A request failed from client realm %1 for a ticket in realm %2

Posted on 2008-11-19
Last Modified: 2012-05-05
Hi there,

We have 1 forest with 2 domains: a primary and a subdomain. I've started getting errors in the event log saying "A request failed from client realm XYZ.ABC.COM for a ticket in realm XYZ$. This failed because a trust link between the realms is non transitive."

The trusts between the 2 domains validate fine using AD Domains and Trusts. We're not having any serious issues that I know about at this time. There is an article from MS at saying I need to delete the trust and recreate a realm trust. I'm not super keen to delete the current trusts, because my understanding is that a parent-child domain trust is different from a Kerberos realm trust. Also, the error isn't making any mention of the parent domain, just the child domain and a realm which is the child domain's name with a $. Anybody know more about this, and if I should address it?

Thanks in advance,

Question by:Dunny21
    LVL 1

    Expert Comment

    Firstly, all domains within a single forest should have transitive trusts. Given the trust validates fine using AD Domains and Trusts, it is probably some other cause. You don't say if it is always the same client and whether it is intermittent. Can you force the error to happen?

    A couple of things I would try to do, in order to collect more data. One, run kerbtray (2003 Resource Kit tool), an easy way to see Kerberos tickets on client machines. If you have an idea which machine is causing the event, this might narrow things down. Is there a machine that cannot get a ticket?
    Failing that I would run NetMon and

    Also grab the latest parsers from to ensure you can decode the MS Protocols. You could use Wireshark as an alternative but Netmon has better parsers for Microsoft issues.

    With Netmon, if you can reproduce the error then you could get a capture of the network transaction, which would greatly narrow down the cause.
    LVL 1

    Author Comment

    Thanks for the reply.

    I am getting this error on the domain controllers in the parent domain.  Haven't seen it on the child domain DCs, but haven't looked extensively.  Not sure if that helps.
    LVL 1

    Accepted Solution

    Not a lot. It might be worth switching on Kerberos debugging, see

    The other thing that is worth saying is that Kerberos errors often relate to time synchronization. All the machines need to be synced to a single time source.

    This TechNet article is worth a read.

    Right now though I would just try and get some more specific information about the problem.
    What account (computer/user/etc.) is causing the problem? Netmon is the best bet for that.

    LVL 1

    Author Comment

    Thanks for the help.  We logged a call with MS for another issue that may or may not have been related to this, and it got sorted out.  The MS Support engineer said that we didn't need to worry too much about this issue.
    LVL 1

    Author Closing Comment

    Thanks for the help.
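
The thread asks whether the error is intermittent and where it shows up. The following is an added example, not code from any poster in this thread: it groups the events by the domain controller that logged them and by realm pair, with counts and first/last timestamps. The sample records, the names DC1 and DC2, and the assumption that the events sit in the System log are constructed for illustration.

```powershell
# Added example: summarise the "client realm ... ticket in realm ..." events to show
# which DCs log them, for which realm pair, how often, and over what time span.
function Get-RealmFailureSummary {
    param([Parameter(ValueFromPipeline = $true)] $Record)  # needs MachineName, TimeCreated, Message
    begin {
        # Pattern built from the event text quoted in the question.
        $pattern = 'client realm (?<Client>\S+) for a ticket in realm (?<Target>\S+?)\.(?:\s|$)'
        $hits = @()
    }
    process {
        if ($Record.Message -match $pattern) {
            $hits += [pscustomobject]@{
                DC = $Record.MachineName; Time = $Record.TimeCreated
                ClientRealm = $Matches['Client']; TargetRealm = $Matches['Target']
            }
        }
    }
    end {
        $hits | Group-Object DC, ClientRealm, TargetRealm | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                DC          = $sorted[0].DC
                ClientRealm = $sorted[0].ClientRealm
                TargetRealm = $sorted[0].TargetRealm
                Count       = $_.Count
                FirstSeen   = $sorted[0].Time
                LastSeen    = $sorted[-1].Time
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample records (not real log data), shaped like Get-WinEvent output.
$msg = 'A request failed from client realm XYZ.ABC.COM for a ticket in realm XYZ$. ' +
       'This failed because a trust link between the realms is non transitive.'
$sample = @(
    [pscustomobject]@{ MachineName = 'DC1'; TimeCreated = [datetime]'2008-11-18T09:00:00'; Message = $msg }
    [pscustomobject]@{ MachineName = 'DC1'; TimeCreated = [datetime]'2008-11-19T09:00:05'; Message = $msg }
    [pscustomobject]@{ MachineName = 'DC2'; TimeCreated = [datetime]'2008-11-19T14:30:00'; Message = $msg }
    [pscustomobject]@{ MachineName = 'DC2'; TimeCreated = [datetime]'2008-11-19T14:31:00'; Message = 'Unrelated event text.' }
)
$sample | Get-RealmFailureSummary | Format-Table -AutoSize

# Live use (assumes the events are in the System log of the DC you name):
# Get-WinEvent -ComputerName <dc-name> -FilterHashtable @{ LogName = 'System';
#     StartTime = (Get-Date).AddDays(-7) } | Get-RealmFailureSummary
```

Entries that recur at a fixed interval on one DC point to a single scheduled or service-driven requester, which narrows what to look for in a Netmon capture.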
