Microsoft KB Archive/102650


Reestablishing a Lost Trust Relationship

PSS ID Number: 102650

Article Last Modified on 8/8/2001

The information in this article applies to:

  • Microsoft Windows NT Advanced Server 3.1

This article was previously published under Q102650

When a trust relationship is broken at one end, whether because a server went down or because someone removed the relationship in User Manager, it is not enough to add the trust relationship back in the domain where it was broken. Administrators of the domains involved must remove the trust relationship and then re-create it.


When a trust relationship is established between two domains, the password used to create the relationship is immediately changed by the operating system, even if there was no initial password. The controllers and servers for both domains know the new password. The new password is not visible to the users, however. This password change happens regularly to provide extra security. Because of this, once the trust relationship is broken, the only way to reestablish the trust is to reset it completely on both ends, which serves to reset the password.

One side effect of the automatic password change is that the administrator of the trusting domain gets only one chance to create the trust relationship once the administrator of the trusted domain has set up the other end. If the password is typed incorrectly, it will no longer be valid, because the system will have automatically changed it. In this situation, the administrator of the trusted domain must remove the trusting domain from his or her list of "domains permitted to trust" and add it back in again; the administrator on the other end should then try again to establish the relationship.
