?
Solved

Active Directory trust communication issues...

Posted on 2010-09-02
7
Medium Priority
?
602 Views
Last Modified: 2012-05-10
I am having an issue with a trust relationship that I have created.

Overview of my network

Domain A/B

2003 forest level
root domain (A)and child domain (B) fsmo roles within datacentre (firewalled)
Domain controller for domain B (Lets call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall


Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.

DNS zone transfers successfully created between both domains
WINS replication taking place between domains.

An incoming Trust has been established for domain C to trust domain B  but appears to have since broken.

From Domain C, the trust appears OK. I am told that the trust is valid and in place.

From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange things is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from rather than the PDC with which it is able to communicate with.

Can anyone provide any help?

DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets. The intention is to start refreshing desktop PCs in those subnets with the RPC

0
Comment
Question by:aideb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 24

Assisted Solution

by:Mike Thomas
Mike Thomas earned 400 total points
ID: 33587246
These ports need to be open between at least the domain naming masters for each domain for everything which you would want a trust to do to function, including configuring the trust.


RPC endpoint mapper 135/tcp, 135/udp
LSA RPC 42020/tcp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
LDAP 389/tcp+udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
0
 
LVL 2

Accepted Solution

by:
ckbhupen earned 1600 total points
ID: 33587318
It seems like you have a problem with DNS look up. Check your DNS Zone transfers and make sure they are successfully replicated. Specially, make sure that _msdcs.<your domain name> forward lookup zone is replicated for all domains to each domain's DNS.
0
 
LVL 2

Author Comment

by:aideb
ID: 33587777
MojoTech - Just going to get those ports put in place. Thanks

ckbhupen - do I need a zone transfer for the root domain too? Currently domain B and C are transferring
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 2

Author Comment

by:aideb
ID: 33587829
MojoTech - Can I just check that you mean those ports need to be open between Naming Master in domain B and Naming Master in C?
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33588353
That is correct yes aideb, that is a minumim though, ideally all dc's should be able to coomunicate on those ports.
0
 
LVL 2

Assisted Solution

by:ckbhupen
ckbhupen earned 1600 total points
ID: 33588830
You are getting this error message because DC in domain C cannot find DC in Domain B/A. Domain Controller registers its services in _msdcs.<domain name> and for some reason DC in domain C cannot find DC in Domain B/A. Thats why I suggested to make sure that DC can query for services in all domains.
0
 
LVL 2

Author Closing Comment

by:aideb
ID: 33595411
For some reason the zone changes were not set to forward to the name servers. Updated that and everything seems to be OK now.

I have yet to have the firewall changes put in place but they can only help

Cheers

Aide
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question