How to change one domain to another
Hi all,
Previously, I could log on to my computer with a domain account (for example: redmond\darbin). But I need to use Active Directory, so I installed the Active Directory Domain Service and followed the installation wizard to create another domain (forest) named "forest.corp.com" on my Windows server. After that I restarted my computer and used the domain account redmond\darbin to log on to my Windows server. At this moment, one error occurred: "The security database on the server does not have a computer account for this workstation trust relationship". I tried to log on to the server with the local administrator account darbin\administrator (darbin is my computer name). It failed too, because the user name and password are incorrect. I don't know why this problem happened. Suddenly I used forest\administrator to log on. It worked. However, I want to log on to my Windows server with the redmond\darbin account (which I mentioned in the first sentence). Using a search engine I found this: http://technet.microsoft.com/en-us/library/ee849847(v=WS.10).aspx Unfortunately, the illustration is too simple for me to make it work for my problem. Could you provide more explanation for this or supply your resolution for my problem? Any reply will be appreciated.
April 30th, 2012 7:34am

Darbin, I am a bit confused here. You said that you used to log in with redmond\darbin. I assume Redmond is your computer name. That means you used to log in locally on the server. After this you performed dcpromo on the server and installed a domain on it (Forest.corp.com). Now I assume Forest.corp.com is your domain name. When you try forest\administrator it is working. That means it is now a domain controller. Remember: there is no local administrator on domain controllers. So you cannot use redmond\darbin. You have to use forest\administrator to log in. So, YOU CAN NOT LOGIN AS REDMOND\DARBIN NOW. Hope I am making some sense here.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
April 30th, 2012 7:51am

Hello, to understand you correctly: your machine is a Windows Server OS and you have run dcpromo on it for the domain name forest.corp.com? If this is correct and the machine was used before in the domain "redmond", this is completely gone with promoting the machine as DC for the forest.corp.com domain. So please clarify the above steps you have done in detail, so we can understand what domain the machine belongs to or is DC on.
Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
April 30th, 2012 8:19am

Hello,
"Previously, I could log on to my computer with a domain account (for example: redmond\darbin). But I need to use Active Directory, so I installed the Active Directory Domain Service and followed the installation wizard to create another domain (forest) named "forest.corp.com" on my Windows server. After that I restarted my computer and used the domain account redmond\darbin to log on to my Windows server. At this moment, one error occurred: "The security database on the server does not have a computer account for this workstation trust relationship"."
Here, you were using the local SAM database to log on. Once you promoted the server as a DC, the local SAM had been overwritten by the AD database. This means that the SAM database no longer exists and in this case you can no longer use a local account to log on because they no longer exist. Please use a domain account. Try using DomainName\darbin to log on and check results. To reset the AD admin password: http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
April 30th, 2012 8:32am

Hi Prashant, redmond\darbin is a domain account, not the local account. As you mentioned, after performing dcpromo on my server, forest\administrator is working and it's a domain controller. But I still need to log on to my computer with redmond\darbin (domain account). Hope you understand!
May 1st, 2012 10:32pm

"Hello, to understand you correctly: your machine is a Windows Server OS and you have run dcpromo on it for the domain name forest.corp.com? If this is correct and the machine was used before in the domain "redmond", this is completely gone with promoting the machine as DC for the forest.corp.com domain. So please clarify the above steps you have done in detail, so we can understand what domain the machine belongs to or is DC on."
Yes, I used redmond\darbin to log on to my machine before running dcpromo. And after running dcpromo, a domain named forest.corp.com was created and it's a domain controller. But I still need to log on with the redmond\darbin account. How can I do that?
May 1st, 2012 10:37pm

"Here, you were using the local SAM database to log on. Once you promoted the server as a DC, the local SAM had been overwritten by the AD database. This means that the SAM database no longer exists and in this case you can no longer use a local account to log on because they no longer exist. Please use a domain account. Try using DomainName\darbin to log on and check results."
I'm using a domain account (redmond\darbin) to log on, not the local account.
May 1st, 2012 10:39pm

"Hi Prashant, redmond\darbin is a domain account, not the local account. As you mentioned, after performing dcpromo on my server, forest\administrator is working and it's a domain controller. But I still need to log on to my computer with redmond\darbin (domain account). Hope you understand!"
What is redmond here? Is it your domain? How about forest? Is it also a domain? I do not understand how you ran dcpromo on a server which is already a member of the redmond domain and made it a domain controller of the forest domain. Please explain the scenario in a bit more descriptive way.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 1:34am

"Hi Prashant, redmond\darbin is a domain account, not the local account. As you mentioned, after performing dcpromo on my server, forest\administrator is working and it's a domain controller. But I still need to log on to my computer with redmond\darbin (domain account). Hope you understand!"
"What is redmond here? Is it your domain? How about forest? Is it also a domain? I do not understand how you ran dcpromo on a server which is already a member of the redmond domain and made it a domain controller of the forest domain."
Firstly, my Windows server has an administrator account (computername\administrator) and I added my server to one domain (redmond.corp.com); namely, my server is a member of redmond.corp.com and the domain account is redmond\darbin. I can log on to my server with the domain account (redmond\darbin) or the administrator account (computername\administrator). After logging on with the domain account (redmond\darbin), I ran Server Manager, opened "Add Roles" and selected "Active Directory Domain Service". Following the installation wizard, one new domain "forest (forest.corp.com)" was created, and at the end of the installation wizard it required a restart of the computer, which I did. Now I can't log on to my server with redmond\darbin or computername\administrator. For redmond\darbin, the error I mentioned in my initial post occurs; for computername\administrator, it says the username and password are incorrect. After trying several times, I logged on to my server successfully with forest\administrator. But I want to log on to my server with the redmond\darbin account.
May 2nd, 2012 2:04am

"Firstly, my Windows server has an administrator account (computername\administrator) and I add one domain account (redmond\darbin) on my server. I can log on to my server with the domain account (redmond\darbin) or the administrator account (computername\administrator). After logging on with the domain account (redmond\darbin), I ran Server Manager, opened "Add Roles" and selected "Active Directory Domain Service". Following the installation wizard, one new domain "forest (forest.corp.com)" was created, and at the end of the installation wizard it required a restart of the computer, which I did. Now I can't log on to my server with redmond\darbin or computername\administrator. For redmond\darbin, the error I mentioned in my initial post occurs; for computername\administrator, it says the username and password are incorrect. After trying several times, I logged on to my server successfully with forest\administrator. But I want to log on to my server with the redmond\darbin account."
OK, "I add one domain account (redmond\darbin) on my server": how did you add this domain account? You said it was a server, not a domain controller. You cannot add any domain account of member servers. I am confused here. And REDMOND is your domain? The naming convention redmond\darbin is even more confusing to me. I understand computername\administrator will not work, as the server is now acting as a domain controller and there is no local administrator account. So my question is: was this server a member server before, or was it acting as a domain controller, or was it a server in a workgroup?
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 2:13am

"I add one domain account (redmond\darbin) on my server"
I edited my previous reply. Sorry for this. I added my server to one domain (redmond.corp.com); namely, my server is a member of redmond.corp.com and the domain account is redmond\darbin.
May 2nd, 2012 2:55am

"I add one domain account (redmond\darbin) on my server. I edited my previous reply. Sorry for this. I added my server to one domain (redmond.corp.com); namely, my server is a member of redmond.corp.com and the domain account is redmond\darbin."
No problem. So that means it was previously a member of redmond.corp.com; now on the same server you ran dcpromo and installed a new domain on it (Forest.corp.com). Now it is a domain controller of the domain forest.corp.com. So does your redmond domain still exist? How many domains do you have in your forest?
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 3:03am

"So that means it was previously a member of redmond.corp.com; now on the same server you ran dcpromo and installed a new domain on it (Forest.corp.com). Now it is a domain controller of the domain forest.corp.com. So does your redmond domain still exist? How many domains do you have in your forest?"
Since it is a domain controller of a domain forest.corp.com now. The redmond domain still exists exactly. The redmond domain is not related to forest. I just have a domain account redmond\darbin and can use it to add my server to the redmond domain. So the redmond domain exists all the time.
May 2nd, 2012 3:14am

"So that means it was previously a member of redmond.corp.com; now on the same server you ran dcpromo and installed a new domain on it (Forest.corp.com). Now it is a domain controller of the domain forest.corp.com. So does your redmond domain still exist? How many domains do you have in your forest?"
"Since it is a domain controller of a domain forest.corp.com now. The redmond domain still exists exactly. The redmond domain is not related to forest. I just have a domain account redmond\darbin and can use it to add my server to the redmond domain. So the redmond domain exists all the time."
So, I assume you have 2 child domains with redmond.corp.com and forest.corp.com, right? If this is the case, there is no need for manual configuration; automatically there will be a trust between them and you can log in. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/191c3ba8-b625-42c2-82c2-77a205edc8ac/ If this is not the case, then please explain your environment clearly: how many forests, how many child domains.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 3:26am

"So, I assume you have 2 child domains with redmond.corp.com and forest.corp.com, right? If this is the case, there is no need for manual configuration; automatically there will be a trust between them and you can log in. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/191c3ba8-b625-42c2-82c2-77a205edc8ac/ If this is not the case, then please explain your environment clearly: how many forests, how many child domains."
Firstly, redmond.corp.com is a separate domain and it's not related to forest.corp.com. forest.corp.com was created with the installation wizard and now my server is the domain controller of forest.corp.com. forest and redmond are not child domains of one domain. I just have a domain account redmond\darbin, and I can add my server to the redmond domain with redmond\darbin.
May 2nd, 2012 3:45am

"So, I assume you have 2 child domains with redmond.corp.com and forest.corp.com, right? If this is the case, there is no need for manual configuration; automatically there will be a trust between them and you can log in. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/191c3ba8-b625-42c2-82c2-77a205edc8ac/ If this is not the case, then please explain your environment clearly: how many forests, how many child domains."
"Firstly, redmond.corp.com is a separate domain and it's not related to forest.corp.com. forest.corp.com was created with the installation wizard and now my server is the domain controller of forest.corp.com. forest and redmond are not child domains of one domain. I just have a domain account redmond\darbin, and I can add my server to the redmond domain with redmond\darbin."
If these are different forests, then you need to create the trust between both to get the user authenticated between the forests: http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html
DC Locator across the forest: http://blogs.technet.com/b/askds/archive/2008/09/24/domain-locator-across-a-forest-trust.aspx
Client authentication in a forest trust over firewall: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1b60243e-e5a8-4e13-bc4b-b134caf127a6
Kerberos authentication and trust: http://technet.microsoft.com/en-us/library/cc960648.aspx
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 3:55am

Hello,
"Firstly, redmond.corp.com is a separate domain and it's not related to forest.corp.com. forest.corp.com was created with the installation wizard and now my server is the domain controller of forest.corp.com. forest and redmond are not child domains of one domain. I just have a domain account redmond\darbin, and I can add my server to the redmond domain with redmond\darbin."
As your server is now DC for a completely different forest/domain, you are NO longer able to log on with the user redmond\darbin. If this account should be used, either demote the newly installed DC and add it as a member to the redmond domain again, or create a trust between the redmond domain and the forest.corp.com domain.
Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
May 2nd, 2012 4:58am

I am trying the methods you provided. I will post my result later.
May 2nd, 2012 5:06am

"If these are different forests, then you need to create the trust between both to get the user authenticated between the forests: http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html"
I followed the steps above. But I still can't solve my issue. My OS is Windows Server 2008 R2. Open Active Directory Domains and Trusts. In the left panel, right-click forest.corp.com and select Properties. The forest.corp.com properties dialog opens, and I locate the Trusts tab. Click New Trust and the New Trust Wizard dialog appears. Follow the wizard: click the "Next" button, type "redmond.corp.com" in the trust name step and click the "Next" button. At the Direction of Trust step I select "Two-way" and click "Next". Select "This domain only" at the Sides of Trust step and click "Next". At the Outgoing Trust Authentication Level step I select "Selective authentication" and click "Next". Type the trust password twice and click "Next". Trust Selections Complete appears and I click "Next" twice. Now I select "Yes, confirm the outgoing trust" at the Confirm Outgoing Trust step and click "Next". At last I click "Finish". All looks fine. But how do I use the redmond\darbin account to log on to my server?
May 2nd, 2012 6:22am

"As your server is now DC for a completely different forest/domain, you are NO longer able to log on with the user redmond\darbin. If this account should be used, either demote the newly installed DC and add it as a member to the redmond domain again, or create a trust between the redmond domain and the forest.corp.com domain."
How do I demote the newly installed DC and add it as a member to the redmond domain again? I just find the "Raise Domain Functional Level". To create a trust between the redmond domain and the forest, I followed the steps below (for detailed steps please check my reply above): http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html But I still can't log on to my server with redmond\darbin.
May 2nd, 2012 6:27am

"As your server is now DC for a completely different forest/domain, you are NO longer able to log on with the user redmond\darbin. If this account should be used, either demote the newly installed DC and add it as a member to the redmond domain again, or create a trust between the redmond domain and the forest.corp.com domain."
"How do I demote the newly installed DC and add it as a member to the redmond domain again? I just find the "Raise Domain Functional Level". To create a trust between the redmond domain and the forest, I followed the steps below (for detailed steps please check my reply above): http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html But I still can't log on to my server with redmond\darbin."
Hello, demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain.
Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
May 2nd, 2012 6:34am

"demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain."
I just have a domain account, "redmond\darbin", without admin privilege.
May 2nd, 2012 7:02am

Hello,
"I just have a domain account, "redmond\darbin", without admin privilege."
Then you have to go to your admins. And without being admin you also cannot configure the DNS requirements and the trust for both sides of the forest trust. So this results in no option to log on to the other forest. Seems to me that you are messing around with company stuff without knowing what you are doing, just my 2 cents.
Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
May 2nd, 2012 7:17am

"demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain."
"I just have a domain account, "redmond\darbin", without admin privilege."
Darbin, I seriously think you are not understanding the concept here. From the above statement, I don't understand how you have only one domain account in the entire domain. When you create a domain, an administrator account will be created by default. So:
Run dcpromo on the server which you have promoted as a domain controller of the domain Forest.corp.com. It will remove the domain from it.
Join that server to the redmond.corp.com domain with an administrator account of redmond.corp.com.
Once done, try to log in with your redmond\darbin account.
Let us know the results.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 7:19am

"demoting the DC is done by running dcpromo again. And adding the demoted computer back to the redmond domain requires at least domain admin permissions in the redmond domain."
"I just have a domain account, "redmond\darbin", without admin privilege."
"Darbin, I seriously think you are not understanding the concept here. From the above statement, I don't understand how you have only one domain account in the entire domain. When you create a domain, an administrator account will be created by default. So: Run dcpromo on the server which you have promoted as a domain controller of the domain Forest.corp.com. It will remove the domain from it. Join that server to the redmond.corp.com domain with an administrator account of redmond.corp.com. Once done, try to log in with your redmond\darbin account. Let us know the results."
For those steps above, I have already done them and it does work certainly. And I checked those references you provided. Why don't you check my reply above? I provide a copy of it below:
I followed the steps above. But I still can't solve my issue. My OS is Windows Server 2008 R2. Open Active Directory Domains and Trusts. In the left panel, right-click forest.corp.com and select Properties. The forest.corp.com properties dialog opens, and I locate the Trusts tab. Click New Trust and the New Trust Wizard dialog appears. Follow the wizard: click the "Next" button, type "redmond.corp.com" in the trust name step and click the "Next" button. At the Direction of Trust step I select "Two-way" and click "Next". Select "This domain only" at the Sides of Trust step and click "Next". At the Outgoing Trust Authentication Level step I select "Selective authentication" and click "Next". Type the trust password twice and click "Next". Trust Selections Complete appears and I click "Next" twice. Now I select "Yes, confirm the outgoing trust" at the Confirm Outgoing Trust step and click "Next". At last I click "Finish". All looks fine. But how do I use the redmond\darbin account to log on to my server?
To clarify "I just have a domain account, "redmond\darbin", without admin privilege": I assume you have a computer, and now you want to add your computer to one domain (i.e. redmond); to do that you obviously need a domain account like "redmond\darbin". How can you have the admin privilege for the redmond domain?
May 2nd, 2012 7:30am

"To clarify "I just have a domain account, "redmond\darbin", without admin privilege": I assume you have a computer, and now you want to add your computer to one domain (i.e. redmond); to do that you obviously need a domain account like "redmond\darbin". How can you have the admin privilege for the redmond domain?"
This is not true if no group policy has been defined for this. By default, domain users who don't have admin access can join 10 computers to the domain. Refer to the link below: http://social.technet.microsoft.com/Forums/en/winserverGP/thread/17d7053e-4433-4f51-a7be-c58164c84990 Check if the group policy is defined for this (Computer Configuration | Windows Settings | Security Settings | User Rights Assignment | Add Workstations to the Domain). If it is defined, then yes, they need admin access to join the computer account. I hope I am making sense here.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 2nd, 2012 8:05am
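
The two settings the reply above refers to can be read directly, shown here as an added example that is not part of the thread: the per-user join limit is the domain's ms-DS-MachineAccountQuota attribute, and the "Add workstations to domain" right appears as SeMachineAccountPrivilege in a secedit export. It assumes an elevated PowerShell session with the ActiveDirectory module; the function name and the sample export text are constructed for illustration.

```powershell
# Added example, not from the thread. Audits who may join computers to a domain.
# Assumptions: elevated session; ActiveDirectory module installed for the live part;
# Get-JoinRightHolder is a hypothetical helper name.

function Get-JoinRightHolder {
    # Takes the lines of a "secedit /export /areas USER_RIGHTS" file and returns
    # the entries granted SeMachineAccountPrivilege ("Add workstations to domain").
    param([string[]]$InfLines)
    foreach ($line in $InfLines) {
        if ($line -match '^\s*SeMachineAccountPrivilege\s*=\s*(.*)$') {
            return @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right not listed: nobody holds it through this policy
}

function Resolve-Holder {
    # Translates a SID string to an account name; leaves plain names untouched.
    param([string]$Entry)
    if ($Entry -notmatch '^S-1-') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Entry
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # unresolvable SID (for example from a domain that is gone)
    }
}

# Constructed sample export, so the parser can be exercised without a domain.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
'@ -split "`r?`n"

"Sample export grants the join right to:"
Get-JoinRightHolder $sampleInf | ForEach-Object { "  $(Resolve-Holder $_)" }

# Live checks, only when the ActiveDirectory module is present.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName

    # Number of computer accounts an ordinary user may create (default 10; 0 disables it).
    $quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    "ms-DS-MachineAccountQuota on ${domainDn}: $quota"

    # Effective user rights on this machine; run on a domain controller to see
    # the right that governs joins to the domain.
    $tmp = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    "Join right on this machine is held by:"
    Get-JoinRightHolder (Get-Content $tmp) | ForEach-Object { "  $(Resolve-Holder $_)" }
    Remove-Item $tmp

    # Computer accounts created through the quota record the creator's SID.
    "Computer accounts created by non-administrative users, per creator:"
    Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID' |
        Group-Object { $_.'ms-DS-CreatorSID'.Value } |
        ForEach-Object { "  $(Resolve-Holder $_.Name): $($_.Count)" }
}
```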

This topic is archived. No further replies will be accepted.
