DubberDan

asked on

Trust / DNS problem between 2 domains

Two Win 2003 servers each on their own domain needing a 2-way trust between them.  It has been working fine but the past couple of days nothing but trouble and the trusts keep falling over.

Get a variety of errors when trying to validate from serverA, including:
"The trust cannot be validated. The outgoing trust was successfully validated. The secure channel (SC) reset on domain controller \\domainB\serverB of domainB failed with error: There are currently no logon servers available to service the logon request."
I then get asked if I want to change the trust password. If I say yes, then I get the error:
"The trust cannot be repaired because: There are currently no logon servers available to service the request"

If I try to validate from serverB I get the error:
"Windows cannot find a domain controller for the serverA domain. Verify that a DC is available and then try again."

I've tried scrubbing the trust and re-creating it and sometimes it works, but other times it fails to create.  When it does eventually work after a few attempts both servers validate the trust fine. But only for a while; sooner or later users start having problems and I'm back at the beginning.

Each server is set up as a host forward lookup zone in DNS for the other and there are forwarders to each other set up also. There is also a pointer in the reverse lookup zone on each server.

The nature of the errors seems to point to the problem being with serverA, but I'm not sure what else to try.

Heeeeeeeeeeeeeeeelp!!!!!
SteveH_UK

Two things to consider:

1)  Is the time on your servers in sync?  Do they update from the same NTP servers?
2)  Have you recently upgraded any DCs?  Can they see the PDC?  Do you have any beta or release-candidate DCs?  Have you tried Netdiag and DCDiag in both domains?

It does sound like a time-sync issue.  If this is not repaired you have to reset the trust, but then it will fail again later as the clocks skew relative to each other.
For the DNS, you need to check that the Active Directory registrations are correct for both domains.  This is not just the A records, but also the service records.

See http://technet.microsoft.com/en-gb/library/Bb727055.aspx
Also, make sure you have a working and accessible global catalog in each domain.
DubberDan (ASKER)

I don't think either syncs with an external time source.  How do I set that up?
On your PDC you need to use the NET TIME /setsntp option.

Where are you based, and I can suggest some time servers.

To correct your other DCs, you need to set the time manually and from then on they should sync.

But you will also need to reset the trusts, now they are out-of-sync.
Sorry, last comment:  Should be the PDC of the forest root domain.  If you are doing inter-forest trusts, then it should be both PDCs!
I'm in the UK, so whatever is the best time server for here would be great
ASKER CERTIFIED SOLUTION
SteveH_UK
Note that I use the w32tm command rather than NET TIME as NET TIME doesn't let you pass the flags, and then you have to make a registry edit directly.
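The following is an added example, not code from the thread or from SteveH_UK's solution: it shows the w32tm approach he refers to (configuring a manual NTP peer list on the PDC instead of NET TIME /setsntp) and then measures the clock offset against the DC in the other domain, which is the number that decides whether the trust keeps failing. The peer names, the trust partner's FQDN and the 5-minute Kerberos tolerance are assumptions, not values from the page.

```powershell
# Added example (not from the thread). Run in PowerShell on the PDC of each domain.
# Assumptions: the NTP peers and the partner DC name below are placeholders.
$PeerList     = "0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8"  # assumed UK peers; 0x8 = client mode
$TrustPartner = "serverB.domainB.local"                        # assumed FQDN of the other domain's DC
$MaxSkewSec   = 300   # assumed: default Kerberos clock tolerance is 5 minutes

# Sync only from the listed peers (not the domain hierarchy) and mark this DC reliable.
w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Sample the offset between this machine and the trust partner a few times.
# /dataonly prints lines like "12:34:56, +00.0123456s".
$samples = w32tm /stripchart /computer:$TrustPartner /samples:5 /dataonly
$offsets = $samples | ForEach-Object {
    if ($_ -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$matches[1]) }
}

if ($offsets) {
    $worst = ($offsets | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSec) {
        "WARNING: skew against $TrustPartner is $worst s, beyond Kerberos tolerance; reset the trust after fixing time"
    } else {
        "OK: worst skew against $TrustPartner is $worst s"
    }
} else {
    "Could not sample $TrustPartner (is NTP/UDP 123 reachable?)"
}

# Confirm the time service is logging: W32Time entries in the System log show
# peer selection and any sync failures.
Get-EventLog -LogName System -Source W32Time -Newest 5 |
    Format-Table TimeGenerated, EventID, Message -AutoSize
```

Run it on both PDCs; a skew that stays under a second, as the asker later reports, is what a healthy result looks like. If the offsets come back large and drifting, the trust will be reset only to fall over again, so fix the time source before re-creating it.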
Right, have just set the time server on both servers.  How often do they update?

To answer some of your other questions:

Neither server upgraded recently and neither is a beta release. They are their own PDC for their own domains, with no other servers on those domains.

Have run netdiag and dcdiag on serverA but not on serverB yet. Results came back as:

dcdiag - showing an error - failed test systemlog
netdiag - no interface with 'workstation service', 'messenger service' or 'wins'; also it says DNS entries are not registered correctly on the other server

I think all their registrations are fine in DNS, but it's not my strong point and they are both a working GC as far as I can tell.
NetDiag NetBIOS errors are common and can be disregarded.

The DNS entries are a more serious problem and should be investigated.

You could try netdiag /fix to see if it can make the adjustments itself.

You can also try the /v option (I think it's /v) that causes more verbose output.  Use /? for more info.
The DNS entries need to be examined in the DNS Management Console "dnsmgmt.msc".

1.  The A records for each server must be correct
2.  The _msdcs.* records must all be correct

Check for any reference to an old server, or any missing DC reference.  Compare between your two DNS servers (in each domain).
There should be records for the relevant DCs at the following levels:

domain.com
_msdcs.domain.com
_tcp.SITENAME._sites.dc._msdcs.domain.com
_tcp.dc._msdcs.domain.com
_tcp.DOMAIN-ID.domains._msdcs.domain.com
gc._msdcs.domain.com
_tcp.SITENAME._sites.gc._msdcs.domain.com
_tcp.gc._msdcs.domain.com
_tcp.pdc._msdcs.domain.com

Check the event log to see that the time service is working.  It should have logged entries by now. If not, try restarting the Windows Time service on your PDC.
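As an added example (not part of the thread, and not the TechNet procedure linked above), here is a PowerShell script that queries the DC locator SRV records behind each level in the list above using nslookup, so the comparison between the two DNS servers can be done the same way on both sides. It expands each level into the _ldap / _kerberos / _gc SRV names that Active Directory actually registers there, and flags a record as missing or as pointing at a host other than the expected DC. The domain name, DC name, site name, domain GUID (the DOMAIN-ID in the list) and DNS server address are placeholders to fill in.

```powershell
# Added example (not from the thread). Placeholders below must be replaced with
# your own values; none of them come from the page.
$Domain     = "domainA.local"               # assumed domain name
$ExpectedDc = "serverA.domainA.local"       # assumed FQDN of the DC that should be registered
$Site       = "Default-First-Site-Name"     # assumed site name; see AD Sites and Services
$DomainGuid = "<domain-GUID-from-AD>"       # placeholder for the DOMAIN-ID level
$DnsServer  = "192.0.2.10"                  # assumed address of the DNS server to query

# SRV names registered at each level in the list above.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.gc._msdcs.$Domain",
    "_ldap._tcp.$DomainGuid.domains._msdcs.$Domain"
)

# Ask a specific DNS server for an SRV record and return the target host names.
# Windows nslookup prints one "svr hostname = host" line per answer.
function Get-SrvTargets($name, $server) {
    $out = nslookup -type=SRV $name $server 2>&1
    $out | ForEach-Object {
        if ("$_" -match 'svr hostname\s*=\s*(\S+)') { $matches[1].TrimEnd('.') }
    }
}

foreach ($name in $srvNames) {
    $targets = @(Get-SrvTargets $name $DnsServer)
    if ($targets.Count -eq 0) {
        "MISSING  $name"
    } elseif ($targets -notcontains $ExpectedDc) {
        # A record exists but names a different (possibly decommissioned) host.
        "STALE    $name -> $($targets -join ', ')"
    } else {
        "OK       $name"
    }
}

# The host (A) records must match too: the DC itself and the gc._msdcs alias.
nslookup $ExpectedDc $DnsServer
nslookup "gc._msdcs.$Domain" $DnsServer
```

Run it once against each domain's DNS server for both domains. A MISSING line usually means the Netlogon registration never reached that server (netdiag /fix or restarting Netlogon re-registers them); a STALE line is the "reference to an old server" case, which has to be removed by hand in dnsmgmt.msc.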
The time server seems to be working fine and they are staying within a second of each other.  The trusts are now validating and have held for the whole weekend, and now users are coming onto the system and working fine, so it seems you may have helped me crack it, Steve.

Thank you thank you, some well deserved points coming your way!!!
You're welcome.  Glad it wasn't more complicated :)