . . .

What happened, beatinitup, have problems again?

Hey I ran across this alternate method on clients, can't remember if I installed this option separate or what. From the 2000/XP client MMC, add the MS snap-in called SIDWalker.
This is what it does: "Set the access control lists on objects previously owned by accounts that were moved, orphaned, or deleted."

On the DC there is the ADSIEdit snap-in for the MMC.
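
Why the old profiles go "unknown", as an added example that is not part of any post in this thread: a profile is bound to the account's SID, and a domain rebuilt under the same NetBIOS name gets a new domain SID. The Python below decodes a binary SID (the form the domain object's objectSid attribute takes in ADSI Edit) and sorts profile entries by issuing domain; all SIDs, paths and function names are constructed for illustration.

```python
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID into its S-1-... string form."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def domain_part(sid: str):
    """Issuer part (S-1-5-21-a-b-c) of an account SID, or None for well-known SIDs."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None

def classify_profiles(profiles: dict, current_domain_sid: str) -> dict:
    """Group profile paths by whether the owning SID was issued by the current domain."""
    groups = {"current_domain": [], "other_issuer": [], "well_known": []}
    for sid, path in sorted(profiles.items()):
        issuer = domain_part(sid)
        if issuer is None:
            groups["well_known"].append(path)
        elif issuer == current_domain_sid:
            groups["current_domain"].append(path)
        else:
            # Old domain or the machine's local SAM: no account in the
            # rebuilt domain carries this SID, so the profile is orphaned.
            groups["other_issuer"].append(path)
    return groups

# Constructed sample: binary SID of the rebuilt domain (hypothetical values).
NEW_DOMAIN_RAW = (bytes([1, 4]) + (5).to_bytes(6, "big")
                  + struct.pack("<4I", 21, 1111111111, 2222222222, 3333333333))

# Constructed sample: SID-named ProfileList entries mapped to profile folders.
PROFILES = {
    "S-1-5-18": r"C:\WINNT\system32\config\systemprofile",
    "S-1-5-21-1000000001-1000000002-1000000003-1004": r"C:\Documents and Settings\jsmith",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": r"C:\Documents and Settings\jsmith.ICSNET",
}

if __name__ == "__main__":
    current = sid_from_bytes(NEW_DOMAIN_RAW)
    for group, paths in classify_profiles(PROFILES, current).items():
        print(group, paths)
```

The entry under `other_issuer` is the kind of profile the thread is about: same user name, same domain name, but a SID the new domain never issued.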