External Trust - duplicate domain SIDs

#1
External Trust - duplicate domain SIDs

I just started working for a company that has about 26 different physical sites, and each site is its own forest. I was tasked with setting up trusts so that we can use our home office credentials on the remote forests. I started setting up one-way external trusts, and got about 4 trusts set up when I received the following error yesterday.

"The operation failed. The error is: Cannot create a file when that file already exists."

After speaking with the person that set up the other domains, I found out that some of the DCs were created from ghost images, and that sysprep was not run. So I think the problem is that some of the domains have identical SIDs. Is there anything I can do to fix this other than blowing away and recreating the domains? Could this error be caused by something else? How can I check to see what the domain SID is to see if they do in fact match?

Thanks!

#2
Re: External Trust - duplicate domain SIDs

Oh dear. Is there a reason why they need to be separate forests still? What IT staff do you have at each site and what security isolation do you need? Data, services etc.

#3
Re: External Trust - duplicate domain SIDs

No they do not need to be separate forests. All IT staff is here at the home office. As far as security isolation goes, the remote domains should not have many if any permissions to the home office domain nor to other remote domains. We could certainly limit their access via firewalls, VPNs and ACLs though. I haven't put a ton of thought into it yet, but I would think having all user accounts in the home office domain and setting up the remote domains as resource-only child domains in the same forest would be the way to go. I don't think management is too hot on the idea of migrating the domains though.

#4
Re: External Trust - duplicate domain SIDs

I suspect you've inherited an upgrade from the NT4 days.

There's certainly no need for each office to have its own forest, if anything that just creates far too much administration.

Could you not just have the one forest root domain and each office a sub-domain?

Or better still have one forest root domain and segregate the remote offices using AD sites?

You could even utilise UPN suffixes if the users in particular sites want to use the old domain name to access resources.

#5
Re: External Trust - duplicate domain SIDs

You can view the SIDs a number of ways.

See here http://www.experts-exchange.com/OS/M..._23220933.html

or here http://technet.microsoft.com/en-us/s.../bb897417.aspx for PsGetSid

#6
Re: External Trust - duplicate domain SIDs

I agree wholeheartedly!

Actually this was not an NT4 upgrade. The IT staff has limited knowledge and experience in AD as this was a NetWare shop until about 2 years ago. I don't know all the thought process that went into the current design, but my guess is that they just didn't really know what they were doing. There has been talk of recreating AD and migrating to a single forest when we upgrade to 2008, but that won't be for at least a year or two. I kind of think we should start now and just do it one domain at a time.

I ran psgetsid and confirmed that the domains do indeed have identical SIDs. I think I already know the answer to this, but there is no way to change that SID now, right? Isn't the domain SID part of every other SID on the domain? What a mess!

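As an added example that is not part of this thread and was not written by any of the posters: a small Python script that takes psgetsid-style output captured from one DC in each remote forest, parses the SIDs, strips the trailing RID to recover the domain SID (which is exactly why the domain SID sits inside every account SID created in that domain), and flags domains that share one, so the clash can be found before a trust creation fails. The machine names, SID values and sample output are constructed, and the psgetsid output format is assumed.

```python
import re
from collections import defaultdict
# Constructed psgetsid-style output (format assumed, names and SIDs made up),
# as if "psgetsid \\SITExx" had been run against one DC in each remote forest.
SAMPLE_PSGETSID = """\
SID for \\\\SITE01:
S-1-5-21-1111111111-2222222222-3333333333
SID for \\\\SITE02:
S-1-5-21-1111111111-2222222222-3333333333
SID for \\\\SITE03:
S-1-5-21-4444444444-5555555555-6666666666
"""
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a string SID into (revision, authority, [subauthorities])."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID: %r" % sid)
    revision, authority, rest = m.groups()
    return int(revision), int(authority), [int(x) for x in rest.split("-")[1:]]

def domain_sid_of(sid):
    """Return the domain SID an account SID is relative to: domain SIDs look
    like S-1-5-21-A-B-C and every account in that domain is S-1-5-21-A-B-C-RID,
    so dropping the trailing RID yields the domain identifier."""
    revision, authority, subs = parse_sid(sid)
    if (revision, authority) != (1, 5) or subs[0] != 21 or len(subs) not in (4, 5):
        raise ValueError("not a domain-relative SID: %r" % sid)
    return "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])

def parse_psgetsid(text):
    """Map each queried machine name to the SID psgetsid printed for it."""
    result, name = {}, None
    for line in text.splitlines():
        header = re.match(r"^SID for \\\\(.+):$", line.strip())
        if header:
            name = header.group(1)
        elif name and SID_RE.match(line.strip()):
            result[name] = line.strip()
            name = None
    return result

def find_duplicate_domain_sids(name_to_sid):
    """Return {domain_sid: [names]} for every domain SID shared by 2+ domains."""
    by_sid = defaultdict(list)
    for name, sid in name_to_sid.items():
        by_sid[domain_sid_of(sid)].append(name)
    return {s: sorted(n) for s, n in by_sid.items() if len(n) > 1}
```

Running `find_duplicate_domain_sids(parse_psgetsid(SAMPLE_PSGETSID))` on the constructed sample reports SITE01 and SITE02 as sharing one domain SID while SITE03 is clean.
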

#7
Re: External Trust - duplicate domain SIDs

Unfortunately you're right.

I may be wrong but I think if you rename the domain it changes the domain portion of the SID?? Someone may be able to correct me on that.

Failing that it's a new domain in your branch office - how many clients are in this domain?

#8
Re: External Trust - duplicate domain SIDs

A quick Google search answers my own question:

"You can also rename domains without actually impacting the trust relationships between existing domains within your Active Directory environment. When you rename domains, you can change the DNS and NetBIOS names of the domain, but the domain GUID and domain SID are left intact. This allows you to rename the domain and all associated child domains without affecting the structure of the domain tree."

#9
Re: External Trust - duplicate domain SIDs

There are about 26 remote offices, each a separate forest with a 2003 server, up to 8 or so PCs and maybe 10 users.

Since the GUID and SID remain the same, a domain rename wouldn't help my situation, right? Do you know of any good whitepapers on migrating from separate forests to child domains?

Thanks!

#10
Re: External Trust - duplicate domain SIDs

Usually you set up trusts to allow the use of ADMT to migrate. However, in your case, you may have to consider setting up a separate Forest and then adding the trusts 1 at a time to each forest and migrate that way. You also want to consider whether it is feasible to remove the current PCs from each site and then join to the new domain that way. Not sure what services you're running.

What kind of connection do you have between sites? Sounds to me that you can consider 2 domains. 1 for the Forest root that contains the IT accounts, service accounts etc and the other for all other PCs/members of staff. You could perhaps just have the 1 domain and then use OUs for isolation as well.

You can make use of AD sites to control replication.

#11
Re: External Trust - duplicate domain SIDs

It might be the right time to migrate to a single forest or even a single domain IMO.
ADMT 3.0
Last edited by L4ndy; 14th May 2009, 15:53.
#12
Re: External Trust - duplicate domain SIDs

Thanks for the link to the ADMT guide. I will start studying. The sites are connected via VPNs, most of them are on DSL, but a few are connected via wireless 3G (mobile). It would definitely be possible to use one domain, and control replication with AD sites and services, but I think I would feel more comfortable with them being child domains. What would be the pros and cons of each approach?

#13
Re: External Trust - duplicate domain SIDs

Thanks a ton by the way! I really appreciate the advice you all are giving me. I have been working with this stuff forever (NT4 MCSE), but have always worked with single site small business networks until recently. This is the first time I have had to worry about trusts, replication, etc. I have read about all of it, but never have had much hands on experience.

#14
Re: External Trust - duplicate domain SIDs

Having multiple domains would give you a considerable amount of extra admin overhead but will allow you to have different password policies at each site. Having a child domain for each site may also mean investment in extra servers to ensure optimum redundancy. Should you opt for a single forest/domain, you could perhaps get away with 1 per site and the main HQ server as the fallback DC.

One of the reasons for having a child domain for a site may be due to the bandwidth available to the main site. This reduces the replication traffic.

Generally, most implementations tend to be 1 forest, which has the 1 domain. Even if the VPN connection/3G connection is unreliable, there is the possibility of using SMTP for replication, though it does have some limitations. Can't remember them off the top of my head.

Personally, I would go for the single forest with single domain option and maybe use an OU structure that reflects each physical location, that of course will be the sites you define in AD Sites and Services.

It really depends how isolated you want some parts of the business to be. E.g. some organisations will use a separate forest for finance and other sensitive departments and then set up a one way trust to another forest for everything else. That forest trusts the finance forest but not the other way round.

What sort of systems do you use at the different sites? Email, file services etc.

#15
Re: External Trust - duplicate domain SIDs

You won't be able to use SMTP replication using the single domain model as SMTP cannot replicate the domain partition; obviously this is not a problem if the remote site is a child domain.
