Solved

Active Directory trust communication issues...

Posted on 2010-09-02
7
599 Views
Last Modified: 2012-05-10
I am having an issue with a trust relationship that I have created.

Overview of my network

Domain A/B

2003 forest level
root domain (A)and child domain (B) fsmo roles within datacentre (firewalled)
Domain controller for domain B (Lets call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall


Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.

DNS zone transfers successfully created between both domains
WINS replication taking place between domains.

An incoming Trust has been established for domain C to trust domain B  but appears to have since broken.

From Domain C, the trust appears OK. I am told that the trust is valid and in place.

From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange things is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from rather than the PDC with which it is able to communicate with.

Can anyone provide any help?

DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets. The intention is to start refreshing desktop PCs in those subnets with the RPC

0
Comment
Question by:aideb
  • 3
  • 2
  • 2
7 Comments
 
LVL 24

Assisted Solution

by:Mike Thomas
Mike Thomas earned 100 total points
ID: 33587246
These ports need to be open between at least the domain naming masters for each domain for everything which you would want a trust to do to function, including configuring the trust.


RPC endpoint mapper 135/tcp, 135/udp
LSA RPC 42020/tcp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
LDAP 389/tcp+udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
0
 
LVL 2

Accepted Solution

by:
ckbhupen earned 400 total points
ID: 33587318
It seems like you have a problem with DNS look up. Check your DNS Zone transfers and make sure they are successfully replicated. Specially, make sure that _msdcs.<your domain name> forward lookup zone is replicated for all domains to each domain's DNS.
0
 
LVL 2

Author Comment

by:aideb
ID: 33587777
MojoTech - Just going to get those ports put in place. Thanks

ckbhupen - do I need a zone transfer for the root domain too? Currently domain B and C are transferring
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 2

Author Comment

by:aideb
ID: 33587829
MojoTech - Can I just check that you mean those ports need to be open between Naming Master in domain B and Naming Master in C?
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33588353
That is correct yes aideb, that is a minumim though, ideally all dc's should be able to coomunicate on those ports.
0
 
LVL 2

Assisted Solution

by:ckbhupen
ckbhupen earned 400 total points
ID: 33588830
You are getting this error message because DC in domain C cannot find DC in Domain B/A. Domain Controller registers its services in _msdcs.<domain name> and for some reason DC in domain C cannot find DC in Domain B/A. Thats why I suggested to make sure that DC can query for services in all domains.
0
 
LVL 2

Author Closing Comment

by:aideb
ID: 33595411
For some reason the zone changes were not set to forward to the name servers. Updated that and everything seems to be OK now.

I have yet to have the firewall changes put in place but they can only help

Cheers

Aide
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question