Solved

Trust / DNS problem between 2 domains

Posted on 2007-11-23
Last Modified: 2009-10-23
Two Win 2003 servers, each on its own domain, needing a 2-way trust between them. It had been working fine, but for the past couple of days it has been nothing but trouble and the trusts keep falling over.

Get a variety of errors when trying to validate from serverA, including:
"The trust cannot be validated. The outgoing trust was successfully validated. The secure channel (SC) reset on domain controller \\domainB\serverB of domainB failed with error: There are currently no logon servers available to service the logon request."
I then get asked if I want to change the trust password. If I say yes, then I get the error:
"The trust cannot be repaired because: There are currently no logon servers available to service the request"

If I try to validate from serverB I get the error:
"Windows cannot find a domain controller for the serverA domain. Verify that a DC is available and then try again."

I've tried scrubbing the trust and re-creating it, and sometimes it works, but other times it fails to create. When it does eventually work after a few attempts, both servers validate the trust fine. But only for a while; sooner or later users start having problems and I'm back at the beginning.

Each server is set up as a host forward lookup zone in DNS for the other, and there are forwarders to each other set up also. There is also a pointer in the reverse lookup zone on each server.

The nature of the errors seems to point to the problem being with serverA, but I'm not sure what else to try.

Heeeeeeeeeeeeeeeelp!!!!!
Question by: DubberDan

16 Comments

Expert Comment by SteveH_UK (LVL 19), ID: 20338414
Two things to consider:

1)  Is the time on your servers in sync?  Do they update from the same NTP servers?
2)  Have you recently upgraded any DCs?  Can they see the PDC?  Do you have any beta or release-candidate DCs?  Have you tried Netdiag and DCDiag in both domains?

It does sound like a time-sync issue.  If this is not repaired you have to reset the trust, but then it will fail again later as the clocks skew relative to each other.
Expert Comment by SteveH_UK (LVL 19), ID: 20338420
For the DNS, you need to check that the Active Directory registrations are correct for both domains.  This is not just the A records, but also the service records.

See http://technet.microsoft.com/en-gb/library/Bb727055.aspx
Expert Comment by SteveH_UK (LVL 19), ID: 20338422
Also, make sure you have a working and accessible global catalog in each domain.
Author Comment by DubberDan, ID: 20338461
I don't think either syncs with an external time source.  How do I set that up?
Expert Comment by SteveH_UK (LVL 19), ID: 20338513
On your PDC you need to use the NET TIME /setsntp option.

Where are you based? I can suggest some time servers.

To correct your other DCs, you need to set the time manually and from then on they should sync.

But you will also need to reset the trusts, now that they are out of sync.
Expert Comment by SteveH_UK (LVL 19), ID: 20338514
Sorry, last comment:  Should be the PDC of the forest root domain.  If you are doing inter-forest trusts, then it should be both PDCs!
Author Comment by DubberDan, ID: 20338782
I'm in the UK, so whatever is the best time server for here would be great
Accepted Solution by SteveH_UK (LVL 19), earned 500 total points, ID: 20338806
We use the list in the following.  I recommend that you use this command on your PDC.  It just works!

The flags ensure that Windows syncs properly with non-Windows servers.

You should also alert the owners of these NTP servers that you are using them, but you do not need permission; they are public.
w32tm /config "/manualpeerlist:ntp2b.mcc.ac.uk,0x8 ntp.cis.strath.ac.uk,0x8 132.146.236.132,0x8" /syncfromflags:manual

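As an added check that is not part of the thread: once the peers are configured, the thing that actually breaks a trust's secure channel is clock skew beyond the Kerberos default of 5 minutes, so this PowerShell snippet measures the offset to the trust partner's DC and to the NTP sources with `w32tm /stripchart` and flags any peer past that limit. It assumes `w32tm /stripchart` and UDP/123 are available to the machine it runs on; the server names are placeholders for your own.

```powershell
# Added example (not from the thread): measure clock offset to each peer with
# w32tm /stripchart and flag anything beyond the Kerberos default maximum
# tolerance of 5 minutes, the skew at which trust/secure-channel operations fail.
# Assumes w32tm /stripchart exists (Windows Server 2003 and later) and that the
# peers answer NTP on UDP/123; peer names below are placeholders.
function Get-PeerClockOffset {
    param(
        [Parameter(Mandatory)] [string] $Peer,
        [int] $Samples = 3
    )
    # /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample.
    $lines = & w32tm.exe /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double] $Matches[1] }
    }
    if (-not $offsets) {
        return [pscustomobject]@{ Peer = $Peer; OffsetSeconds = $null; Status = 'unreachable' }
    }
    $avg = ($offsets | Measure-Object -Average).Average
    # Kerberos policy default: "Maximum tolerance for computer clock synchronization".
    $kerberosMaxSkewSeconds = 300
    $status = if ([math]::Abs($avg) -gt $kerberosMaxSkewSeconds) { 'SKEW EXCEEDS KERBEROS LIMIT' } else { 'ok' }
    [pscustomobject]@{
        Peer          = $Peer
        OffsetSeconds = [math]::Round($avg, 3)
        Status        = $status
    }
}

# Check the trust partner's DC (placeholder name) and the NTP sources from the accepted answer.
$peers = 'serverB.domainB.local', 'ntp2b.mcc.ac.uk', 'ntp.cis.strath.ac.uk'
$peers | ForEach-Object { Get-PeerClockOffset -Peer $_ } | Format-Table -AutoSize
```

Run it from each PDC in turn; a large offset to the partner DC but a small one to the NTP sources tells you which side's Windows Time service has not picked up the new configuration.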
Expert Comment by SteveH_UK (LVL 19), ID: 20338810
Note that I use the w32tm command rather than NET TIME as NET TIME doesn't let you pass the flags, and then you have to make a registry edit directly.
Author Comment by DubberDan, ID: 20339475
Right, have just set the time server on both servers.  How often do they update?

To answer some of your other questions:

Neither server upgraded recently and neither is a beta release. They are their own PDC for their own domains, with no other servers on those domains.

Have run netdiag and dcdiag on serverA but not on serverB yet. Results came back as:

dcdiag - showing an error - failed test systemlog
netdiag - no interface with ‘workstation service’ ‘messenger service’ or ‘wins’ also it says DNS entries are not registered correctly on the other server

I think all their registrations are fine in DNS, but it's not my strong point and they are both a working GC as far as I can tell.
Expert Comment by SteveH_UK (LVL 19), ID: 20339491
NetDiag NetBIOS errors are common and can be disregarded.

The DNS entries are a more serious problem and should be investigated.

You could try netdiag /fix to see if it can make the adjustments itself.

You can also try the /v option (I think it's /v) that causes more verbose output.  Use /? for more info.
Expert Comment by SteveH_UK (LVL 19), ID: 20339505
The DNS entries need to be examined in the DNS Management Console "dnsmgmt.msc".

1.  The A records for each server must be correct
2.  The _msdcs.* records must all be correct

Check for any reference to an old server, or any missing DC reference.  Compare between your two DNS servers (in each domain).
Expert Comment by SteveH_UK (LVL 19), ID: 20339529
There should be records for the relevant DCs at the following levels:

domain.com
_msdcs.domain.com
_tcp.SITENAME._sites.dc._msdcs.domain.com
_tcp.dc._msdcs.domain.com
_tcp.DOMAIN-ID.domains._msdcs.domain.com
gc._msdcs.domain.com
_tcp.SITENAME._sites.gc._msdcs.domain.com
_tcp.gc._msdcs.domain.com
_tcp.pdc._msdcs.domain.com

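As an added example that is not part of the thread, this PowerShell function turns the levels listed above into the SRV owner names a DC registers and resolves each one against the DNS server the trust partner actually queries, reporting which are missing. It assumes `Resolve-DnsName` (Windows 8 / Server 2012 or later on the machine you run it from; on 2003 the equivalent is `nslookup -type=SRV`), and the domain, site and DNS server names are placeholders.

```powershell
# Added example (not from the thread): resolve the SRV records a DC must have
# under its domain and _msdcs subdomain and report any that are missing.
# Assumes Resolve-DnsName is available; names passed in are placeholders.
function Test-DcSrvRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,      # e.g. domainB.local
        [Parameter(Mandatory)] [string] $DnsServer,   # DNS server that should hold the zone
        [string] $Site = 'Default-First-Site-Name',   # AD site name used in _sites records
        [string] $DomainGuid = ''                     # optional: domain objectGUID for the domains._msdcs record
    )
    # The levels from the comment above, expressed as the SRV names a DC registers.
    $names = @(
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain",
        "_ldap._tcp.$Site._sites.gc._msdcs.$Domain",
        "_gc._tcp.$Domain"
    )
    if ($DomainGuid) { $names += "_ldap._tcp.$DomainGuid.domains._msdcs.$Domain" }

    foreach ($n in $names) {
        try {
            # -ErrorAction Stop turns NXDOMAIN into an exception we can report as MISSING.
            $srv = @(Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
            if ($srv.Count -eq 0) { throw 'no SRV answer' }
            [pscustomobject]@{ Record = $n; Status = 'ok'; Targets = ($srv.NameTarget -join ', ') }
        } catch {
            [pscustomobject]@{ Record = $n; Status = 'MISSING'; Targets = '' }
        }
    }
}

# Check domainB's records as seen from the DNS server serverA queries (placeholder names).
Test-DcSrvRecords -Domain 'domainB.local' -DnsServer 'serverA.domainA.local' | Format-Table -AutoSize
```

Run it once per direction (each domain's records against the other side's DNS server); a record that resolves on the owning DC but comes back MISSING from the partner's DNS points at the forwarder or stub-zone setup rather than at the registration itself.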
Expert Comment by SteveH_UK (LVL 19), ID: 20339532
Check the event log to see that the time service is working.  It should have logged entries by now. If not, try restarting the Windows Time service on your PDC.
Author Comment by DubberDan, ID: 20348832
The time server seems to be working fine and they are staying within a second of each other.  The trusts are now validating and have held for the whole weekend, and now users are coming onto the system and working fine, so it seems you may have helped me crack it Steve.

Thank you thank you, some well deserved points coming your way!!!
Expert Comment by SteveH_UK (LVL 19), ID: 20349497
You're welcome.  Glad it wasn't more complicated :)