Solved

Active Directory trust communication issues...

Posted on 2010-09-02
7
595 Views
Last Modified: 2012-05-10
I am having an issue with a trust relationship that I have created.

Overview of my network

Domain A/B

2003 forest level
root domain (A)and child domain (B) fsmo roles within datacentre (firewalled)
Domain controller for domain B (Lets call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall


Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.

DNS zone transfers successfully created between both domains
WINS replication taking place between domains.

An incoming Trust has been established for domain C to trust domain B  but appears to have since broken.

From Domain C, the trust appears OK. I am told that the trust is valid and in place.

From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange things is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from rather than the PDC with which it is able to communicate with.

Can anyone provide any help?

DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets. The intention is to start refreshing desktop PCs in those subnets with the RPC

0
Comment
Question by:aideb
  • 3
  • 2
  • 2
7 Comments
 
LVL 24

Assisted Solution

by:MojoTech
MojoTech earned 100 total points
Comment Utility
These ports need to be open between at least the domain naming masters for each domain for everything which you would want a trust to do to function, including configuring the trust.


RPC endpoint mapper 135/tcp, 135/udp
LSA RPC 42020/tcp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
LDAP 389/tcp+udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
0
 
LVL 2

Accepted Solution

by:
ckbhupen earned 400 total points
Comment Utility
It seems like you have a problem with DNS look up. Check your DNS Zone transfers and make sure they are successfully replicated. Specially, make sure that _msdcs.<your domain name> forward lookup zone is replicated for all domains to each domain's DNS.
0
 
LVL 2

Author Comment

by:aideb
Comment Utility
MojoTech - Just going to get those ports put in place. Thanks

ckbhupen - do I need a zone transfer for the root domain too? Currently domain B and C are transferring
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 2

Author Comment

by:aideb
Comment Utility
MojoTech - Can I just check that you mean those ports need to be open between Naming Master in domain B and Naming Master in C?
0
 
LVL 24

Expert Comment

by:MojoTech
Comment Utility
That is correct yes aideb, that is a minumim though, ideally all dc's should be able to coomunicate on those ports.
0
 
LVL 2

Assisted Solution

by:ckbhupen
ckbhupen earned 400 total points
Comment Utility
You are getting this error message because DC in domain C cannot find DC in Domain B/A. Domain Controller registers its services in _msdcs.<domain name> and for some reason DC in domain C cannot find DC in Domain B/A. Thats why I suggested to make sure that DC can query for services in all domains.
0
 
LVL 2

Author Closing Comment

by:aideb
Comment Utility
For some reason the zone changes were not set to forward to the name servers. Updated that and everything seems to be OK now.

I have yet to have the firewall changes put in place but they can only help

Cheers

Aide
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now