
Cross-forest trust:  The domain controllers required to find the selected objects in the following domains are not available

CommunispaceIT05 asked:
I have the following domain configuration in place:

Corporate.com <- one-way trust <- qadev.local <-> dev.qadev.local

I am able to add user@corporate.com as a local administrator to machines on qadev.local, but not to machines on its child, dev.qadev.local.

When I attempt to add the user to the local administrators group on any machine in dev.qadev.local, I can browse corporate.com and select the user, but after this I receive the error:


The Active Directory Domain Controllers required to find the selected objects in the following domains are not available:

corporate.com

Ensure the Active Directory Domain Controllers are available, and try to select the objects again.


Am I missing anything in this design? Should children of the root be able to piggy-back on the root's trust, or do they require their own trusts to corporate.com for this to work?

Commented:
it might be a name resolution issue: can you resolve corporate.com from dev?
is it a domain trust or a forest trust?
Any firewall in place?
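The three things this comment asks about (name resolution, trust type, firewall) can be checked in one pass from a DC in the child domain. The script below is an added example for this thread, not something posted by any participant. It uses the domain names from the question; the remote DC name `dc01.corporate.com` is a placeholder, and steps 2 and 4 assume the DnsServer and ActiveDirectory RSAT modules are installed.

```powershell
# Added example (not from the original thread): trust-path diagnostics to run on a
# domain controller in dev.qadev.local. Domain names come from the question; the
# remote DC name is a placeholder.
$TrustedDomain = 'corporate.com'
$ParentDomain  = 'qadev.local'

# 1. Name resolution. The DC locator needs the _msdcs SRV records of the target
#    domain; a successful ping of the bare domain name proves only that an A record
#    resolves, not that DCs can be located.
foreach ($d in $TrustedDomain, $ParentDomain) {
    Write-Host "== SRV lookup for $d =="
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction Continue |
        Where-Object Type -eq 'SRV' |
        Select-Object Name, NameTarget, Port
}

# 2. Conditional forwarders configured on this DNS server (DnsServer module).
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers

# 3. DC locator. A failure here is what the "domain controllers required to find the
#    selected objects ... are not available" dialog is reporting.
foreach ($d in $TrustedDomain, $ParentDomain) {
    Write-Host "== nltest /dsgetdc:$d =="
    nltest /dsgetdc:$d /force
}

# 4. Trust topology as seen from this domain: direction, type and transitivity
#    (ActiveDirectory module). A forest trust should show ForestTransitive = True.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest

# 5. Port reachability toward a DC of the trusted forest. These fixed ports are the
#    common trust dependencies; the RPC dynamic range (49152-65535) is not covered here.
$RemoteDc = 'dc01.corporate.com'   # placeholder host name
foreach ($p in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $ok = Test-NetConnection -ComputerName $RemoteDc -Port $p -InformationLevel Quiet
    '{0,-22} port {1,5}: {2}' -f $RemoteDc, $p, $ok
}
```

If step 1 resolves but step 3 fails for the parent domain as well as the trusted forest, the problem is not the forest trust itself but the path from the child to its own parent, which is the direction the thread ends up taking.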

Commented:
I think it's a trust issue, as there is no trust between corporate.com & dev.qadev.local.

Create a shortcut trust between corporate.com & dev.qadev.local & see if it works.

For DNS, use conditional forwarding for name resolution.
 

Author

Commented:
Conditional forwarding are in place, and I can ping corporate.com from dev.qadev.local.

Is a shortcut trust absolutely necessary? My trust properties on qadev.local -> corporate.com are these:

This domain: qadev.local
Other domain: corporate.com
Trust type: Forest
Name Suffix Routing: *.corporate.com enabled
Authentication: Forest-wide authentication

The General tab also lists the following, which indicates to me I should not need anything else to get this trust working:

Transitivity of trust: This trust is forest transitive. Users from indirectly trusted domains within the enterprise may authenticate in the trusting enterprise.

As far as firewalls, I've opened up all protocols between the qadev.local and corporate.com VLANs.

Author

Commented:
Here's an interesting point:

qadev.local and dev.qadev.local domain controllers are on the same VLAN (no firewall between).

When looking at trust properties between these:

This Domain: qadev.local
Child Domain: dev.qadev.local
Trust type: Parent-Child

When I attempt to validate this trust, I get the following response:

The trust cannot be validated for the following reasons:
The outgoing trust was successfully validated
The secure channel (SC) reset on Active Directory Domain Controller \\devdc01.dev.qadev.local of domain dev.qadev.local to domain qadev.local failed with error: There are currently no logon servers available to service the logon request.

Any idea why this would be?

Commented:
What kind of trust is the one-way trust?

Not all trusts are transitive.

Please refer to here:
http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx
Author

Commented:
It appears the trust between child and parent was broken.

I reset the trust username/password and am now able to add users from corporate.com to dev.qadev.local.

Thanks for the assistance.
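The fix the author describes (resetting the parent-child trust password) can be reproduced and verified from the child DC. The script below is an added example, not the commands the author actually ran. It assumes it is executed on devdc01.dev.qadev.local by an account that is a Domain Admin in both dev.qadev.local and qadev.local; the `netdom trust` line prompts for the parent-domain password.

```powershell
# Added example (not the author's actual commands): verify the secure channel of the
# parent-child trust from the child DC and reset the trust if verification fails.
# Assumes it runs on devdc01.dev.qadev.local with admin rights in both domains.
$ChildDomain  = 'dev.qadev.local'
$ParentDomain = 'qadev.local'

# 1. Which DC of the parent domain does this DC currently hold a secure channel to?
nltest /sc_query:$ParentDomain

# 2. Verify the trust secure channel. This is the same check the Trust Properties
#    "Validate" button performs and that failed with "no logon servers available".
nltest /sc_verify:$ParentDomain
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Secure channel to $ParentDomain failed; attempting a reset"

    # 3a. Re-establish this DC's secure channel to a DC of the parent domain.
    nltest /sc_reset:$ParentDomain

    # 3b. If that still fails, reset the trust password on both sides of the
    #     parent-child trust and verify it. /usero and /passwordo are credentials in
    #     the "other" (parent) domain; '*' prompts for the password instead of
    #     placing it on the command line.
    netdom trust $ChildDomain /domain:$ParentDomain /reset /verify /usero:"$ParentDomain\Administrator" /passwordo:*
}

# 4. Confirm the forest trust is now usable from the child: the DC locator should find
#    a DC in corporate.com, and the trusted-domain list should include it.
nltest /dsgetdc:corporate.com /force
nltest /domain_trusts /all_trusts
```

The order matters: the forest trust from qadev.local to corporate.com was healthy all along, so the child domain could only use it once its own path to the parent (the intra-forest parent-child secure channel) was working again.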

Commented:
I have the same problem, but it is only happening on one 2008 box; all the other servers work fine. ??