Microsoft KB Archive/930218

= Error message when you create the trusted side of a trust between Windows Server 2003-based domains: &quot;The parameter is incorrect&quot; =

Article ID: 930218

Article Last Modified on 1/4/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



SYMPTOMS
Consider the following scenario. You have two Windows Server 2003-based domains. The domains reside in two separate forests together with other domains. You want to create a trust between these two domains. However, when you try to create the trusted side of this trust, you receive the following error message:

The parameter is incorrect

This problem occurs when you use either the New Trust Wizard or a netdom trust command to create the trust.



CAUSE
Before the Local Security Authority (LSA) creates the trust, the LSA verifies the consistency of the parameters. Between the new trust partner and all other domains that are in the same forest as the trust partner, the following items must be unique:
 * The NetBIOS name of the domain
 * The fully qualified domain name (FQDN) of the domain
 * The security identifier (SID) of the domain

You cannot create the trust if one of the three items has duplicates.



RESOLUTION
If the names of two domains collide, you can rename one of the domains. If the SIDs of the domains are duplicate, you have to remove one of the domains. Typically, this situation occurs when one of the following scenarios exists:
 * One domain was cloned from the other domain.
 * Before a computer became the first domain controller in either of the two domains, you clone this computer without using the SYSPREP tool.

Alternatively, you can migrate one of the domains to a new domain. However, you cannot migrate a domain to a new SID by using the sIDHistory property. Even if you successfully create a trust after you migrate one of the domain SIDs, you still have duplicate SIDs in user access tokens. Then, users who have duplicate SIDs can access resources that they should be unable to access.



MORE INFORMATION
For more information about the netdom trust command, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/539c5381-db4f-445f-aac0-2df5448181c11033.mspx?mfr=true

For more information about the sIDHistory property and migration, click the following article number to view the article in the Microsoft Knowledge Base:

322970 How to troubleshoot inter-forest sIDHistory migration with ADMTv2

Keywords: kberrmsg kbtshoot kbexpertiseinter kbprb KB930218

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.