KB5040758: Deleting a stale, corrupt, or orphaned Trust object in Active Directory
Introduction
Objects that are stored in Active Directory may become stale, corrupt, or orphaned because of replication conflicts.
This article focuses on trust objects, which can be identified by the INTERDOMAIN_TRUST_ACCOUNT bit (0x0800, decimal 2048) in the userAccountControl attribute. For detailed information about this bit, see userAccountControl Bits.
Symptoms
Trust relationships are represented in Active Directory by the following:
A trust account: a user object whose sAMAccountName is the trusted domain's NetBIOS name followed by a trailing $ character.
A trusted domain object (TDO) stored in the System container of the domain directory partition.
Creating duplicate trusts creates two objects that have the same Security Account Manager (SAM) account name. SAM resolves the conflict by renaming the second object to $DUPLICATE-<Account RID>. The duplicate object cannot be deleted by the usual tools and becomes "orphaned."
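The following PowerShell script is an added example, not part of KB5040758, that inventories trust accounts in the current domain and flags the two symptoms described above: accounts that carry the $DUPLICATE- rename, and accounts that have no trusted domain object (TDO) under CN=System with a matching flatName. It assumes the ActiveDirectory module is available and that, as is the default, each trust account is named after the TDO's flatName plus a trailing $.

```powershell
# Added example (not from KB5040758): find trust accounts that are
# duplicates or that have no matching TDO, which marks them as orphaned.
Import-Module ActiveDirectory

$INTERDOMAIN_TRUST_ACCOUNT = 0x0800   # userAccountControl bit for trust accounts
$domain   = Get-ADDomain
$systemDn = "CN=System,$($domain.DistinguishedName)"

# Every live trust has a TDO under CN=System; its flatName is the trusted
# domain's NetBIOS name, and the paired trust account is "<flatName>$".
$tdoFlatNames = @(Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
        -SearchBase $systemDn -Properties flatName |
    Where-Object { $_.flatName } |
    ForEach-Object { $_.flatName.ToUpperInvariant() })

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests the UAC bit server-side,
# so only trust accounts come back, however they are named.
$filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$INTERDOMAIN_TRUST_ACCOUNT))"
$trustAccounts = Get-ADObject -LDAPFilter $filter `
    -Properties sAMAccountName, userAccountControl, whenCreated

foreach ($acct in $trustAccounts) {
    $sam = $acct.sAMAccountName
    # SAM renames the loser of a name collision to $DUPLICATE-<RID>.
    $isDuplicate = $sam -like '$DUPLICATE-*'
    # Strip the trailing $ to recover the NetBIOS name the account was created for.
    $flat = $sam.TrimEnd('$').ToUpperInvariant()
    $hasTdo = (-not $isDuplicate) -and ($tdoFlatNames -contains $flat)

    [pscustomobject]@{
        DistinguishedName = $acct.DistinguishedName
        sAMAccountName    = $sam
        WhenCreated       = $acct.whenCreated
        HasTdo            = $hasTdo
        Status            = if ($isDuplicate) { 'Duplicate ($DUPLICATE- rename)' }
                            elseif (-not $hasTdo) { 'Orphaned (no TDO)' }
                            else { 'OK' }
    }
}
```

Run it on a domain controller or a host with RSAT; anything reported as Duplicate or Orphaned is a candidate for the procedure in the Resolution section, while rows marked OK belong to live trusts and must be managed through Active Directory Domains and Trusts. Trust accounts are security principals with a password, so an orphaned one is worth removing rather than ignoring.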
Cause
This issue occurs because trust objects are owned by the system and can be modified or deleted only by administrators who use the Active Directory Domains and Trusts MMC snap-in. This behavior is by design.
Resolution
After you install the May 14, 2024 Windows updates on domain controllers that run Windows Server 2019 or a later version of Windows Server, you can delete orphaned trust accounts by using the schemaUpgradeInProgress rootDSE modify operation.
To help administrators of Windows Server 2019 and Windows Server 2022 deal with stale, corrupt, or orphaned trust objects in Active Directory, Microsoft has published KB5040758.
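The following PowerShell script is an added example, not the procedure text of KB5040758, showing one way to issue the schemaUpgradeInProgress operation named above and then delete a single orphaned trust account. It assumes that the target domain controller has the May 14, 2024 update installed, that ldifde.exe is available, and that the schemaUpgradeInProgress flag applies only to the LDAP connection on which it is set (the reason both LDIF records are sent in one ldifde import rather than two). The parameter names and the temporary file path are this example's own choices.

```powershell
# Added example (not from KB5040758): delete one orphaned trust account by
# setting schemaUpgradeInProgress on rootDSE and deleting the object on the
# same LDAP connection via a single ldifde import.
param(
    # DN of the orphan, e.g. 'CN=$DUPLICATE-1234,CN=Users,DC=contoso,DC=com'
    [Parameter(Mandatory)][string]$OrphanDn,
    # Must be a DC that has the May 14, 2024 update installed.
    [string]$Server = (Get-ADDomainController).HostName
)
Import-Module ActiveDirectory

# Safety check 1: refuse to touch anything that is not a trust account.
$obj = Get-ADObject -Identity $OrphanDn -Server $Server -Properties userAccountControl, sAMAccountName
if (-not ($obj.userAccountControl -band 0x0800)) {
    throw "$OrphanDn does not have INTERDOMAIN_TRUST_ACCOUNT set; refusing to delete."
}

# Safety check 2: if a TDO still names this account, it is a live trust, not an orphan.
$flat     = $obj.sAMAccountName.TrimEnd('$')
$systemDn = "CN=System,$((Get-ADDomain -Server $Server).DistinguishedName)"
if (Get-ADObject -LDAPFilter "(&(objectClass=trustedDomain)(flatName=$flat))" `
        -SearchBase $systemDn -Server $Server) {
    throw "A trusted domain object for '$flat' still exists; manage it with Active Directory Domains and Trusts instead."
}

# Record 1 sets the flag on rootDSE (empty DN); record 2 deletes the orphan.
# ldifde sends both on one connection, which is what the flag requires.
$ldif = @"
dn:
changetype: modify
replace: schemaUpgradeInProgress
schemaUpgradeInProgress: 1
-

dn: $OrphanDn
changetype: delete

"@
$ldifPath = Join-Path $env:TEMP 'delete-orphaned-trust.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f input file, -s target DC, -j directory for ldif.log / ldif.err
ldifde.exe -i -f $ldifPath -s $Server -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err"
}
Remove-Item $ldifPath
Write-Host "Deleted orphaned trust account $OrphanDn on $Server"
```

Run it as a member of Domain Admins against a single, named DC so that the rootDSE modify and the delete cannot be split across servers; on a DC without the update, the delete is still refused and ldifde reports the error in ldif.err. Verify afterwards with a replication check that the deletion converged before removing any other orphans.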