Error Message When You Change the Trust to Bidirectional After an In-Place Migration (306101)

SYMPTOMS

After an in-place migration of a trusted domain from Microsoft Windows NT 4.0 to Windows 2000, when you create a trust relationship in the opposite direction by using the Domain and Trusts Management console, you receive the following error message:

Active Directory cannot verify the trust.

If the other side of the trust relationship doesn't exist yet, you must create it.

If the passwords for both sides of the trust relationship don't match, you must remove this trust and re-create it using the correct password.

The error returned was: The specified domain either does not exist or could not be contacted.

You can use the Ldp.exe tool or the ADSIEdit Microsoft Management Console (MMC) snap-in to view the trust object. If the security identifier attribute does not exist, you must break the trust and rebuild it in Active Directory Domains and Trusts.

RESOLUTION

To provide the missing SID, delete and re-create the inbound trust. After you do this, you can establish an outbound trust to the trusting domain (a bidirectional trust).

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in Microsoft Windows XP.

MORE INFORMATION

Inbound-only trusts do not have a SID after an upgrade from Windows NT 4.0 to Windows 2000. Outbound and two-way trusts do have SIDs after an upgrade, because in Windows NT 4.0, they have an inter-domain trust account with a SID.

You can use Netdom.exe to automate the re-creation of the trust.

Error Message When You Change the Trust to Bidirectional After an In-Place Migration (306101)

SYMPTOMS

CAUSE

RESOLUTION

STATUS

MORE INFORMATION