binnykuriakose

Cannot create forest trust

I am trying to create a two-way forest trust between 2 Windows 2003 forests that are operating at the 2003 forest functional level.  It creates fine on forest A but not forest B.  DNS zones are appropriately created in each forest.  The only error given is:

"The trust relationship cannot be created because the following error occurred:
The operation failed.  The error is:  the parameter is incorrect."

How do I determine which parameter it is having a problem with?
Netman66

Are you able to ping both the domain fqdn and servername of the other forest's Root DC?

You must create the Trusts with both Root DCs only.

binnykuriakose

ASKER

Yes.  Able to ping the FQDN.  Trying to create the trusts with the root DCs.  Not working.
Any ideas?

The way I'd attempt to set it up is as follows:

1)  Rather than creating zones on the opposite DNS server, we would use Conditional Forwarding for the domains in question.  This is set up on the Forwarders tab.
2)  Once done, ping fqdn and NetBIOS domain names to see if they resolve.  NetBIOS may not.
3)  Create one end of each trust on one server, then attach to the other and do the same.

Relying on secondary zones doesn't give you the SRV records you need to get proper lookups.
OK.  Tried that.  Still no luck.  Can you suggest any other methods, or how the error can be narrowed down?

You're pretty fast!

So you now no longer host any zones from the opposite Forests - correct?  You need to delete them and allow replication to clean up the remaining zones from the other DNS server before moving forward.

Once added as a Forwarder, you should be able to use NSLOOKUP to do a DC lookup from the opposite domain and get a proper reply.

Once that works, then use FQDN in the Trust.  Do one end at a time to see where it falls down (if it does).

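A diagnostic, added here and not part of the thread, that automates the checks Netman66 describes above: it resolves the SRV records for the other forest's DCs (which the conditional forwarder must answer) and then tests the ports trust creation needs against each DC it finds. Run it on the root DC of each forest pointed at the other forest's name. It assumes a current PowerShell host with Resolve-DnsName and Test-NetConnection; the forest name 'forestb.example' is a placeholder.

```powershell
# Added example, not the thread's own commands; 'forestb.example' is a placeholder.
function Test-ForestTrustPrereq {
    param([Parameter(Mandatory)][string]$RemoteForest)

    # SRV records used to locate a DC, a Kerberos KDC and a GC in the remote
    # forest; they live under _msdcs.<forest>, so the forwarder must answer them.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$RemoteForest",
        "_kerberos._tcp.dc._msdcs.$RemoteForest",
        "_ldap._tcp.gc._msdcs.$RemoteForest"
    )
    # DNS, Kerberos, RPC endpoint mapper, LDAP, SMB: ports a DC must reach
    # on the other forest's DC while the trust is created.
    $ports = 53, 88, 135, 389, 445
    $targets = @{}

    foreach ($name in $srvNames) {
        try {
            $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
        } catch {
            [pscustomobject]@{ Check = "SRV $name"; Result = "FAIL: $($_.Exception.Message)" }
            continue
        }
        if (-not $records) {
            [pscustomobject]@{ Check = "SRV $name"; Result = 'FAIL: no SRV answer' }
            continue
        }
        foreach ($r in $records) {
            [pscustomobject]@{ Check = "SRV $name"; Result = "OK -> $($r.NameTarget):$($r.Port)" }
            $targets[$r.NameTarget] = $true
        }
    }

    # Each DC named by the SRV records must also resolve and accept TCP on
    # the trust ports; a filtered port or a missing A record shows up here.
    foreach ($dc in $targets.Keys) {
        foreach ($port in $ports) {
            $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $result = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' }
            [pscustomobject]@{ Check = "TCP ${dc}:$port"; Result = $result }
        }
    }
}

Test-ForestTrustPrereq -RemoteForest 'forestb.example' | Format-Table -AutoSize
```

A FAIL on the SRV rows points at the forwarder or leftover secondary zones; a FAIL on the TCP rows points at the network path, which is the distinction the thread is trying to make.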
OK.  I think I got somewhere with this.  I believe the issue is that a trust somehow already exists between the forests even though none is listed in the 'Domains and Trusts' MMC.  I can confirm this since when I type "\\domain.root" from a Run command (from either forest), it opens the domain share with SYSVOL, etc. listed.  I can browse policies etc.  Forest B is a VM on a box that is a member of a domain in Forest A.  I don't think that is the problem since the VM knows it is a member of a domain in Forest B.    Any idea how the trust is getting created?

One more twist: if I create a trust such that Domain B trusts Domain A, and I type "\\domain.root" (referring to domain B) from a Run command (from domain A), it will error out saying that the trust failed.

So when there are no valid trusts listed, it behaves as though there is.  When there is valid trust listed, the trust relationship fails.

Any ideas?
Actually, I realized that what I listed as an issue is probably OK.  By default, all DCs allow everyone who can access them on the network to browse their directories.
 
However, I still can't get the trusts created.  The NSLOOKUP queries of SRV records work fine.

OK, what account are you using to create the Trusts?

It is the built-in administrator account, which is a member of Domain Admins, Enterprise Admins, and Schema Admins.

Okay, that would work on one end, are you using the matching account on the other?

Do you have domain communication allowed through the firewall/router?

Yes.  Matching account on the other end.  No FW or router.

Are these on the same wire?

Perhaps a short rundown of the setup may help in the thinking process.

Yes.  All on the same wire.
2 Forests with 2 Domains in each Forest - 2 DCs in Domain A and 1 DC in Domain B.
Domain A also has a child domain.
All DCs are Windows 2003.
A trust can be made from Domain B (trusting Domain A).
A trust cannot be made from Domain A (trusting Domain B).
I believe the problem is with Domain B.  Some issue is preventing Domain A from creating a trust with it.

How are the two subnets communicating?  Are they VLAN'd?  Is the routing between VLANs correct?

It seems like there is an access list one way that may be preventing some proper communication.

You are putting in the Root DC for Forest A when attempting the Trust from B - correct?

No VLANs and only one subnet.  Communication is not an issue.  They can see each other's resources and query SRV records fine.

What do you mean by "You are putting in the Root DC for Forest A when attempting the Trust from B - correct?"

There is no place to put a 'Root DC' during configuration, only the forest name.  Am I missing a step?
Do you mean: am I configuring the trust on the Root DC?  I am.

ASKER CERTIFIED SOLUTION
Netman66
Yes.  This is in a test environment.  I now separated the forests to different subnets.  The error persists.
I also tried moving the FSMO roles in Forest A to a new DC and tried creating the trust from the new DC with the FSMO roles.  No luck.
Anything else that could help here?

I rebuilt the DC and this resolved the issue.   Not sure what the problem was, but thanks for troubleshooting.

Wow...well, there comes a point when it's more time-effective to start fresh.  Sorry I couldn't put my finger on it for you.

I appreciate the points.

NM