Recently I had to remove an External Trust between two domains and replace it with a Forest Trust. Simple work for an Active Directory consultant, you might think, but as with most consultancy work, it’s the simple stuff that catches you out!
After removing the external trust, I validated that it had indeed been removed by checking in Active Directory Domains & Trusts, and also by running netdom query trust. However when trying to create the new Forest Trust, an error message was shown stating that an external trust still existed. More specifically, the error stated:
A trust relationship with the domain you specified already exists
It turned out that, although both the GUI and the netdom commands showed that the trust had been deleted, a stale object still existed. To remove this object, ADSIEdit.msc was used, which is always a risky business! The process for this was:
- Open ADSIEdit.msc – If you are running Server 2003, you must install the Windows Server 2003 Support Tools
- Connect to the Domain partition
- Expand the System container
- Find the stale object, the name of this will be of the domain being trusted, and the class is trustedDomain
- Delete this trust object
This should allow you to create the new trust object.