Solved

Can't Setup a Trust Between MS 2008R2 servers - The Network Address is invalid

Posted on 2010-09-09
Last Modified: 2012-06-21
I can't set up a trust between my two domains.  I can set up a one-way trust on the newer domain's DC but can't even resolve the domain name when trying to set up the trust on the other (older) DC.  This is strange since I can resolve the new DC's hostname, FQDN and IP address from the old server, which has the new DC/DNS server and namespace configured as a Stub Zone.

The full error message is as follows:
Cannot Continue
The Trust relationship cannot be created because the following error occurred:

The Local Security Authority is unable to connect to the Active Directory Domain Controller DC1.newdomainname.lcl.  The error is: The network address is invalid.

Question by: ChocolateRain

Expert Comment

by: Mike Kline

How do you have DNS setup between the two domains and are there any firewalls between the two?
 
Thanks
Mike

Author Comment

by: ChocolateRain

Both domains are set up as stub zones on the DCs that are DNS servers in the other domain.  Meaning that the DC for the new domain has the old namespace set up as a stub zone and vice versa.

All firewalls have been turned off.

Expert Comment

by: Tony Massa

You really should be setting up conditional forwarders on your DCs.

Here's a DNSCMD to add AD-Integrated conditional forwarders to your DNS servers.  This will save you from having to configure the forwarder on every DNS server for the trusting domains.  You should add a forwarder to both sides of the trust:


DNSCMD /ZoneAdd domain1.com /DsForwarder 192.168.253.2 192.168.253.3



DNSCMD /ZoneAdd domain2.net /DsForwarder 192.168.253.2 192.168.253.3

Expert Comment

by: Tony Massa

If it's not clear from my post, the first command should be run on DOMAIN2.net DNS server, and second command should be run on DOMAIN1.com DNS server.

Remove the stub zones.

Author Comment

by: ChocolateRain

Ok, I removed the stub zones and added the forwarders via the command line as you illustrated.  Interestingly enough adding conditional forwarders wouldn't work in the GUI saying that "The Server with this IP address is not authoritative for the required zone" although in the CLI they were added successfully.

If that wasn't bewildering enough, now I can ping everything via FQDN between domains, but when I try to establish a trust and enter the domain name of the new domain on the old domain server's Trust Wizard it says: "The Network Address is invalid".  Although from the new DC in the new domain, in this same screen I can type the name of the old domain and it allows me to the next screen.  In fact, I was able to set up an External Non-Transitive Trust on the New DC to the Old Domain DCs just fine, although when I go to "Validate" this connection it errors out.

Expert Comment

by: Tony Massa

I assume that you're using the FQDN of the domains that you're trying to set up the trust for, correct?

Do you have two single-domain forests in this scenario?  They are completely different NETBIOS domain names as well?  You don't have any trusts set up in either domain currently?

Expert Comment

by: Tony Massa

Check this article:  http://support.microsoft.com/kb/285692

It will generate that error if one of the FSMO role holders is missing.  Just a shot.

Author Comment

by: ChocolateRain

Yes, the FQDNs I'm referring to are cross-domain FQDNs, not some other network.  So in my above post I'm referring to the fact that the servers in the old domain can ping "dc1.newdomain.lcl" and the server in the new domain can ping "olddc1.olddomain.com".

Both domains are resident in a forest with no other domains; they are single-domain forests.  The old and new domain names are completely different: the old one follows a "companynameglobal.com" format and the new one follows a "companyname.lcl" format.  The NETBIOS name is simply "companynameglobal", no ".com".  Both domains are without any other trust relationships.

I run "netdom query fsmo" and I see that all FSMO role holders are accounted for and up and running.

Accepted Solution

by: Tony Massa

Both NETBIOS domains are different?  And there are no other computers with the same NetBIOS name in either domain?

Can you check the output of a DCDIAG /v for any errors?

Author Comment

by: ChocolateRain

It looks like it failed the NCSecDesc saying "Error NET AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=Schema, CN=Configuration, DC=aimcoglobal, DC=com (Schema, Version 3)"  

There is more after that, would you like me to include it?  I believe this failed only because we haven't prepped or installed any RODCs.

There WAS a computer with the same NETBIOS name as this domain but I deleted it a few days ago when it was causing other problems.  Even though it is deleted (and no longer findable in ADUC), can it still be causing problems "beyond the grave"?


Author Comment

by: ChocolateRain

Well, I came in this morning, sat down and proceeded to run the Domain Trust Wizard again to see that it completed without incident.  I imagine it might have been related to the fact that we had a computer account with the same name as the new domain, but no way (that I know of) to tell for sure.
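
The checks discussed in this thread (DC locator resolution through the conditional forwarders, reachability of the other domain's DCs, and the NetBIOS name collision the asker suspects) can be scripted before re-running the trust wizard. This is an added example, not code posted by any participant in the thread; the domain names are placeholders, and it assumes the ActiveDirectory PowerShell module is available on the DC where it runs.

```powershell
# Added example; domain names are placeholders, not values from the thread.
param(
    [string]$RemoteFqdn    = 'newdomain.lcl',  # placeholder DNS name of the other domain
    [string]$RemoteNetbios = 'NEWDOMAIN'       # placeholder NetBIOS name of the other domain
)
Import-Module ActiveDirectory

function Get-DcLocatorHost([string]$Domain) {
    # DC locator SRV lookup. nslookup output is parsed because Resolve-DnsName
    # does not exist on Server 2008 R2.
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null | ForEach-Object {
        if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] }
    } | Sort-Object -Unique
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; returns $true only if the port accepts.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. The SRV records must resolve through the conditional forwarder.
$dcs = @(Get-DcLocatorHost $RemoteFqdn)
if ($dcs.Count -eq 0) { Write-Warning "No DC locator SRV records for $RemoteFqdn" }

# 2. Each advertised DC should answer on Kerberos, RPC endpoint mapper, LDAP and SMB.
foreach ($dc in $dcs) {
    foreach ($port in 88, 135, 389, 445) {
        New-Object PSObject -Property @{ DC = $dc; Port = $port; Open = (Test-TcpPort $dc $port) }
    }
}

# 3. A local account named after the other domain's NetBIOS name clashes with
#    the NETBIOS$ trust account that trust creation adds to the local domain.
$filter = "(|(sAMAccountName=$RemoteNetbios)(sAMAccountName=$RemoteNetbios`$))"
$clash  = @(Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, whenCreated)
if ($clash.Count -gt 0) {
    Write-Warning "Name collision with $RemoteNetbios in the local domain:"
    $clash | Select-Object sAMAccountName, ObjectClass, DistinguishedName, whenCreated
} else {
    "No local account uses the name $RemoteNetbios"
}
```

Run it once on each side of the trust with the other domain's names, since the thread shows the failure can be one-directional.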