Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Trust problem - help

3 views
Skip to first unread message

Peter Martin

unread,
Nov 21, 1997, 3:00:00 AM11/21/97
to

We run a small NT network with 4 servers (2 x 3.51 & 2x 4.0) all in the
same domain but in two locations connected via ISDN router.

I decided to change the PDC from a 3.5.1 server to a 4.0 server - as the 4.0
server wasn't originally configured as a BDC I reloaded NT4.0, made it a BDC
and then used Server Manager to promote it to the PDC. It all went well
except that all the clients running NT Workstation seem to have lost valid
accounts - the event log on the new PDC is full of entries like

"The computer DELLPBM tried to connect to the server NEPTUNE using the trust
relationship established by the DEVADMIN domain. However, the computer lost
the correct security identifier (SID) when the domain was reconfigured.
Reestablish the trust relationship. "

How do I do this? I tried deleting the old client computer account on the
PDC and then adding the client computer, I tried changing the client
computer name and adding a client account for the new name - no luck.
Any ideas??
Please email me with the answer as I cannot get newsfeeds often - thanks
pma...@aspen-internet.net

PeterM

USCA_ServNet

unread,
Nov 21, 1997, 3:00:00 AM11/21/97
to

Hello Peter,

I assume you reinstalled your entire domain by converting it to 4.0 or did
you upgrade your 3.51 DC to 4.0.

If you upgraded then you shouldn't be having this problem unless your domain
is not synchronized. If that is the case you may need to Synch the entire
domain from the PDC's Server Manager.

If the former is true then recreating the account on the PDC is only half
the battle. You would actually need to have the workstations join a
workgroup, reboot and then join the domain again. Unfortunately this is a
limitation with member workstations and servers when you change the Domain.
The member machines will actually have to reacquire a new secure channel
with the DC's.

Hope this helps!

Richard Wong

unread,
Nov 25, 1997, 3:00:00 AM11/25/97
to

Ok to break down the situation here, this is what you should have done.

On your PDC, upgraded from NT 351 to 40. Do not rebuild. This way it
keeps everything intact. Also, don't understand why you rebuilt it to
a BDC and then promote to PDC?

You should never rebuild, unless required, because all your machines
authenticate to your PDC. If your PDC isn't valid anymore or doesn't
reflect all your workstation accounts, you're screwed!

So in hindsight, what you should have done was to take a temporary PC
and install NT 3.51 or 4.0 it doesn't matter. Make it a BDC. Then
promote that temporarily as you did your work. Then after you JOINED
to the EXISTING DOMAIN, repromote the PDC to its own status.

If ANY of your servers are BDCs, you could have promoted that one, and
then demoted after your work is done. This is how it's described in
all the lab work, and it works as expected in all the server situations
I've gone through.

There's no way to fix it now EXCEPT by manually going to each PC and
changing to WORKSTATION, and then ADD to DOMAIN. This will reinitialize
each PC back to the new PDC. The domain name is the same, but in effect
it is a NEW domain with the same name.


: We run a small NT network with 4 servers (2 x 3.51 & 2x 4.0) all in the

0 new messages