Solved

Can't Setup a Trust Between MS 2008R2 servers - The Network Address is invalid

Posted on 2010-09-09
Last Modified: 2012-06-21
I can't set up a trust between my two domains.  I can set up a one-way trust on the newer domain's DC but can't even resolve the domain name when trying to set up the trust on the other (older) DC.  This is strange since I can resolve the new DC's hostname, FQDN and IP address from the old server, which has the new DC/DNS server and namespace configured as a Stub Zone.

The full error message is as follows:
Cannot Continue
The Trust relationship cannot be created because the following error occurred:

The Local Security Authority is unable to connect to the Active Directory Domain Controller DC1.newdomainname.lcl.  The error is: The network address is invalid.
Question by:ChocolateRain
11 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33638769
How do you have DNS setup between the two domains and are there any firewalls between the two?
 
Thanks
Mike
0
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33638948
Both domains are set up as stub zones on the DCs that are DNS servers in the other domain.  Meaning that the DC for the new domain has the old namespace set up as a stub zone and vice versa.

All firewalls have been turned off.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33639508
You really should be setting up conditional forwarders on your DCs.

Here's a DNSCMD to add AD-Integrated conditional forwarders to your DNS servers.  This will save you from having to configure the forwarder on every DNS server for the trusting domains.  You should add a forwarder to both sides of the trust:


DNSCMD /ZoneAdd domain1.com /DsForwarder 192.168.253.2 192.168.253.3

DNSCMD /ZoneAdd domain2.net /DsForwarder 192.168.253.2 192.168.253.3


0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33639531
If it's not clear from my post, the first command should be run on DOMAIN2.net DNS server, and second command should be run on DOMAIN1.com DNS server.

Remove the stub zones.
0
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33641014
OK, I removed the stub zones and added the forwarders via the command line as you illustrated.  Interestingly enough, adding conditional forwarders wouldn't work in the GUI, saying that "The Server with this IP address is not authoritative for the required zone", although in the CLI they were added successfully.

If that wasn't bewildering enough, now I can ping everything via FQDN between domains, but when I try to establish a trust and enter the domain name of the new domain on the old domain server's Trust Wizard, it says: "The Network Address is invalid".  From the new DC in the new domain, on this same screen, I can type the name of the old domain and it allows me to the next screen.  In fact, I was able to set up an External Non-Transitive Trust on the New DC to the Old Domain DCs just fine, although when I go to "Validate" this connection it errors out.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33641254
I assume that you're using the FQDN of the domains that you're trying to set up the trust for, correct?

Do you have two single-domain forests in this scenario?  They are completely different NETBIOS domain names as well?  You don't have any trusts set up in either domain currently?
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33641287
Check this article:  http://support.microsoft.com/kb/285692

It will generate that error if one of the FSMO role holders is missing.  Just a shot.
0
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33642429
Yes, the FQDNs I'm referring to are cross-domain FQDNs, not some other network.  So in my above post I'm referring to the fact that the servers in the old domain can ping "dc1.newdomain.lcl" and the server in the new domain can ping "olddc1.olddomain.com".

Both domains are resident in a forest with no other domains; they are single-domain forests.  The old and new domain names are completely different: the old one follows a "companynameglobal.com" format and the new one follows a "companyname.lcl" format.  The NETBIOS name is simply "companynameglobal", no ".com".  Both domains are without any other trust relationships.

I run "netdom query fsmo" and I see that all FSMO role holders are accounted for and up and running.
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 33642557
Both NETBIOS domains are different?  And there are no other computers with the same NETBIOS name in either domain?

Can you check the output of a DCDIAG /v for any errors?
0
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33642701
It looks like it failed the NCSecDesc saying "Error NET AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=Schema, CN=Configuration, DC=aimcoglobal, DC=com (Schema, Version 3)"  

There is more after that, would you like me to include it?  I believe this failed only because we haven't prepped or installed any RODCs.

There WAS a computer with the same NETBIOS name as this domain but I deleted it a few days ago when it was causing other problems.  Even though it is deleted (and no longer findable in ADUC), can it still be causing problems "beyond the grave"?


0
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33663501
Well, I came in this morning, sat down and proceeded to run the Domain Trust Wizard again to see that it completed without incident.  I imagine it might have been related to the fact that we had a computer account with the same name as the new domain, but there is no way (that I know of) to tell for sure.
0
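
Added example, not part of the thread: a PowerShell pre-check, run on a DC of the trusting domain, for the conditions the replies above ask about (DNS and DC locator for the other domain, and an account whose name matches the other domain's NetBIOS name, live or deleted). The two domain names are placeholders, and it assumes the ActiveDirectory module is installed.

```powershell
param(
    [string]$RemoteDns     = 'newdomain.example',  # placeholder: DNS name of the other domain
    [string]$RemoteNetbios = 'NEWDOMAIN'           # placeholder: NetBIOS name of the other domain
)
Import-Module ActiveDirectory
$findings = @()

# 1. SRV record the DC locator needs in order to find the other domain's DCs.
#    Being able to ping a DC by FQDN only proves its A record resolves.
$srv = (& nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDns" 2>&1 | Out-String)
if ($srv -notmatch 'svr hostname') {
    $findings += "No _ldap._tcp.dc._msdcs SRV record resolved for $RemoteDns"
}

# 2. DC locator itself; exit code 0 means a DC for the other domain was found.
& nltest.exe "/dsgetdc:$RemoteDns" | Out-Null
if ($LASTEXITCODE -ne 0) {
    $findings += "nltest could not locate a DC for $RemoteDns (exit code $LASTEXITCODE)"
}

# 3. Objects in the local domain named like the other domain's NetBIOS name.
#    A computer account NEWDOMAIN has sAMAccountName NEWDOMAIN$.
#    -IncludeDeletedObjects also returns tombstones of deleted accounts.
#    Note: once a trust exists, its own trust account matches this filter too.
$filter = "(|(sAMAccountName=$RemoteNetbios)(sAMAccountName=$RemoteNetbios`$))"
$hits = @(Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects `
            -Properties sAMAccountName, isDeleted, whenChanged)
foreach ($h in $hits) {
    $state = if ($h.isDeleted) { 'deleted' } else { 'live' }
    $findings += "Name match: $($h.sAMAccountName) [$($h.ObjectClass), $state, " +
                 "changed $($h.whenChanged)] $($h.DistinguishedName)"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```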
