Solved

Active Directory trust communication issues...

Posted on 2010-09-02
596 Views
Last Modified: 2012-05-10
I am having an issue with a trust relationship that I have created.

Overview of my network

Domain A/B

2003 forest level
root domain (A) and child domain (B) FSMO roles within datacentre (firewalled)
Domain controller for domain B (let's call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall


Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.

DNS zone transfers successfully created between both domains
WINS replication taking place between domains.

An incoming Trust has been established for domain C to trust domain B, but appears to have since broken.

From Domain C, the trust appears OK. I am told that the trust is valid and in place.

From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange thing is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from, rather than the PDC with which it is able to communicate.

Can anyone provide any help?

DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets. The intention is to start refreshing desktop PCs in those subnets with the RPC

Question by:aideb

7 Comments
LVL 24

Assisted Solution

by:Mike Thomas
Mike Thomas earned 100 total points
ID: 33587246
These ports need to be open between at least the domain naming masters for each domain for everything which you would want a trust to do to function, including configuring the trust.
RPC endpoint mapper 135/tcp, 135/udp
LSA RPC 42020/tcp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
LDAP 389/tcp+udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
LVL 2

Accepted Solution

by:ckbhupen
ckbhupen earned 400 total points
ID: 33587318
It seems like you have a problem with DNS lookup. Check your DNS zone transfers and make sure they are successfully replicated. Especially, make sure that the _msdcs.<your domain name> forward lookup zone is replicated for all domains to each domain's DNS.
LVL 2

Author Comment

by:aideb
ID: 33587777
MojoTech - Just going to get those ports put in place. Thanks

ckbhupen - do I need a zone transfer for the root domain too? Currently domains B and C are transferring.
LVL 2

Author Comment

by:aideb
ID: 33587829
MojoTech - Can I just check that you mean those ports need to be open between Naming Master in domain B and Naming Master in C?
LVL 24

Expert Comment

by:Mike Thomas
ID: 33588353
That is correct, yes aideb. That is a minimum though; ideally all DCs should be able to communicate on those ports.
LVL 2

Assisted Solution

by:ckbhupen
ckbhupen earned 400 total points
ID: 33588830
You are getting this error message because the DC in domain C cannot find a DC in Domain B/A. A Domain Controller registers its services in _msdcs.<domain name>, and for some reason the DC in domain C cannot find a DC in Domain B/A. That's why I suggested making sure that the DC can query for services in all domains.
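A diagnostic script, added here as an example and not posted by anyone in the thread, that checks from a DC on the trusting side the two things raised above: that the _ldap._tcp.dc._msdcs SRV records for the trusted domain resolve (ckbhupen's point), and that every DC they advertise is reachable on the TCP ports Mike Thomas listed. It assumes PowerShell 3 or later with the DnsClient module (Resolve-DnsName); the trusted domain name and the port list are parameters, and UDP and the non-standard 42020 are not probed.

```powershell
# Added example (not from the thread): from a DC in the trusting domain, check that the
# trusted domain's DCs can be located through _msdcs SRV records and reached on the
# TCP trust ports. Assumes PowerShell 3+ with the DnsClient module (Resolve-DnsName).
param(
    [Parameter(Mandatory)] [string] $TrustedDomain,   # FQDN of the trusted domain, e.g. domain C
    # TCP ports from the list posted above (UDP and the non-standard 42020 are not probed)
    [int[]] $TcpPorts = @(53, 88, 135, 139, 389, 636, 3268, 3269),
    [int] $TimeoutMs = 2000
)

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered / timed out
        $client.EndConnect($handle)
        return $true
    } catch { return $false }          # connection refused or name resolution failure
    finally { $client.Close() }
}

# DCs register themselves under _msdcs; if this lookup fails, the trusting side cannot find
# any logon server for the trusted domain, whatever the firewall allows.
$srvName = "_ldap._tcp.dc._msdcs.$TrustedDomain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    Write-Warning "Verify the _msdcs zone is replicated or forwarded to this DC's DNS servers."
    return
}

# Every DC in the SRV answer is a DC-locator candidate, so each one is probed; a candidate
# with blocked ports explains validation attempts against an unreachable DC.
foreach ($record in ($srv | Sort-Object Priority, Weight)) {
    $open = @(); $closed = @()
    foreach ($port in $TcpPorts) {
        if (Test-TcpPort -ComputerName $record.NameTarget -Port $port -TimeoutMs $TimeoutMs) {
            $open += $port
        } else {
            $closed += $port
        }
    }
    [pscustomobject]@{
        DomainController = $record.NameTarget
        OpenTcp          = ($open -join ', ')
        BlockedTcp       = ($closed -join ', ')
    }
}
```

Run it as `.\Test-TrustPath.ps1 -TrustedDomain <trusted domain FQDN>` (file name is arbitrary); a DC that appears in the SRV answer with every port blocked is one the locator may still choose, which matches the behaviour described in the question.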
LVL 2

Author Closing Comment

by:aideb
ID: 33595411
For some reason the zone changes were not set to forward to the name servers. Updated that and everything seems to be OK now.

I have yet to have the firewall changes put in place, but they can only help.

Cheers

Aide