Solved

Trust / DNS problem between 2 domains

Posted on 2007-11-23
4,220 Views
Last Modified: 2009-10-23
Two Win 2003 servers, each on their own domain, needing a 2-way trust between them.  It has been working fine, but for the past couple of days it has been nothing but trouble and the trusts keep falling over.

Get a variety of errors when trying to validate from serverA, including:
"The trust cannot be validated. The outgoing trust was successfully validated. The secure channel (SC) reset on domain controller \\domainB\serverB of domainB failed with error: There are currently no logon servers available to service the logon request."
I then get asked if I want to change the trust password. If I say yes, then I get the error:
"The trust cannot be repaired because: There are currently no logon servers available to service the request"

If I try to validate from serverB I get the error:
"Windows cannot find a domain controller for the serverA domain. Verify that a DC is available and then try again."

I've tried scrubbing the trust and re-creating it and sometimes it works, but other times it fails to create.  When it does eventually work after a few attempts both servers validate the trust fine. But only for a while; sooner or later users start having problems and I'm back at the beginning.

Each server is set up as a host forward lookup zone in DNS for the other and there are forwarders to each other set up also. There is also a pointer in the reverse lookup zone on each server.

The nature of the errors seems to point to the problem being with serverA, but I'm not sure what else to try.

Heeeeeeeeeeeeeeeelp!!!!!
Question by:DubberDan
16 Comments
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338414
Two things to consider:

1)  Is the time on your servers in sync?  Do they update from the same NTP servers?
2)  Have you recently upgraded any DCs?  Can they see the PDC?  Do you have any beta or release-candidate DCs?  Have you tried Netdiag and DCDiag in both domains?

It does sound like a time-sync issue.  If this is not repaired you have to reset the trust, but then it will fail again later as the clocks skew relative to each other.
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338420
For the DNS, you need to check that the Active Directory registrations are correct for both domains.  This is not just the A records, but also the service records.

See http://technet.microsoft.com/en-gb/library/Bb727055.aspx
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338422
Also, make sure you have a working and accessible global catalog in each domain.
 

Author Comment

by:DubberDan
ID: 20338461
I don't think either syncs with an external time source.  How do I set that up?
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338513
On your PDC you need to use the NET TIME /setsntp option.

Where are you based? I can suggest some time servers.

To correct your other DCs, you need to set the time manually and from then on they should sync.

But you will also need to reset the trusts, now that they are out of sync.
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338514
Sorry, last comment:  Should be the PDC of the forest root domain.  If you are doing inter-forest trusts, then it should be both PDCs!
 

Author Comment

by:DubberDan
ID: 20338782
I'm in the UK, so whatever is the best time server for here would be great.
 
LVL 19

Accepted Solution

by:SteveH_UK (earned 2000 total points)
ID: 20338806
We use the list in the following.  I recommend that you use this command on your PDC.  It just works!

The flags ensure that Windows syncs properly with non-Windows servers.

You should also alert the owners of these NTP servers that you are using them, but you do not need permission, they are public.
w32tm /config "/manualpeerlist:ntp2b.mcc.ac.uk,0x8 ntp.cis.strath.ac.uk,0x8 132.146.236.132,0x8" /syncfromflags:manual

 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338810
Note that I use the w32tm command rather than NET TIME as NET TIME doesn't let you pass the flags, and then you have to make a registry edit directly.
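The two steps Steve describes (point the PDC at the NTP peers with w32tm, then make sure the clocks of the two DCs actually agree) as one script. This is an added example and not part of the thread: it uses the peer list from the accepted answer, adds the /update switch (without it, or a restart of the Windows Time service, w32tm /config does not reach the running service) and /reliable:yes, and then samples the offset to the other domain's DC with w32tm /stripchart. Assumptions: it is run from an elevated PowerShell prompt on serverA; $OtherDc is a placeholder for serverB's real name; stripchart with /dataonly prints lines of the form "HH:MM:SS, +00.0123456s"; and the 300-second limit is the default Kerberos clock-skew tolerance (the "Maximum tolerance for computer clock synchronization" policy), which is what makes the trust fall over once the clocks drift apart.

```powershell
# Added example, not from the thread. Run elevated on the PDC of the domain (serverA).
$Peers          = 'ntp2b.mcc.ac.uk,0x8 ntp.cis.strath.ac.uk,0x8 132.146.236.132,0x8'  # list from the accepted answer
$OtherDc        = 'serverB.domainB.local'   # placeholder: the other domain's DC
$MaxSkewSeconds = 300                       # default Kerberos clock-skew tolerance (5 minutes)

function Set-PdcTimePeers {
    param([string]$PeerList)
    # 0x8 = client mode, needed when the peers are non-Windows NTP servers.
    # /update pushes the new config to the running service; /reliable:yes advertises
    # this DC as a good time source to the rest of the domain.
    w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /rediscover
}

function Get-ClockOffsetSeconds {
    # Samples the offset between this machine and $Computer via NTP.
    # Assumed output line format with /dataonly: "HH:MM:SS, +00.0123456s"
    param([string]$Computer, [int]$Samples = 5)
    $offsets = @()
    foreach ($line in (w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly)) {
        if ($line -match ',\s*([+-]\d+(\.\d+)?)s\s*$') { $offsets += [double]$Matches[1] }
    }
    return $offsets
}

function Test-TrustClockSkew {
    param([string]$Computer)
    $offsets = Get-ClockOffsetSeconds -Computer $Computer
    if ($offsets.Count -eq 0) {
        Write-Warning "No samples from $Computer (name not resolving, NTP blocked, or Windows Time not running there)"
        return $false
    }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    Write-Host ("Max offset to {0}: {1:N3}s" -f $Computer, $worst)
    if ($worst -gt $MaxSkewSeconds) {
        Write-Warning "Skew exceeds ${MaxSkewSeconds}s: Kerberos between the domains will fail and the trust will need resetting"
        return $false
    }
    return $true
}

Set-PdcTimePeers -PeerList $Peers
Test-TrustClockSkew -Computer $OtherDc
```

Run the same script on serverB with $OtherDc pointing back at serverA; both PDCs need the manual peer list because each is the root of its own forest. The stripchart sample also doubles as a reachability check: if it returns no samples, the other DC cannot be reached on UDP 123 or its name is not resolving, which is worth knowing before blaming the trust itself.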
 

Author Comment

by:DubberDan
ID: 20339475
Right, have just set the time server on both servers.  How often do they update?

To answer some of your other questions:

Neither server upgraded recently and neither is a beta release. They are their own PDC for their own domains, with no other servers on those domains.

Have run netdiag and dcdiag on serverA but not on serverB yet. Results came back as:

dcdiag - showing an error - failed test systemlog
netdiag - no interface with ‘workstation service’ ‘messenger service’ or ‘wins’ also it says DNS entries are not registered correctly on the other server

I think all their registrations are fine in DNS, but it's not my strong point and they are both a working GC as far as I can tell.
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20339491
NetDiag NetBIOS errors are common and can be disregarded.

The DNS entries are a more serious problem and should be investigated.

You could try netdiag /fix to see if it can make the adjustments itself.

You can also try the /v option (I think it's /v) that causes more verbose output.  Use /? for more info.
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20339505
The DNS entries need to be examined in the DNS Management Console "dnsmgmt.msc".

1.  The A records for each server must be correct
2.  The _msdcs.* records must all be correct

Check for any reference to an old server, or any missing DC reference.  Compare between your two DNS servers (in each domain).
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20339529
There should be records for the relevant DCs at the following levels:

domain.com
_msdcs.domain.com
_tcp.SITENAME._sites.dc._msdcs.domain.com
_tcp.dc._msdcs.domain.com
_tcp.DOMAIN-ID.domains._msdcs.domain.com
gc._msdcs.domain.com
_tcp.SITENAME._sites.gc._msdcs.domain.com
_tcp.gc._msdcs.domain.com
_tcp.pdc._msdcs.domain.com

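The list above (and the earlier point that the service records, not just the A records, must be registered) turned into a check, as an added example that is not from the thread. The names are the full SRV and A records that sit under those levels, the ones netlogon writes to netlogon.dns on every DC, including the _kerberos and _kpasswd records the list does not spell out, and each one is resolved against both DNS servers, because a trust only works if each side can find the other's DCs through its forwarder as well. Assumptions: it runs from a machine with the DnsClient module (Windows 8 / Server 2012 or later, so an admin workstation rather than the 2003 servers themselves); the domain names, DNS server addresses and site names are placeholders for the poster's domainA and domainB; and the domain GUID (the folder name under _msdcs.<domain>/domains in dnsmgmt.msc) is left blank, so that record is skipped until you fill it in.

```powershell
# Added example, not from the thread. Placeholder values: replace with the real domains.
$Domains = @(
    @{ Name = 'domaina.local'; Dns = '10.0.1.10'; Site = 'Default-First-Site-Name'; Guid = '' }
    @{ Name = 'domainb.local'; Dns = '10.0.2.10'; Site = 'Default-First-Site-Name'; Guid = '' }
)

function Get-DcLocatorRecords {
    # Full record names behind the _msdcs levels listed in the answer (see netlogon.dns on a DC).
    param([string]$Domain, [string]$Site, [string]$DomainGuid)
    $m = "_msdcs.$Domain"
    $records = @(
        @{ Name = $Domain;                              Type = 'A'   }   # every DC registers the domain A record
        @{ Name = "gc.$m";                              Type = 'A'   }   # global catalog A record
        @{ Name = "_ldap._tcp.$Domain";                 Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$Domain";             Type = 'SRV' }
        @{ Name = "_kerberos._udp.$Domain";             Type = 'SRV' }
        @{ Name = "_kpasswd._tcp.$Domain";              Type = 'SRV' }
        @{ Name = "_ldap._tcp.dc.$m";                   Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc.$m";               Type = 'SRV' }
        @{ Name = "_ldap._tcp.pdc.$m";                  Type = 'SRV' }
        @{ Name = "_ldap._tcp.gc.$m";                   Type = 'SRV' }
        @{ Name = "_ldap._tcp.$Site._sites.dc.$m";      Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$Site._sites.dc.$m";  Type = 'SRV' }
        @{ Name = "_ldap._tcp.$Site._sites.gc.$m";      Type = 'SRV' }
    )
    # The domains.<GUID> record is only checked once the GUID placeholder is filled in.
    if ($DomainGuid) { $records += @{ Name = "_ldap._tcp.$DomainGuid.domains.$m"; Type = 'SRV' } }
    return $records
}

function Test-DcLocatorRecords {
    # Resolves every locator record of $Domain against each DNS server and returns the misses.
    param([string]$Domain, [string]$Site, [string]$DomainGuid, [string[]]$DnsServers)
    $missing = @()
    foreach ($rec in (Get-DcLocatorRecords $Domain $Site $DomainGuid)) {
        foreach ($srv in $DnsServers) {
            try {
                $ans = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $srv -DnsOnly -ErrorAction Stop
                $targets = ($ans | Where-Object { $_.Type -eq $rec.Type } |
                    ForEach-Object { if ($rec.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }) -join ', '
                Write-Host ("OK      {0,-4} {1} @ {2} -> {3}" -f $rec.Type, $rec.Name, $srv, $targets)
            } catch {
                $missing += "$($rec.Type) $($rec.Name) @ $srv"
                Write-Warning ("MISSING {0,-4} {1} @ {2}" -f $rec.Type, $rec.Name, $srv)
            }
        }
    }
    return $missing
}

# Each domain's records must resolve from BOTH DNS servers: locally from its own zone,
# and remotely through the forwarder / secondary zone the other side holds for it.
$allDns = $Domains | ForEach-Object { $_.Dns }
$report = foreach ($d in $Domains) {
    Test-DcLocatorRecords -Domain $d.Name -Site $d.Site -DomainGuid $d.Guid -DnsServers $allDns
}
"Missing records: $(@($report).Count)"
```

A record that resolves on its own DNS server but is MISSING on the other side points at the forwarder or the copied zone, which matches the "cannot find a domain controller" error the poster sees from serverB; a record missing on both points at the DC's own registration, where netdiag /fix or restarting Netlogon on that DC re-registers it. Any target that names a server which no longer exists is the stale reference Steve asks to check for.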
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20339532
Check the event log to see that the time service is working.  It should have logged entries by now. If not, try restarting the Windows Time service on your PDC.
 

Author Comment

by:DubberDan
ID: 20348832
The time server seems to be working fine and they are staying within a second of each other.  The trusts are now validating and have held for the whole weekend, and now users are coming onto the system and working fine, so it seems you may have helped me crack it Steve.

Thank you thank you, some well deserved points coming your way!!!
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20349497
You're welcome.  Glad it wasn't more complicated :)