You Cannot Create a Trust Relationship and a STATUS_OBJECT_NAME_COLLISION Error Occurs

Symptoms

If you add a Windows NT 4.0 trusting domain from a Windows 2000 domain, you may not be able to create a trust relationship, and you may receive the following error message:

Windows Title: Active Directory
The trust relationship cannot be modified. This could be caused by network problem or the objects that represent the trust relationship have become damaged. If the later, then the trust must be removed and recreated.
If you use a command-line utility (for example, Trustdom.exe) to add a trusting domain, you may receive the following error message:

...
LsaCreateTrustedDomainEx on trusted_domain for trusting_domain failed with 0xc0000035
...
The command failed : err 0xc0000035
The 0xc0000035 error code is mapped to STATUS_OBJECT_NAME_COLLISION. The STATUS_OBJECT_NAME_COLLISION error may occur if a duplicate domain security identifier (SID) is detected.

Cause

This problem may occur if the domain to which you are adding a new trusting domain already has already a trust with another domain, and the two domains have the same domain SID. Consider the following scenario:

  • You use a Windows 2000 domain that acts as the account domain, which is named "AccountDom."
  • You use two other Windows NT 4.0 domains that act as resources domains, which are named "ResourceDom1" and "ResourceDom2."
In this scenario, ResourceDom1 and ResourceDom2 both have the same domain SID. The domains may have the same SID if you either clone the installation or you split an original Windows NT 4.0 domain into two domains. The Windows 2000 domain already has a trust relationship with one of these domains, for example, ResourceDom1 already trusts AccountDom. If you try to add a new trusting domain (ResourceDom2) from the AccountDom domain, you receive the error message that is described in the "Summary" section of this article.

More Information

If you add a new trusting domain from a Windows 2000 domain, the domain controller for which you define the new trust performs the following tasks:

  1. The domain controller sends name queries about Trusting_domain_1c.

    The domain controller eventually sends name queries about Trusting_domain_1b).
  2. The domain controller sends the security account manager (SAM) logon request
  3. The domain controller sends a query for the primary domain controller (PDC).
  4. The domain controller establishes a Server Message Block Protocol (SMB) session to IPC$ of one domain controller from the trusting domain.

    If this procedure fails, the domain controller establishes an SMB session without using credentials (it establishes an anonymous connection).
  5. The domain controller creates a \LSARPC pipe.
  6. The following data describes the Microsoft Remote Procedure Call (RPC) traffic that is related to LSA:

    Bind to UUID12345678-1234-ABCD-EF00-0123456789AB (is related to LSARPC)
    Calls Lsarpc:LsarOpenPolicy2 (Opnum : 0x2C)
    Calls Lsarpc: LsarQueryInformationPolicy2 (OpNum : 0x2E)
    NOTE: The preceding call occurs twice if the return code is 0x1c010002.


    Calls Lsarpc:LsarQueryInformationPolicy (Opnum : 0x7)
    NOTE: This preceding call allows you to retrieve the name and SID of the system's primary domain.

  7. The domain controller logs off the SMB session, and then disconnects.
In this scenario, if you add the trusting domain while all trusting domain controllers are unreachable (for example, if the trusting domain SID cannot be collected by the process that is described in the preceding section), the trust object is created successfully but the trust type is set to "Non-Windows Kerberos Realm."


A Windows trusting domain cannot use this trust. The network trace lists the trusting domain SID. Use the following command line to retrieve the SIDs for all the domains for which a given domain has trusts:

trustdom -sidlist
If you compare the trusts, you can determine if duplicate SIDs exist.



Propriedades

ID do Artigo: 311242 - Última Revisão: 1 de mar de 2007 - Revisão: 1

Comentários