NickGT20 asked:
Setting up a two way transitive trust between two windows 2003 servers.

My company has two offices and two separate domains. I'm trying to migrate everything to a single domain.
I moved one of my domain controllers to the other office and joined some newly purchased machines to the new server. We are going to slowly move all the computers to this new domain.
My question is, in the meantime I want people and applications to be able to access resources on either domain without authentication. I tried to set up a two way transitive trust but I just can't seem to get it working.
Here are the steps I've taken so far.
1. Created a secondary DNS zone on each server with the master set to the other server for their respective zones. (all records appear ok and I can ping everything so I assume this is correct)
2. Raised the domain functional level to Windows 2003, since all my servers are running 2003, on both domains.
3. I can ping the domain name and the DC name of each server from each other.
4. I'm not sure if this makes a difference but I have two domain controllers in one site (my site) and the 3rd DC and the other entire domain are in another site. We are connected via a site to site VPN.
I'm using this link to set up the trust: http://technet2.microsoft.com/WindowsServer/en/library/60867a61-47d6-4731-bb01-28df99314f5d1033.mspx?mfr=true

When I try to set up the trust I get the following message:
===================================================================================================================
" You have successfully completed the New Trust Wizard, but the newly created relationship cannot be confirmed for the following reasons:
The verification of the incoming trust failed with the following error(s):
The trust password verification failed with error 5:Access is denied. A secure channel reset will be attempted.
The secure channel reset failed with error 5: Access is denied.

The verification of the outgoing trust failed with the following error(s):
The trust password verification test was inconclusive. A secure channel reset will be attempted.
The secure channel reset failed with error 1311:There are currently no logon servers available to service the logon request.

Before this trust can function, it must also be created in the other domain. Ensure that the same trust password is used in both domains.
==================================================================================================================
When I hit finish the trust is there on both domains. But it says Trust type, external. And under transitive it says no. This is for both incoming and outgoing on both servers.

Now I've tried different ways of setting it up, like just doing a two way trust on each domain to the other instead of both through one, but I get the same error.

Any ideas?


NickGT20 (asker):
Both servers list the trust as external and non-transitive. When I log onto the old domain and validate the trust, it says "The trust has been validated. It is in place and active." I get this result for both "domains trusted by this domain (outgoing trusts)" and "domains that trust this domain (incoming trusts)".

When I log onto the other server and try the same thing I get the following error:
The trust cannot be validated for the following reasons:
The secure channel (SC) reset on domain controller
\\rootserver.newdomain.com of domain newdomain.com to domain olddomain.local failed with error: There are currently no logon servers available to service the logon request.

The incoming trust was successfully validated.

Resetting the trust passwords might solve the problem. Do you want to reset the trust passwords?
no, do not reset the trust passwords.
Yes, reset the trust passwords.
I think I figured out the problem. When I reread the error it makes sense. Basically the DC that I'm setting up the trust with is in the same location as the other domain's DC. My forest root domain is in a different location and cannot resolve the other domain name. I'm going to create the secondary zone on this server as well and all my problems should be resolved.
I added a stub zone to my DC/forest root. Now I can ping the other DC on the other domain, but I still can't validate the trust. I'm going to let it cook overnight and try again tomorrow.
Ha, now it's validating but I'm still getting a secure channel error. Maybe due to it going over a VPN? Or could the PIX be blocking something?
ASKER CERTIFIED SOLUTION
Jay_Jay70 (Australia)
This solution is only available to members.

NickGT20 (asker):
Now I can validate from both domains, but it still lists it as an external non-transitive trust. Maybe this is the only way it can be?
It seems to be working so far so I'm going to have to say the solution was adding the stub zone to the forest root.
Jay_Jay70:
Yes, the stub zone would have fixed it, considering it now knows what and where to go with DNS. As far as the trust type, I am not certain so won't comment.
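The checks below walk through the three things this thread turned on (DC locator SRV resolution for the remote domain, the trust secure channel, and how the trust is recorded); this is an added diagnostic script, not code from the thread or from Microsoft, and it assumes a modern DC with the DnsServer and ActiveDirectory RSAT modules, a remote domain named olddomain.local and a placeholder remote DC address.

```powershell
# Added diagnostic (not from the thread). Run elevated on a DC of the local domain.
param(
    [string]$RemoteDomain    = 'olddomain.local',   # domain on the other side of the trust
    [string]$RemoteDnsServer = '192.0.2.10'          # PLACEHOLDER: IP of a DNS server in that domain
)

# 1. DC locator lookup for the remote domain. Error 1311 ("no logon servers
#    available") during a secure channel reset normally means this SRV query
#    fails on the DC doing the reset (here, the forest root without a zone).
$srv = "_ldap._tcp.dc._msdcs.$RemoteDomain"
$dcs = @()
try {
    $dcs = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    $dcs | ForEach-Object { "DC locator: {0}:{1}" -f $_.NameTarget, $_.Port }
} catch {
    Write-Warning "Cannot resolve $srv from this DC: $($_.Exception.Message)"
    Write-Warning "Every DC/DNS server that participates needs a zone for $RemoteDomain, e.g.:"
    Write-Warning "  Add-DnsServerStubZone -Name $RemoteDomain -MasterServers $RemoteDnsServer -ReplicationScope Forest"
}

# 2. The ports a trust needs through the site-to-site VPN / PIX. A blocked
#    port here produces the same "secure channel reset failed" symptom even
#    when DNS is correct. (Dynamic RPC ports above 49152 are needed as well.)
foreach ($dc in $dcs) {
    foreach ($port in 53, 88, 135, 389, 445, 464) {
        $r = Test-NetConnection -ComputerName $dc.NameTarget -Port $port -WarningAction SilentlyContinue
        "{0,-40} tcp/{1,-4} {2}" -f $dc.NameTarget, $port, ($(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }))
    }
}

# 3. Ask the locator directly (bypassing its cache) and verify the trust
#    secure channel; nltest reports the same Win32 codes the wizard showed
#    (5 = access denied, usually a trust-password mismatch; 1311 = no DC found).
nltest /dsgetdc:$RemoteDomain /force
nltest /sc_verify:$RemoteDomain

# 4. How the trust is recorded locally. A trust created between domains in
#    two separate forests is an external trust and is non-transitive by design.
Get-ADTrust -Filter "Name -eq '$RemoteDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
```

The "external, non-transitive" result the asker sees is expected for a domain-to-domain trust across forests; a transitive trust between two forests has to be created as a forest trust, which requires both forests (not just the domains) at the Windows Server 2003 functional level.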