binnykuriakose
asked on
Cannot create forest trust
I am trying to create a two-way forest trusts between 2 windows 2003 forests that are operating at 2003 forest functional levels. It creates fine on forest A but not forest B. DNS Zones are appropriately created in each forest. The only error given is:
"The trust relationship cannot be created because the following error occurred:
The operation failed. The error is: the parameter is incorrect."
How do I determine which parameter it is having a problem with.
ASKER
Yes, able to ping FQDN. Trying to create the trusts with the root DCs. Not working.
Any ideas?
The way I'd attempt to set it up is as follows:
1) Rather than creating zones on opposite DNS server, we would use Conditional Forwarding for the domains in question. This is set up on the Forwarders tab.
2) Once done, ping fqdn and NetBIOS domain names to see if they resolve. NetBIOS may not.
3) Create one end of each trust on one server, then attach to the other and do the same.
Relying on secondary zones doesn't give you the SRV records you need to get proper lookups.
ASKER
OK, tried that. Still no luck. Can you suggest any other methods, or how the error can be narrowed down?
You're pretty fast!
So you now no longer host any zones from the opposite Forests - correct? You need to delete them and allow replication to clean up the remaining zones from the other DNS server before moving forward.
Once added as a Forwarder, you should be able to use NSLOOKUP to do a DC lookup from the opposite domain and get a proper reply.
Once that works, then use FQDN in the Trust. Do one end at a time to see where it falls down (if it does).
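The three steps above (conditional forwarder instead of a secondary zone, name resolution check, then the trust) and the NSLOOKUP DC lookup suggested in this reply can be scripted as a pre-flight check. The following PowerShell is an added example, not code from the thread or from Microsoft; the forest name forestb.example and the DNS server 192.0.2.10 are constructed placeholders, and the forwarder step uses the DnsServer module (Windows Server 2012 and later), with the Server 2003 `dnscmd` equivalent noted in the comment.

```powershell
# Added example (not from the original thread). Assumed/constructed values:
#   'forestb.example' is the remote forest's DNS name and 192.0.2.10 is a DNS
#   server authoritative for it; replace both with your own.
# Run on a domain controller in the local forest as a domain admin.
# Step 1 needs the DnsServer module (Server 2012+). On Server 2003 the same
# forwarder is created with:  dnscmd /ZoneAdd forestb.example /Forwarder 192.0.2.10

param(
    [string]$RemoteForest = 'forestb.example',
    [string[]]$RemoteDns  = @('192.0.2.10')
)

# Step 1: conditional forwarder for the remote forest instead of hosting a
# secondary copy of its zone. A leftover secondary zone with the same name
# has to be deleted first, so refuse to continue if one is present.
function Set-RemoteForestForwarder {
    param([string]$Zone, [string[]]$Masters)
    $existing = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters
        return 'created'
    }
    if ($existing.ZoneType -ne 'Forwarder') {
        throw "Zone $Zone exists as $($existing.ZoneType); delete it before adding a forwarder."
    }
    return 'already-forwarder'
}

# Step 2: the DC locator SRV records under _msdcs that trust creation relies on.
# This is the scripted form of: nslookup -type=SRV _ldap._tcp.dc._msdcs.<forest>
function Get-RemoteForestDcSrv {
    param([string]$Forest)
    $names = @(
        "_ldap._tcp.dc._msdcs.$Forest",
        "_kerberos._tcp.dc._msdcs.$Forest"
    )
    foreach ($n in $names) {
        $rr = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
        if (-not $rr) { Write-Warning "No SRV answer for $n" }
        foreach ($r in $rr) {
            [pscustomobject]@{ Record = $n; Target = $r.NameTarget; Port = $r.Port }
        }
    }
}

# Step 3: every DC the SRV records point at must answer on the ports the trust
# wizard uses (LDAP 389, Kerberos 88, RPC endpoint mapper 135, SMB 445).
function Test-RemoteDcPorts {
    param([string[]]$Targets)
    $ports = 389, 88, 135, 445
    foreach ($t in ($Targets | Sort-Object -Unique)) {
        foreach ($p in $ports) {
            $ok = (Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ Dc = $t; Port = $p; Open = $ok }
        }
    }
}

Set-RemoteForestForwarder -Zone $RemoteForest -Masters $RemoteDns
$srv = Get-RemoteForestDcSrv -Forest $RemoteForest
$srv | Format-Table -AutoSize
Test-RemoteDcPorts -Targets ($srv | ForEach-Object Target) | Format-Table -AutoSize
```

Run it on the root DC of each forest, pointed at the other forest, before opening the trust wizard; a missing SRV answer or a closed port is a concrete thing to fix, whereas the wizard's "the parameter is incorrect" message is not. The port list covers the TCP side only; RPC also uses dynamic high ports, so a clean pass here does not rule out a filter on those.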
ASKER
OK, I think I got somewhere with this. I believe the issue is that a trust somehow already exists between the forests even though none is listed in the 'Domains and Trusts' MMC. I can confirm this since when I type "\\domain.root" from a Run command (from either forest), it opens the domain share with SYSVOL, etc. listed. I can browse policies, etc. Forest B is a VM on a box that is a member of a domain in Forest A. I don't think that is the problem since the VM knows it is a member of a domain in Forest B. Any idea how the trust is getting created?
One more twist: if I create a trust such that Domain B trusts Domain A, and I type "\\domain.root" (referring to Domain B) from a Run command (from Domain A), it will error out saying that the trust failed.
So when there are no valid trusts listed, it behaves as though there is one. When there is a valid trust listed, the trust relationship fails.
Any ideas?
ASKER
Actually, I realized that what I listed as an issue is probably OK. By default, all DCs allow everyone who can reach them on the network to browse their directories.
However, I still can't get the trusts created. The NSLOOKUPs of SRV records work fine.
OK, what account are you using to create the Trusts?
ASKER
It is the built-in Administrator account, which is a member of Domain Admins, Enterprise Admins, and Schema Admins.
Okay, that would work on one end, are you using the matching account on the other?
Do you have domain communication allowed through the firewall/router?
ASKER
yes. matching account on the other end. No FW or router.
Are these on the same wire?
Perhaps a short rundown of the setup may help in the thinking process.
ASKER
Yes. All on the same wire.
2 forests with 2 domains in each forest; 2 DCs in Domain A and 1 DC in Domain B.
Domain A also has a child domain.
All DCs are Windows 2003.
A trust can be made from Domain B (trusting Domain A).
A trust cannot be made from Domain A (trusting Domain B).
I believe the problem is with Domain B. Some issue is preventing Domain A from creating a trust with it.
How are the two subnets communicating? Are they VLAN'd? Is the routing between VLANs correct?
It seems like there is an access list one way that may be preventing some proper communication.
You are putting in the Root DC for Forest A when attempting the Trust from B - correct?
ASKER
No VLANs and only one subnet. Communication is not an issue. They can see each others resources and query SRV records fine.
What do you mean by "You are putting in the Root DC for Forest A when attempting the Trust from B - correct?"
There is no place to put a 'Root DC' during configuration, only the forest name. Am I missing a step?
Do you mean: am I configuring the trust on the Root DC? - I am.
ASKER CERTIFIED SOLUTION
ASKER
Yes. This is in a test environment. I now separated the forests to different subnets. The error persists.
I also tried moving the FSMO roles in Forest A to a new DC and creating the trust from the new DC with the FSMO roles. No luck.
Anything else that could help here?
ASKER
I rebuilt the DC and this resolved the issue. Not sure what the problem was, but thanks for troubleshooting.
Wow...well, there comes a point when it's more time-effective to start fresh. Sorry I couldn't put my finger on it for you.
I appreciate the points.
NM
You must create the Trusts with both Root DCs only.