Domain trust failed with an authentication error

Hi
I had the same error message on my win2003 machine as in the following question
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22975172.html

I tried the solution and now I have an even worse problem. First of all, the command didn't succeed; I got the error "The specified user already exists".
The trust between my domains is not working at all now. In the Event Viewer I see the following error:
Source:LSASRV
Event ID: 40960
Category:SPNEGO
Description: The Security System detected an authentication error for the server cifs/servername.domain.net. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

I also got:
Source: NETLOGON
Category: None
Event ID: 3210
Description: This computer could not authenticate with \\servername.domain.net, a Windows domain controller for domain "Domain", and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

When I check the replication with dcdiag or repadmin I see that the replication fails. I tried to verify the domain trust but I can't. I get the error message "The specified user already exists" and then "The trust cannot be repaired because: The specified user already exists."

I have the exact same setup as in the previous solution that I followed and I also got the exact same error messages.

Regards
U_mansson


U_Mansson (Author) commented:
Hi, some more information on my problem.

On one of my DCs (TRR30.trrnet.se) I got this in the event log. It can't connect to my server in my other domain, trrab.net.

Source: NTDS KCC
Event ID: 1566
Description:
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site:
CN=RM,CN=Sites,CN=Configuration,DC=trrnet,DC=se
Directory partition:
DC=DomainDnsZones,DC=trrab,DC=net
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=trrnet,DC=se


I also got:
Source: LsaSrv
Event ID: 32772
Description: The interdomain trust account for the domain trrab.net could not be created. The return code is the data.

When I run dcdiag on my DC in TRRAB.NET I get errors on the KCC test:
 Starting test: kccevent
    An Warning Event occured.  EventID: 0x8000061E
       Time Generated: 04/29/2008   21:24:53
       Event String: All domain controllers in the following site that
    An Warning Event occured.  EventID: 0x8000061E
       Time Generated: 04/29/2008   21:24:53
       Event String: All domain controllers in the following site that
    ......................... TRRABMAIL failed test kccevent

I guess something is very wrong with my Kerberos, but how do I fix it?
0
ChiefIT commented:
The problems you are seeing are usually a result of a NetBIOS error. Typically, this stems from having a multihomed computer. Multihomed is defined as a computer with multiple NICs, and therefore multiple IPs. It can also be defined as multiple IPs on the same NIC.

What happens is this. A computer will request a NetBIOS translation from the server. The server sees the first NIC as being busy and spits out the NetBIOS reply on the wrong NIC. In doing so, the reply will not go to the client and complete the query/reply process, so the NetBIOS translation is not completed.

NetBIOS is used for multiple services:
DNS
Master browser
WINS
WSUS
Kerberos Authentication
DC replication

The effects of faulty NetBIOS translation can vary from one multihomed server to another.

The best fix for this is to disable one NIC. Most networks only require one NIC per server to function, especially if you have a router. Seeing your problems tells me that one NIC is on a subnet and the other NIC is probably on a second subnet. Be careful of this setup, as it can cause multiple problems throughout your domain.

I have a lot of examples and fixes of this problem. I think this one closely resembles yours.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23356031.html

0
U_Mansson (Author) commented:
Got this solution from MS

---
Here's a procedure to reset the machine account passwords and to restore the interdomain trust relationships.

1) Make sure that there are no connectivity problems between the DCs, for example by pinging.
2) Ensure that the time on both DCs is synched.
3) Check the current trust status between the domains according to http://support.microsoft.com/kb/228477. NLtest (included in the Windows Support Tools) output should look something like this:
NLTEST /SC_VERIFY:DomainName (verifies the secure channel in the specified domain for a local or remote workstation, server, or domain controller.)

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\server.windows2000.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Test this in both directions.

4) If there is a problem (and in all likelihood there is), you could start by resetting the machine accounts on both the DCs. This is documented in http://support.microsoft.com/kb/260575. Please note that the KDC service needs to be stopped and set to manual for this to work, and that the procedure also involves rebooting the DC (and restarting the KDC and setting it back to auto).

5) Recheck the trust relationships. If there are still errors, follow http://support.microsoft.com/default.aspx/kb/938702. Run the following command on the root domain controllers of the parent domain and of the child domain. This command resets the trust relationship between the parent and child domain.

Netdom trust trusting_domain_name /Domain:trusted_domain_name /UserD:user /PasswordD:* /UserO:user /PasswordO:* /reset

6) If the problem still persists, the current trust object can be deleted from the AD and recreated with the wizard.

0
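A read-only pre-check for steps 1 to 3 of the procedure above, written as an added example for this thread (it is not Microsoft's or the poster's code). The DC and domain names are placeholders, the event IDs are the ones reported earlier in the thread, and nothing here resets accounts or trusts:

```powershell
# Added example: read-only checks for steps 1-3 of the procedure above.
# $RemoteDc and $RemoteDomain are hypothetical placeholders; substitute your own names.
param(
    [string]$RemoteDc     = 'dc1.trusted.example',   # a DC in the other domain (placeholder)
    [string]$RemoteDomain = 'trusted.example',       # the trusted domain (placeholder)
    [int]$MaxSkewSeconds  = 300                      # default Kerberos clock-skew tolerance
)

# Step 1: connectivity. If ICMP is filtered, check TCP 88/389/445 reachability instead.
if (-not (Test-Connection -ComputerName $RemoteDc -Count 2 -Quiet)) {
    Write-Warning "No ping reply from $RemoteDc; check DNS and routing before any trust work."
}

# Step 2: clock skew. w32tm /stripchart emits lines like "21:24:53, +00.0123456s".
$chart = w32tm /stripchart /computer:$RemoteDc /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $chart) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "w32tm could not sample $RemoteDc (NTP blocked or name not resolved)."
} else {
    $skew = ($offsets | Measure-Object -Average).Average
    if ([math]::Abs($skew) -gt $MaxSkewSeconds) {
        Write-Warning ("Clock skew {0:N1}s exceeds {1}s; Kerberos will reject tickets." -f $skew, $MaxSkewSeconds)
    }
}

# Step 3: secure channel to the trusted domain. Run this on a DC in each domain with
# the roles swapped, since the procedure asks for the check in both directions.
$verify = (nltest /sc_verify:$RemoteDomain 2>&1) -join "`n"
if ($verify -notmatch 'NERR_Success') {
    Write-Warning "nltest /sc_verify:$RemoteDomain did not report NERR_Success:`n$verify"
}

# Pull the System-log events quoted in this thread for the last 24 hours:
# LSASRV 40960 (Kerberos logon failure), NETLOGON 3210 (cannot authenticate with DC),
# LsaSrv 32772 (interdomain trust account could not be created).
$ids = 40960, 3210, 32772
Get-EventLog -LogName System -After (Get-Date).AddHours(-24) |
    Where-Object { $ids -contains $_.EventID } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, Source, EventID, @{n='Message'; e={ $_.Message -replace '\s+', ' ' }} -Wrap
```

Only move on to the reset steps (4 to 6) once the connectivity and clock checks pass, because a failed sc_verify with a large skew or a dead route points at the network rather than the trust object.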
