Solved

Active Directory trust communication issues...

Posted on 2010-09-02 | 598 Views | Last Modified: 2012-05-10
I am having an issue with a trust relationship that I have created.

Overview of my network

Domain A/B

2003 forest level
root domain (A) and child domain (B) FSMO roles within datacentre (firewalled)
Domain controller for domain B (let's call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall


Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.

DNS zone transfers successfully created between both domains
WINS replication taking place between domains.

An incoming trust has been established for domain C to trust domain B, but it appears to have since broken.

From Domain C, the trust appears OK. I am told that the trust is valid and in place.

From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange thing is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from, rather than the PDC with which it is able to communicate.

Can anyone provide any help?

DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets. The intention is to start refreshing desktop PCs in those subnets with the RPC

Question by:aideb

7 Comments
 
LVL 24

Assisted Solution

by:Mike Thomas
Mike Thomas earned 100 total points
ID: 33587246
These ports need to be open between at least the domain naming masters for each domain for everything which you would want a trust to do to function, including configuring the trust.
RPC endpoint mapper 135/tcp, 135/udp
LSA RPC 42020/tcp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
LDAP 389/tcp+udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
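The port list above can be checked from a DC on one side of the trust with a short PowerShell script. This is an added example, not code from the thread or from the answerer; the remote DC name, its domain name and the fixed LSA RPC port (42020 in the list above) are placeholders to substitute with your own values. Only the TCP side of each port can be probed with a TCP connect; 53/udp is exercised by sending a real DNS query, and the remaining UDP ports in the list (135, 137, 138, 88, 389) are only confirmed by the trust itself working.

```powershell
# Added example (not from the thread): probe the TCP ports listed in the
# answer above from this DC toward one DC on the far side of the trust.
$RemoteDc     = 'dc3.domainb.example'   # placeholder: a DC of the other domain
$RemoteDomain = 'domainb.example'       # placeholder: that domain's DNS name
$LsaRpcPort   = 42020                   # placeholder: the fixed LSA RPC port from the list above

# Ports from the list that a TCP connect can exercise.
$TcpPorts = [ordered]@{
    'RPC endpoint mapper'          = 135
    'LSA RPC (fixed port)'         = $LsaRpcPort
    'NetBIOS name service'         = 137
    'NetBIOS session service'      = 139
    'LDAP'                         = 389
    'LDAP over SSL'                = 636
    'Global catalog LDAP'          = 3268
    'Global catalog LDAP over SSL' = 3269
    'Kerberos'                     = 88
    'DNS'                          = 53
}

$results = foreach ($entry in $TcpPorts.GetEnumerator()) {
    # Test-NetConnection opens a TCP socket; a firewall drop shows up as a failed test.
    $probe = Test-NetConnection -ComputerName $RemoteDc -Port $entry.Value -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $entry.Key
        Port      = "$($entry.Value)/tcp"
        Reachable = $probe.TcpTestSucceeded
    }
}
$results | Sort-Object Reachable, Port | Format-Table -AutoSize

# 53/udp: a real query to the remote DC goes over UDP unless the answer is truncated.
try {
    Resolve-DnsName -Name $RemoteDomain -Type A -Server $RemoteDc -DnsOnly -ErrorAction Stop | Out-Null
    "DNS query to $RemoteDc (53/udp): OK"
} catch {
    "DNS query to $RemoteDc (53/udp): FAILED ($($_.Exception.Message))"
}

# Summarise what the firewall still blocks.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    'Blocked TCP ports: ' + (($blocked | ForEach-Object Port) -join ', ')
} else {
    'All listed TCP ports reachable.'
}
```

Run it from each DC that should be able to reach the other domain (the naming masters at minimum, as the answer says), in both directions, since the firewall rules for the two directions are usually separate.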
 
LVL 2

Accepted Solution

by:ckbhupen
ckbhupen earned 400 total points
ID: 33587318
It seems like you have a problem with DNS lookup. Check your DNS zone transfers and make sure they are successfully replicated. Especially, make sure that the _msdcs.<your domain name> forward lookup zone is replicated for all domains to each domain's DNS.
 
LVL 2

Author Comment

by:aideb
ID: 33587777
MojoTech - Just going to get those ports put in place. Thanks

ckbhupen - do I need a zone transfer for the root domain too? Currently domain B and C are transferring
 
LVL 2

Author Comment

by:aideb
ID: 33587829
MojoTech - Can I just check that you mean those ports need to be open between Naming Master in domain B and Naming Master in C?
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33588353
That is correct, yes aideb. That is a minimum though; ideally all DCs should be able to communicate on those ports.
 
LVL 2

Assisted Solution

by:ckbhupen
ckbhupen earned 400 total points
ID: 33588830
You are getting this error message because the DC in domain C cannot find a DC in Domain B/A. A domain controller registers its services in _msdcs.<domain name>, and for some reason the DC in domain C cannot find a DC in Domain B/A. That's why I suggested making sure that the DC can query for services in all domains.
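The locator records this answer refers to can be checked directly: ask each domain's DNS server for the other domain's _msdcs SRV records, then run the same DC locator lookup that trust validation relies on. This is an added example, not code from the thread or from the answerer; the domain names and DNS server addresses are placeholders. It also covers the root domain (A) asked about above if you add it to the list, since a DC in domain C must be able to locate DCs of every domain in the trusted forest it talks to.

```powershell
# Added example (not from the thread): verify that each domain's DNS server
# can return the DC locator records of the other domain(s), then query the
# locator itself. Domain names and DNS server addresses are placeholders.
$Domains = @(
    @{ Name = 'domainb.example'; DnsServer = '10.1.0.10' }   # placeholder: domain B and its DNS server
    @{ Name = 'domainc.example'; DnsServer = '10.2.0.10' }   # placeholder: domain C and its DNS server
)

# SRV names a DC registers under _msdcs and the locator queries:
# any DC, the PDC emulator, and the Kerberos KDC.
$LocatorRecords = @('_ldap._tcp.dc._msdcs', '_ldap._tcp.pdc._msdcs', '_kerberos._tcp.dc._msdcs')

foreach ($local in $Domains) {
    foreach ($remote in ($Domains | Where-Object { $_.Name -ne $local.Name })) {
        foreach ($prefix in $LocatorRecords) {
            $fqdn = "$prefix.$($remote.Name)"
            try {
                # -DnsOnly skips LLMNR/NetBIOS so only the named server's answer counts.
                $srv = Resolve-DnsName -Name $fqdn -Type SRV -Server $local.DnsServer -DnsOnly -ErrorAction Stop |
                       Where-Object Type -eq 'SRV'
                if ($srv) {
                    $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                    '{0} -> {1}: {2}' -f $local.DnsServer, $fqdn, $targets
                } else {
                    '{0} -> {1}: answer contained no SRV records' -f $local.DnsServer, $fqdn
                }
            } catch {
                # A zone that was transferred but whose _msdcs subzone is not
                # forwarded or delegated to the other domain's name servers lands here.
                '{0} -> {1}: FAILED ({2})' -f $local.DnsServer, $fqdn, $_.Exception.Message
            }
        }
    }
}

# From a DC of the trusting domain: ask the locator for a DC of the trusted
# domain, then verify the trust's secure channel (the check that produced the
# 'no logon servers available' error in the question).
$TrustedDomain = 'domainc.example'   # placeholder
nltest "/dsgetdc:$TrustedDomain" /force
nltest "/sc_verify:$TrustedDomain"
```

If the SRV queries fail while plain A-record lookups for the same domain succeed, the _msdcs zone is the part that is not being served, which matches the closing comment below about the zone not being forwarded to the name servers.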
 
LVL 2

Author Closing Comment

by:aideb
ID: 33595411
For some reason the zone changes were not set to forward to the name servers. Updated that and everything seems to be OK now.

I have yet to have the firewall changes put in place but they can only help

Cheers

Aide