A request failed from client realm %1 for a ticket in realm %2

Hi there,

We have 1 forest, with 2 domains.  A primary and a subdomain.  abc.com and xyz.abc.com.  I've started getting errors in the event log saying "A request failed from client realm XYZ.ABC.COM for a ticket in realm XYZ$. This failed because a trust link between the realms is non transitive."

The trusts between the 2 domains validate fine using AD Domains and Trusts.  We're not having any serious issues that I know about at this time.  There is an article from MS at http://technet.microsoft.com/en-us/library/cc733958.aspx saying I need to delete the trust and recreate a realm trust.  I'm not super keen to delete the current trusts, because my understanding is that a parent child domain trust is different from a Kerberos realm trust.  Also, the error isn't making any mention of the parent domain.  Just the child domain and a realm which is the child domain's name with a $.  Anybody know more about this, and if I should address it.  

Thanks in advance,

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Firstly all domains within a single Forest should have transitive trusts, given the trust  validates fine using AD Domains and Trusts it is probably some other cause. You don't say if it is always the same client and whether it is intermittent. Can you force the error to happen?

A couple of things I would try to do, in order to collect more data. One, run kebtray (2003 resource Kit tool) , an easy way to see kerberos tickets on client machines - if you have an idea which machine it is causing the event this might narrow things down is there a machine that cannot get a ticket?.
Failing that I would run NetMon and

Also grab the latest parsers from http://www.codeplex.com/nmparsers to ensure you can decode the MS Protocols. You could use Wireshark as an alternative but Netmon has better parsers for Microsoft issues.

With Netmon, if you can reproduce the error then you could get a capture of the network transaction which would gratly narrow down the cause.
Dunny21Author Commented:
Thanks for the reply.

I am getting this error on the domain controllers in the parent domain.  Haven't seen it on the child domain DCs, but haven't looked extensively.  Not sure if that helps.
Not a lot, it might be worth switching on kerberos debugging, see

The other thing that is worth saying, is that often Kerberos errors relate to time synchronization. All the machine need to be synch'd to a single time source.

This technet article is worth a read.

Right now though I would just try and get some more specific information about the problem.
What account (computer/user/etc) is causing the problem, Netmon is the best bet for that

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dunny21Author Commented:
Thanks for the help.  We logged a call with MS for another issue that may or may not have been related to this, and it got sorted out.  The MS Support engineer said that we didn't need to worry too much about this issue.
Dunny21Author Commented:
Thanks for the help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.