Unfortunately, the Active Directory Domains and Trusts MMC Snap-in (domain.msc) lets you create an outgoing trust to a Domain Controller (in other words: specifying the name of a Domain Controller as the name of the Domain to trust). Even more unfortunately, you are not able to revert this change by the GUI. If you try to remove this trust, you will get a warning pop-up with the following message:
An internal error occurred.

Trying to delete it via netdom:

netdom trust my.domain.local /domain:dc1 /oneside:trusting /remove /force

also fails with the same message:

An internal error occurred.
So how can I delete such a trust object?
The creation of a trust creates at least two objects in the domain partition:

1. Trusted Domain (class trustedDomain) that has the name of the trusted domain.
2. User (class user) with the name <NetBIOS name of the domain>$. This hidden user account (only viewable by ADSI editor or similar "raw" tools) will contain the trust password provided during the creation of the trust object.

When providing the name of a Domain Controller as the name of a Domain to trust, the second object cannot be created, because the name already exists in the computer account of the Domain Controller, thus leaving the trust object corrupted.
To delete this corrupted trust object, go to the System container and delete it manually. You have to be a member of the Enterprise Admins group or have corresponding delegated access rights to perform this deletion. You can access the System container by the Active Directory Users and Computers MMC Snap-in (dsa.msc) when enabling Advanced Features in the View menu OR by using the ADSI editor and accessing the domain partition.
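As an added example (not code from the answer above), the following PowerShell script applies the answer's description to find the corrupted object: it lists every trustedDomain object in the System container and checks whether the matching "<NetBIOS name>$" trust account exists, flagging trusts without one so they can be reviewed and deleted. It assumes the ActiveDirectory module is available and that the caller can read CN=System; the deletion is left in -WhatIf mode.

```powershell
# Added example, not part of the original answer. Enumerates trustedDomain objects
# under CN=System and checks for the interdomain trust account the answer describes.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$systemDN = "CN=System,$domainDN"

$trusts = Get-ADObject -SearchBase $systemDN -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties flatName, trustPartner, trustDirection

foreach ($t in $trusts) {
    # The trust account is a user object named "<NetBIOS name>$" with the
    # INTERDOMAIN_TRUST_ACCOUNT bit (0x800 = 2048) set in userAccountControl.
    # objectCategory=person excludes computer accounts, which also derive from the
    # user class; that matters here because the broken trust collides with a
    # Domain Controller's computer account of the same name.
    $sam = "$($t.flatName)`$"
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=2048))"
    $account = Get-ADObject -LDAPFilter $filter

    if ($account) {
        Write-Output "OK       $($t.trustPartner): trust account $sam present"
    } else {
        Write-Warning "ORPHANED $($t.trustPartner): no trust account $sam found; review before deleting"
        # Inspect $t.DistinguishedName first, then drop -WhatIf to delete it
        # (Enterprise Admins membership or delegated rights on CN=System required).
        Remove-ADObject -Identity $t.DistinguishedName -Confirm:$false -WhatIf
    }
}
```

Deleting a trustedDomain object that still has a valid trust account would break a working trust, so only remove objects the check reports as orphaned and that you have confirmed correspond to the mistakenly created entry.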