
Error message when you create the trusted side of a trust between Windows Server 2003-based domains: "The parameter is incorrect"



Symptoms

Consider the following scenario. You have two Windows Server 2003-based domains. The domains reside in two separate forests together with other domains. You want to create a trust between these two domains. However, when you try to create the trusted side of this trust, you receive the following error message:
The parameter is incorrect
This problem occurs when you use either the New Trust Wizard or a netdom trust command to create the trust.



Cause

Before the Local Security Authority (LSA) creates the trust, the LSA verifies the consistency of the parameters. Between the new trust partner and all other domains that are in the same forest as the trust partner, the following items must be unique:
  • The NetBIOS name of the domain
  • The fully qualified domain name (FQDN) of the domain
  • The security identifier (SID) of the domain
You cannot create the trust if one of the three items has duplicates.



Resolution

If the names of two domains collide, you can rename one of the domains. If the SIDs of the domains are duplicates, you have to remove one of the domains. Typically, this situation occurs when one of the following scenarios exists:
  • One domain was cloned from the other domain.
  • Before a computer became the first domain controller in either of the two domains, you cloned this computer without using the SYSPREP tool.
Alternatively, you can migrate one of the domains to a new domain. However, you cannot migrate a domain to a new SID by using the sIDHistory property. Even if you successfully create a trust after you migrate one of the domain SIDs, you still have duplicate SIDs in user access tokens. Then, users who have duplicate SIDs can access resources that they should be unable to access.
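
The consistency check from the Cause section, sketched as an added Python example (not Microsoft code, and not how the LSA is implemented): it compares a new trust partner with a list of other domains and pairs each duplicate with the remedy given in this section. The `Domain` record, the function names, and all domain names and SIDs are constructed for illustration; which domains go into the comparison list is left to the caller.

```python
# Added example: models the uniqueness rule (NetBIOS name, FQDN, SID).
# All domain names and SIDs below are constructed sample data.
from typing import NamedTuple

class Domain(NamedTuple):
    netbios: str
    fqdn: str
    sid: str

def _norm_name(name: str) -> str:
    # NetBIOS and DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().rstrip(".").lower()

def _norm_sid(sid: str) -> str:
    return sid.strip().upper()

# Remedy per duplicated item, as given in the Resolution section.
ADVICE = {
    "netbios": "rename one of the domains",
    "fqdn": "rename one of the domains",
    "sid": "remove one of the domains, or migrate it to a new domain",
}

def find_collisions(partner: Domain, others: list[Domain]) -> list[tuple[str, str, str]]:
    """Return (item, colliding domain FQDN, advice) for every duplicate found."""
    hits = []
    for other in others:
        if _norm_name(partner.netbios) == _norm_name(other.netbios):
            hits.append(("netbios", other.fqdn, ADVICE["netbios"]))
        if _norm_name(partner.fqdn) == _norm_name(other.fqdn):
            hits.append(("fqdn", other.fqdn, ADVICE["fqdn"]))
        if _norm_sid(partner.sid) == _norm_sid(other.sid):
            hits.append(("sid", other.fqdn, ADVICE["sid"]))
    return hits

# Constructed inventory: "lab" was cloned from "corp" without SYSPREP, so the SIDs match;
# a second domain reuses the NetBIOS name in a different case.
PARTNER = Domain("CORP", "corp.example.com", "S-1-5-21-1000000001-2000000002-3000000003")
OTHERS = [
    Domain("LAB", "lab.example.net", "S-1-5-21-1000000001-2000000002-3000000003"),
    Domain("corp", "corp.example.net.", "S-1-5-21-1000000004-2000000005-3000000006"),
    Domain("SALES", "sales.example.net", "S-1-5-21-1000000007-2000000008-3000000009"),
]

if __name__ == "__main__":
    for item, domain, advice in find_collisions(PARTNER, OTHERS):
        print(f"duplicate {item} with {domain}: {advice}")
```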



More information

For more information about the netdom trust command, visit the following Microsoft Web site:
For more information about the sIDHistory property and migration, click the following article number to view the article in the Microsoft Knowledge Base:
322970 How to troubleshoot inter-forest sIDHistory migration with ADMTv2



Keywords: KB930218, kbprb, kbexpertiseinter, kbtshoot, kberrmsg


Article Info
Article ID : 930218
Revision : 2
Created on : 1/4/2007
Published on : 1/4/2007
Exists online : False