Solved

The trust relationship between the primary domain and the trusted domain failed.

Posted on 2007-12-03
Last Modified: 2011-12-19
I am getting the following error when I try and run a program that looks up the SID of a user in a trusted domain from servers in my domain that are NOT domain controllers:

The trust relationship between the primary domain and the trusted domain failed.

If I run this command on a domain controller, I get the SID. If I run it on a workstation in my domain, I get the SID. If I run it on a server which is not a domain controller (Windows Server 2003 RC2 SP2) then I get the error.

How do I diagnose this problem?

Thanks
Question by:ttnetworks
13 Comments
 
LVL 3

Accepted Solution

by:
Aico earned 500 total points
What kind of program is it? Does it use AD to read the SID? Is there some configuration needed in the program, like defining your DCs?

Author Comment

by:ttnetworks
Nope, very very simple program, code below:

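            using System.Security.Principal;  // NTAccount and SecurityIdentifier (goes at the top of the file)

            string strUsername = @"DOMAIN\Username";

            // Wrap the DOMAIN\Username string as an account reference
            NTAccount account = new NTAccount(strUsername);

            // Translate performs the name-to-SID lookup for that account
            SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));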

The reason I am researching this is because my Team Foundation Server (MS Source Control Stuff) is not able to look up users in our US domain because I believe there is a problem with the trust between the EUROPE and US domains.

However, when I go and "validate" the trust, I am told it works. The trust works for Exchange, and files etc, but on two of our other servers, I get the above error message with regard to the trust. Why would it not work on these two, but work OK on an Exchange server and the DCs?

Andrew

LVL 3

Expert Comment

by:Aico
I guess you already looked at DNS issues. Did you already check the trust relationship with NLTest for example?

Author Comment

by:ttnetworks
No and No :-) I will have a go with NLTest and see what happens. This is not my primary area of expertise, which is why I am asking here!

LVL 3

Expert Comment

by:Aico
:-), ok, check for DNS issues. Check to see if DNS resolution from the two problem servers is working correctly. And post the results of the NLTest utility to look for problems.

Author Comment

by:ttnetworks
OK, Just started playing around with NLTest. An error which keeps coming up when I try and Query the US domain (I am in the EUROPE domain) is:

C:\Program Files\Support Tools>nltest.exe /SERVER:RACOON /QUERY
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

But for one of our DCs in the EUROPE domain it works OK:

C:\Program Files\Support Tools>nltest.exe /SERVER:CHICKEN /QUERY
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

So I will look into why the RPC server is not responding...

Andrew

LVL 3

Expert Comment

by:Aico
Maybe some firewall issues? Check if any ports are blocked between the US and Europe domains.

Author Comment

by:ttnetworks
I can't see this being a firewall issue, because on my domain controllers everything seems to work fine.

For example, here are the results of running nltest /sc_query:fernico.us on a domain controller:

C:\Program Files\Support Tools>nltest.exe /sc_query:fernico.us
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\racoon.fernico.us
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Program Files\Support Tools>

BUT, then when I run the same command on one of my member servers:

C:\Program Files\Support Tools>nltest /sc_query:fernico.us
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Unsurprisingly I get the ERROR_NO_SUCH_DOMAIN on all the machines which are not able to run my SIDLookup program.

:-(

LVL 3

Expert Comment

by:Aico
Hmmmm, maybe you could read the following article. It seems to me that there is a problem with DNS resolution.

http://jeffkuespert.wordpress.com/2007/07/26/dsgetdcname-failed-status-1355-0x54b-error_no_such_domain/

Author Comment

by:ttnetworks
Thanks for the info so far....

I followed that article through, and yes, I think there is a problem with some DNS records not being present. I have run a few more tests on the US domain controller and here is what I get:

C:\Program Files\Support Tools>nltest /dcname:racoon.fernico.us
NetGetDCName failed: Status = 2453 0x995 NERR_DCNotFound

C:\Program Files\Support Tools>nltest.exe /server:racoon /sc_verify:fernico.us
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Program Files\Support Tools>nltest.exe /server:racoon /sc_verify:fernicoeurope.co.uk
Flags: 90 HAS_IP
Trusted DC Name \\eagle.fernicoeurope.co.uk
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

So for some reason, our US Domain Controller doesn't seem to be able to look up information about its own domain / itself, but it can for the EUROPE stuff. I have run dcdiag and netdiag on it, but everything says passed....


LVL 3

Expert Comment

by:Aico
Do both domains have secondary zones on them for each other? Or are they configured to forward DNS requests to each other?

Author Comment

by:ttnetworks
They are added as secondary zones...

Expert Comment

by:vnmbo1
How can this be rated as an 8.7 solution? There is no solution offered as far as I can see.
0
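
Added example, not part of any post in this thread: a small Python script that parses pasted nltest console output and labels each command by the layer to check first, using the status codes quoted in the thread, so the same query can be compared across a domain controller and a member server. The layer labels, host labels and function names are this example's own.

```python
import re

# Status codes seen in the thread, mapped to the layer to check first.
# The layer labels are this example's own, not nltest terminology.
LAYER = {
    0: "ok",
    1722: "rpc",         # RPC_S_SERVER_UNAVAILABLE: target not reachable over RPC
    1355: "dc-locator",  # ERROR_NO_SUCH_DOMAIN: no DC located for that domain
    2453: "dc-locator",  # NERR_DCNotFound: no DC found for that domain
}
PROMPT = re.compile(r"^[A-Za-z]:\\[^>]*>\s*(nltest(?:\.exe)?\s+.+)$", re.I)
STATUS = re.compile(r"Status = (\d+) 0x[0-9a-fA-F]+ (\w+)")

def parse_session(text):
    """Split a pasted console session into one record per nltest command."""
    records, current = [], None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            current = {"command": m.group(1), "statuses": []}
            records.append(current)
        elif current is not None:
            current["statuses"] += [(int(c), n) for c, n in STATUS.findall(line)]
    return records

def triage(record):
    """First failing layer for one command; 'ok' only if every status is 0."""
    for code, _name in record["statuses"]:
        if code != 0:
            return LAYER.get(code, "unknown")
    return "ok" if record["statuses"] else "no-status"

# Output copied from the thread; the host labels are added for this example.
SESSIONS = {
    "domain controller": r"""C:\Program Files\Support Tools>nltest.exe /sc_query:fernico.us
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\racoon.fernico.us
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully""",
    "member server": r"""C:\Program Files\Support Tools>nltest /sc_query:fernico.us
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN""",
}

def compare(sessions):
    """Map each host to its (command, layer) results so differences stand out."""
    return {host: [(r["command"], triage(r)) for r in parse_session(text)]
            for host, text in sessions.items()}

if __name__ == "__main__":
    for host, results in compare(SESSIONS).items():
        print(host, results)
```

A "dc-locator" result on a member server next to "ok" on a domain controller for the same trusted domain matches the pattern reported in the thread, which is where the DNS resolution checks suggested above apply.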
