
Unable to login from Member server to Trusted domain

Hi,

We have two domains (A, B) in different forests.
All systems are Windows 2003 SP2.
I created a one-way trust between A and B: B trusts A, so all resources in B can be accessed by users in A.
I opened the ports below between domain controllers only.

Here is the problem,

Unable to log in to a member server of domain B using a user of Domain A.
Unable to browse the user list of Domain A from a member server of domain B.

I haven't opened any ports from this member server to the DCs of Domain A.

Do I need to open any ports from the member server of Domain B to the DCs of Domain A?

Error:
The specified domain either does not exist or could not be contacted.

Thanks in advance,

1 Solution

Henrik Johansson (Systems engineer) commented:
Can you validate the trust on the DC?

How is DNS configured?
Is conditional forwarding configured on the local DNS so it can resolve the other domain?

As you opened the RPC port mapper (135), you also need to open the dynamic ports.
If you want to minimize the number of dynamic ports, it can be done on the server side as described in http://support.microsoft.com/kb/154596
You're missing the GC ports (3268, 3269). See the KB for the list of necessary ports.

Peddu_bhanu (Author) commented:
Hi Henjoh09,

Trust validation is good, I am able to validate trust.

DNS is also working fine; I enabled forwarders between the domains.
I used Wireshark to check the DNS queries and they are working fine.

One more thing: I am able to log in to a DC of Domain B using a user of Domain A.

The problem here is only with member servers.

Do I need to open any ports between the member server of Domain B and the DCs of Domain A?
If so, what are those ports?

Henrik Johansson (Systems engineer) commented:
Kerberos port 88 needs to be open from the client/member server to the DC.
See the table at the end of the following TechNet article for how to configure firewall rules for the different areas of action in the trust.

Peddu_bhanu (Author) commented:
Thank you for this info.. I think it will help me ..

I will update you once I implement this.

Can you telnet to the ports below from domain A to domain B?
Check whether there is any firewall dropping the logon packets.
Since you are not able to browse users, open the LDAP (389) as well as the GC (3268) port on the member server.
Try opening all the ports on the member server and see if it works.
You can use netstat -abnov to see the list of ports in use, or a port monitor.
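The thread's advice boils down to one check: from the member server in domain B, can the trusted domain A's DCs be resolved and reached on DNS (53), Kerberos (88), the RPC endpoint mapper (135), LDAP (389) and the Global Catalog (3268/3269)? The script below is an added example, not code posted in the thread, that runs that check in one pass and prints which ports time out (typically filtered by a firewall) versus connect. The DC hostnames are placeholders to be replaced with your own; the port list is the one named in the replies above.

```powershell
# Added example: test TCP reachability from a member server in domain B to the
# trusted domain A's DCs on the ports named in the thread. Hostnames are placeholders.
$TrustedDCs = @('dc1.domaina.example', 'dc2.domaina.example')

# Ports named in the thread, with the service each one carries
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall is silently dropping the SYN
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Timeout' }
        $client.EndConnect($async)   # throws on an active refusal (RST)
        return 'Open'
    } catch {
        return 'Refused'
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $TrustedDCs) {
    # Resolve first: "the specified domain either does not exist or could not be contacted"
    # is also what you see when the trusted domain's DC names do not resolve from this host.
    try   { $ip = ([System.Net.Dns]::GetHostAddresses($dc) | Select-Object -First 1).IPAddressToString }
    catch { $ip = $null }

    foreach ($port in $Ports.Keys) {
        [pscustomobject]@{
            DC       = $dc
            Resolved = if ($ip) { $ip } else { 'UNRESOLVED' }
            Port     = $port
            Service  = $Ports[$port]
            Result   = if ($ip) { Test-TcpPort -ComputerName $dc -Port $port } else { 'Skipped' }
        }
    }
}

$results | Format-Table -AutoSize

# Port 135 only hands out a dynamic port for the real RPC call, so "Open" on 135 by itself
# does not prove the dynamic range is reachable; see KB 154596 (linked above) for restricting it.
```

Run it from the member server (not from a DC, since the thread shows that DC-to-DC connectivity already works). A row marked Timeout points at a firewall rule between the member server and domain A's DCs; Refused means the packet arrived but nothing listens there, which for a DC usually indicates the wrong host. Once every row reads Open, `nltest /sc_verify:<domainA>` on the member server confirms the secure channel to the trusted domain.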
