Error Message When You Change the Trust to Bidirectional After an In-Place Migration

After an in-place migration of a trusted domain from Microsoft Windows NT 4.0 to Windows 2000, when you create a trust relationship in the opposite direction by using the Domain and Trusts Management console, you receive the following error message: You can use the Ldp.exe tool or the ADSIEdit Microsoft Management Console (MMC) snap-in to view the trust object. If the security identifier attribute does not exist, you must break the trust and rebuild it in Active Directory Domains and Trusts.

The trusted domain object in the System container for the migrated one-way trust does not have a security identifier (SID).

To provide the missing SID, delete and re-create the inbound trust. After you do this, you can establish an outbound trust to the trusting domain (a bidirectional trust).

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in Microsoft Windows XP.

Inbound-only trusts do not have a SID after an upgrade from Windows NT 4.0 to Windows 2000. Outbound and two-way trusts do have SIDs after an upgrade, because in Windows NT 4.0, they have an inter-domain trust account with a SID.

You can use Netdom.exe to automate the re-creation of the trust.