Solved

The trust relationship between the primary domain and the trusted domain failed.

Posted on 2007-12-03
Last Modified: 2011-12-19
I am getting the following error when I try and run a program that looks up the SID of a user in a trusted domain from servers in my domain that are NOT domain controllers:

The trust relationship between the primary domain and the trusted domain failed.

If I run this command on a domain controller, I get the SID. If I run it on a workstation in my domain, I get the SID. If I run it on a server which is not a domain controller (Windows Server 2003 RC2 SP2) then I get the error.

How do I diagnose this problem?

Thanks
Question by:ttnetworks

Accepted Solution

by:
Aico earned 500 total points
ID: 20401700
What kind of program is it? Does it use AD to read the SID? Is there some configuration needed in the Program like defining your DC's?

Author Comment

by:ttnetworks
ID: 20401792
Nope, very very simple program, code below:

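            using System.Security.Principal;

            // Account in the trusted domain, in DOMAIN\Username form
            string strUsername = @"DOMAIN\Username";

            NTAccount account = new NTAccount(strUsername);

            // Translate the account name to its SID; this is the call that fails on the member servers
            SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));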

The reason I am researching this is because my Team Foundation Server (MS Source Control Stuff) is not able to look up users in our US domain because I believe there is a problem with the trust between the EUROPE and US domains.

However, when I go and "validate" the trust, I am told it works. The trust works for Exchange, and files etc, but on two of our other servers, I get the above error message with regard to the trust. Why would it not work on these two, but work OK on an Exchange server and the DCs?

Andrew

Expert Comment

by:Aico
ID: 20401797
I guess you already looked at DNS issues. Did you already check the trust relationship with NLTest for example?

Author Comment

by:ttnetworks
ID: 20401980
No and No :-) I will have a go with NLTest and see what happens. This is not my primary area of expertise, which is why I am asking here!

Expert Comment

by:Aico
ID: 20401988
:-), ok, check for DNS issues. Check to see if DNS resolution from the two problem servers is working correctly. And post the results of the NLTest utility to look for problems.

Author Comment

by:ttnetworks
ID: 20404151
OK, Just started playing around with NLTest. An error which keeps coming up when I try and Query the US domain (I am in the EUROPE domain) is:

C:\Program Files\Support Tools>nltest.exe /SERVER:RACOON /QUERY
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

But for one of our DC's in the EUROPE domain it works OK:

C:\Program Files\Support Tools>nltest.exe /SERVER:CHICKEN /QUERY
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

So I will look into why the RPC server is not responding...

Andrew

Expert Comment

by:Aico
ID: 20409787
Maybe some firewall issues? Check if any ports are blocked between the US and Europe domains.

Author Comment

by:ttnetworks
ID: 20413536
I can't see this being a firewall issue, because on my domain controllers everything seems to work fine.

For example, here are the results of running nltest /sc_query:fernico.us on a domain controller:

C:\Program Files\Support Tools>nltest.exe /sc_query:fernico.us
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\racoon.fernico.us
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Program Files\Support Tools>

BUT, then when I run the same command on one of my member servers:

C:\Program Files\Support Tools>nltest /sc_query:fernico.us
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Unsurprisingly I get the Error_no_such_domain on all the machines which are not able to run my SIDLookup program.

:-(

Expert Comment

by:Aico
ID: 20418107
Hmmmm, maybe you could read the following article. It seems to me that there is a problem with DNS resolution.

http://jeffkuespert.wordpress.com/2007/07/26/dsgetdcname-failed-status-1355-0x54b-error_no_such_domain/
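
The checks discussed in this thread (DNS records for the trusted domain, DC location, blocked ports), run from the failing member server, as an added example that is not part of the original thread. It assumes a host with Resolve-DnsName and Test-NetConnection (Windows Server 2012 or later, so not the thread's Server 2003 machines); the function name and the port list 135/389/445 are choices made for this example.

```powershell
# Added example: triage a trusted-domain lookup failure from a member server.
param([string]$TrustedDomain = 'fernico.us')   # domain name taken from the thread

function Test-TrustedDomainPath {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain; DCs = @(); Ports = @(); Locator = $null }

    # 1. DNS-based DC location depends on the _msdcs SRV records of the trusted
    #    domain being resolvable from THIS machine, not only from the DCs.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $result.DCs = @($srv | ForEach-Object { $_.NameTarget })
    } catch {
        Write-Warning "No SRV answer for ${srvName}: $($_.Exception.Message)"
    }

    # 2. Each advertised DC must be reachable on the RPC endpoint mapper (135),
    #    LDAP (389) and SMB (445). An unreachable endpoint mapper can surface
    #    as 1722 RPC_S_SERVER_UNAVAILABLE in nltest.
    foreach ($dc in $result.DCs) {
        foreach ($port in 135, 389, 445) {
            $open = Test-NetConnection -ComputerName $dc -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            $result.Ports += [pscustomobject]@{ DC = $dc; Port = $port; Open = $open }
        }
    }

    # 3. Ask the DC locator on this machine to find a DC for the trusted domain.
    $result.Locator = (& nltest.exe "/dsgetdc:$Domain" 2>&1) -join "`n"

    [pscustomobject]$result
}

$r = Test-TrustedDomainPath -Domain $TrustedDomain
"DCs advertised in DNS: $($r.DCs -join ', ')"
$r.Ports | Format-Table -AutoSize
$r.Locator
```

An empty DC list on a member server, while the same script returns records on a domain controller, points at the member server's DNS client settings rather than at the trust itself.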

Author Comment

by:ttnetworks
ID: 20426838
Thanks for the info so far....

I followed that article through, and yes, I think there is a problem with some DNS records not being present, I have run a few more tests on the US domain controller and here is what I get:

C:\Program Files\Support Tools>nltest /dcname:racoon.fernico.us
NetGetDCName failed: Status = 2453 0x995 NERR_DCNotFound

C:\Program Files\Support Tools>nltest.exe /server:racoon /sc_verify:fernico.us
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Program Files\Support Tools>nltest.exe /server:racoon /sc_verify:fernicoeurope.co.uk
Flags: 90 HAS_IP
Trusted DC Name \\eagle.fernicoeurope.co.uk
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

So for some reason, our US Domain Controller doesn't seem to be able to look up information about its own domain / itself, but it can for the EUROPE stuff. I have run dcdiag and netdiag on it, but everything says passed....


Expert Comment

by:Aico
ID: 20427070
Do both domains have secondary zones on them for each other? Or are they configured to forward DNS requests to each other?

Author Comment

by:ttnetworks
ID: 20430396
They are added as secondary zones...

Expert Comment

by:vnmbo1
ID: 34197871
How can this be rated as an 8.7 solution? There is no solution offered as far as I can see.