Hi. I'm trying to convert a one-way external trust to two-way, but the admin doing the other side is getting the error:
"cannot continue. there is a trust to the windows domain yet the domain cannot be contacted. the trust is in an inconsistent state. to fix this problem delete and recreate the trust"
when trying to go through the 'new trust, convert one-way to two-way' procedure.
I'm not keen to reset the trust unnecessarily, in case it breaks altogether (still appears to function at the moment), and not keen to delete and recreate in case there are underlying AD problems that prevent its being recreated quickly.
Does anyone have any experience of this/advice?
Also, if we try to 'validate' the trust in AD Domains and Trusts, might it break the trust in trying to reset it? The blurb says 'validate and reset', so I'm cautious. Any advice much appreciated.
EdT.

What kind of trust are we talking about here? Within the Forest or Forest to Forest trust?
I don't recall ever hearing of "converting" a trust. I suspect your issue is due to not deleting the existing trust and then simply creating a two way trust.
Perhaps this will help
http://technet.microsoft.com/en-us/...

Thanks for the reply.
These are two domains in separate Windows 2003 forests, and the existing one-way trust between them is an external, nontransitive, trust between the two domains, rather than a forest trust.
The MS documentation I've read talks of 'converting' this to a two-way trust (which is what the customer wants) via the domains and trusts GUI. The method is to select 'New trust' and enter the domain name, at which point Windows detects the existing trust and asks if you want to convert it to two-way. If you say 'no', it won't progress.
I suspect it actually creates a second, independent one-way trust in the other direction, because you can use a different password to that used for the original trust, and the two appear in the 'trusted' and 'trusting' windows, apparently as separate entities which can then be validated, deleted etc., independently.
I tried this in the lab, and all went smoothly. However, in live, the customer's side is giving the 'inconsistent state' error. I don't have admin access to diagnose it, and I'm concerned that it may be symptomatic of an underlying AD issue that may prevent the trust being recreated, if we delete and recreate it as the error message advises. So I wondered whether anyone had encountered it and could advise whether the implications of the error message are dire or trivial.

External Trusts
An external trust is a trust relationship that can be created between Active Directory domains that are in different forests or between an Active Directory domain and a Windows NT 4.0 or earlier domain. An external trust relationship has the following characteristics:
It is nontransitive.
It must be established manually in each direction to create a two-way external trust relationship. In Windows Server 2003 you can create both sides of the external two-way trust at once by using the New Trust Wizard.
It enforces SID filter quarantining by default in Windows Server 2003. External trusts created from the trusting domain use SID filter quarantining to verify that incoming authentication requests made from security principals in the trusted domain contain only SIDs of security principals in the trusted domain. SID filter quarantining ensures that any misuse of the SID history attribute on security principals (including inetOrgPerson) in the trusted forest cannot pose a threat to the integrity of the trusting forest.
From here
http://technet.microsoft.com/en-us/...
Appears to me that you are to leave the existing trust alone and manually create the 2nd trust.
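
A read-only way to list the properties discussed in this thread (trust direction, trust type, SID filtering status) for each trust of the current domain, as an added example that is not part of the original posts. It uses the .NET System.DirectoryServices.ActiveDirectory classes from PowerShell and assumes a domain-joined machine and an account that can read the domain's trust information.

```powershell
# Added example: read-only inventory of the current domain's trust relationships.
# Nothing here creates, resets or deletes a trust; it only reads properties.
# Assumption: run on a domain-joined machine by an account allowed to read trust data.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($trust in $domain.GetAllTrustRelationships()) {

    # Ask whether SID filtering is enabled for this trust partner.
    # The call can throw (for example when the trust information cannot be read),
    # so record the error text instead of aborting the whole inventory.
    try {
        $sidFiltering = $domain.GetSidFilteringStatus($trust.TargetName)
    }
    catch {
        $sidFiltering = "unknown: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Source       = $trust.SourceName      # this domain
        Target       = $trust.TargetName      # the trust partner
        Type         = $trust.TrustType       # e.g. External, Forest, ParentChild
        Direction    = $trust.TrustDirection  # Inbound, Outbound or Bidirectional
        SidFiltering = $sidFiltering          # True/False, or the error text
    }
}

# External trusts are the ones this thread is about; show them first.
$report |
    Sort-Object @{ Expression = { $_.Type -ne 'External' } }, Target |
    Select-Object Source, Target, Type, Direction, SidFiltering |
    Format-Table -AutoSize
```

Running it on both sides of the trust and comparing the Direction values shows whether each domain records the relationship the same way.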
