Event ID 32772 — Trust Creation

Updated: November 25, 2009

Applies To: Windows Server 2008

yellow

You can create a trust relationship between two specified domains or forests.

Event Details

Product: Windows Operating System
ID: 32772
Source: LsaSrv
Version: 6.0
Symbolic Name: LSAEVENT_ITA_FOR_TRUST_NOT_CREATED
Message: The interdomain trust account for the domain %1 could not be created. The return code is the data.

Resolve

Reattempt trust creation

The trust was not created successfully, but it may have been created partially. Recreate the trust by removing any indication of a trust between these two domains and then creating a new trust relationship. Perform the following procedures using a domain member computer that has domain administrative tools installed.

To perform these procedures, you must have membership in Enterprise Admins, or you must have been delegated the appropriate authority.

To remove an existing trust relationship:

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start. In Start Search, type domain.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In Active Directory Domains and Trusts, right-click the object that represents the local domain, and then click Properties.
  3. On the Trusts tab, if there is a domain name listed for the trusting or trusted domain that was not created successfully, select it, and then click Remove:
    • If you have a two-way trust relationship, you can use the options in the Active Directory Domain Services dialog box to remove the incoming trust.
    • If you want to remove the incoming trust, you must enter a valid domain name\user name (for example, Contoso\TSmith) and password for an account in the remote domain with the authority to remove the trust relationship. (Typically, this is limited to the members of the Enterprise Admin group.)
    • If there is no entry related to the domain for which the trust relationship failed, go to the next procedure to create a new trust relationship.
  4. Click OK. Click Yes when you are prompted to confirm the removal of the trust relationship.

Repeat the previous procedure as needed for any other entries in either the Domains trusted by this domain (outgoing trusts) section or the Domains that trust this domain (incoming trusts) section that are related to the failed or unneeded trust relationships.

To create a new trust relationship:

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start. In Start Search, type domain.msc, and then press ENTER.
  2. In Active Directory Domains and Trusts, right-click the object that represents the local domain, and then click Properties.
  3. On the Trusts tab, click New Trust.
  4. In the New Trust Wizard, click Next.
  5. Type the name of the domain with which you want the local domain to establish a trust relationship, and then click Next.
  6. In Direction of Trust, select the appropriate direction for the trust relationship, and then click Next.
  7. In Sides of Trust, select This domain only or Both this domain and the specified domain to specify how much of the trust relationship you will create now:
    • If you select This domain only, someone must create the trust relationship from the other domain as well and they will require the trust password that you configure in the following steps. Click Next.

      If the trust direction is either Two-way or One-way: outgoing, you must select either Domain-wide authentication or Selective authentication , and then click Next. (Selective authentication restricts users to specific computers on the trusting domain for which the administrator configures groups or users from the trusted domain with the Allowed to Authenticate permission.)

      In Trust password, type a password that meets the security requirements of your domain password policy.

      In Confirm trust password, type the password again, and then click Next.

    • If you select Both this domain and the specified domain, click Next.

      In User Name and Password, you must enter the user name for the specified domain using the format of domain name\user name (for example, Contoso\TSmith) and the password. The user account must have appropriate permissions to be able to create the trust relationship (a user right that is typically limited to members of the Enterprise Admins group). Click Next.

  8. In Trust Selections Complete, click Next to create the trust. The trust is confirmed, and then you are presented with the option to configure the new trust.
  9. In Trust Selections Complete, click Next to configure the new trust:
    • If you created a Two-way or One-way: outgoing trust, in Confirm Outgoing Trust page, click either No, do not confirm the outgoing trust or Yes, confirm the outgoing trust, and then click Next. (If you partially created the trust by selecting This domain only earlier, do not confirm the trust until the other side of it is created from the trusting domain.)
    • If you created a Two-way or One-way: incoming trust, in Confirm Incoming Trust page, click either No, do not confirm the incoming trust or Yes, confirm the incoming trust, and then click Next. (If you partially created the trust by selecting This domain only earlier, do not confirm the trust until the other side of it is created from the trusted domain. You must enter credentials when you confirm the trust if you selected This domain only when you originally created the trust.)
  10. The Completing the New Trust Wizard page appears with the status of the trust confirmation operation.
  11. Click Finish. The Active Directory Domain Services dialog box may appear to inform you that security identifier (SID) filtering is enabled on this trust. Click OK.

Verify

Perform the following procedure using a domain member computer that has domain administrative tools installed.

To perform this procedure, you must have membership in Enterprise Admins, or you must have been delegated the appropriate authority.

To verify the trust relationship between the domains:

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start. In Start Search, type domain.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In Active Directory Domains and Trusts, right-click the object that represents the local domain, and then click Properties.
  3. In the Properties dialog box for the local domain, click the Trusts tab. You see a list of domains that are trusted by this domain, as well as the domains that are trusting this domain.
  4. Select the domain that has the trust relationship that you want to verify, and then click Properties.
  5. On the General tab in the Properties dialog box for the trusting or trusted domain, click Validate. If you have a two-way trust relationship, you can use options in the Active Directory Domain Services dialog box to validate the incoming trust. If you want to validate the incoming trust, you must enter a valid domain name\user name (for example, Contoso\TSmith) and password for an account in the remote domain with the authority to validate a trust relationship. (Typically, this is limited to the members of the Enterprise Admin group).
  6. Click OK. A dialog box appears that indicates the result of the trust verification. Click OK.

Related Management Information

Trust Creation

Active Directory

Community Additions

ADD
Show: