Solved

Can't Setup a Trust Between MS 2008R2 servers - The Network Address is invalid

Posted on 2010-09-09
11
1,713 Views
Last Modified: 2012-06-21
I can't set up a trust between my two domains. I can set up a one-way trust on the newer domain's DC but can't even resolve the domain name when trying to set up the trust on the other (older) DC. This is strange since I can resolve the new DC's hostname, FQDN and IP address from the old server, which has the new DC/DNS server and namespace configured as a Stub Zone.

The full error message is as follows:
Cannot Continue
The trust relationship cannot be created because the following error occurred:

The Local Security Authority is unable to connect to the Active Directory Domain Controller DC1.newdomainname.lcl. The error is: The network address is invalid.
Question by:ChocolateRain
11 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33638769
How do you have DNS setup between the two domains and are there any firewalls between the two?
 
Thanks
Mike
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33638948
Both domains are set up as stub zones on the DCs that are DNS servers in the other domain. Meaning, the DC for the new domain has the old namespace set up as a stub zone and vice versa.

All firewalls have been turned off.
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33639508
You really should be setting up conditional forwarders on your DCs.

Here's a DNSCMD command to add AD-integrated conditional forwarders to your DNS servers. This will save you from having to configure the forwarder on every DNS server for the trusting domains. You should add a forwarder on both sides of the trust:


DNSCMD /ZoneAdd domain1.com /DsForwarder 192.168.253.2 192.168.253.3

DNSCMD /ZoneAdd domain2.net /DsForwarder 192.168.253.2 192.168.253.3


 
LVL 17

Expert Comment

by:Tony Massa
ID: 33639531
If it's not clear from my post, the first command should be run on DOMAIN2.net DNS server, and second command should be run on DOMAIN1.com DNS server.

Remove the stub zones.
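The two posts above describe one procedure: drop the stub zone, add an AD-integrated conditional forwarder on each side, then confirm the other domain's DCs can be located. The script below is an added example, not code from the thread or from Tony Massa; it runs the same DNSCMD commands on one side and then checks the SRV records and DC locator lookup that the trust wizard depends on. Run it once on a DNS server in each domain with $Partner describing the other domain; the zone name and addresses are placeholders.

```powershell
# Added example (not from the thread): apply the conditional-forwarder layout on
# one side of the trust and verify that the partner domain's DCs can be located.
# Run as a domain admin on a DC/DNS server; $Partner describes the *other* domain.
$Partner = @{
    Zone    = 'domain2.net'                           # placeholder: the other domain's FQDN
    Servers = @('192.168.253.2', '192.168.253.3')     # placeholder: that domain's DNS servers
}
$zone = $Partner.Zone

# 1. A stub zone and a conditional forwarder cannot share a name, so remove the
#    stub zone first (the "Remove the stub zones" step above). dnscmd /EnumZones
#    prints one line per zone with its type in the second column.
$zoneLine = dnscmd /EnumZones | Where-Object { $_ -match "^\s*$([regex]::Escape($zone))\s" }
if ($zoneLine -match '\bStub\b') {
    dnscmd /ZoneDelete $zone /DsDel /f | Out-Null
    Write-Host "Removed stub zone $zone"
}

# 2. Add the AD-integrated conditional forwarder. PowerShell expands the array into
#    separate arguments, so this is exactly the /ZoneAdd command shown above.
dnscmd /ZoneAdd $zone /DsForwarder $Partner.Servers | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd $zone failed with exit code $LASTEXITCODE" }

# 3. Verify what the trust wizard actually needs rather than a plain ping:
#    the partner's DC SRV records and a successful DC locator (nltest) lookup.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zone"
nltest /dsgetdc:$zone
if ($LASTEXITCODE -ne 0) { Write-Warning "DC locator could not find a DC for $zone; check the forwarder targets and firewalls" }
```

The GUI refuses a forwarder whose target is not authoritative for the zone, which is the "not authoritative for the required zone" message reported later in the thread; the nltest step is what tells you whether the forwarder actually works.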
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33641014
Ok, I removed the stub zones and added the forwarders via the command line as you illustrated. Interestingly enough, adding conditional forwarders wouldn't work in the GUI, which said "The Server with this IP address is not authoritative for the required zone", although in the CLI they were added successfully.

If that wasn't bewildering enough, now I can ping everything via FQDN between domains, but when I try to establish a trust and enter the domain name of the new domain in the old domain server's Trust Wizard it says: "The Network Address is invalid". From the new DC in the new domain, in this same screen, I can type the name of the old domain and it allows me on to the next screen. In fact, I was able to set up an External Non-Transitive Trust on the new DC to the old domain DCs just fine, although when I go to "Validate" this connection it errors out.
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33641254
I assume that you're using the FQDN of the domains that you're trying to set up the trust for, correct?

Do you have two single-domain forests in this scenario? Do they have completely different NETBIOS domain names as well? You don't have any trusts set up in either domain currently?
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33641287
Check this article:  http://support.microsoft.com/kb/285692

It will generate that error if one of the FSMO role holders is missing.  Just a shot.
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33642429
Yes, the FQDNs I'm referring to are cross-domain FQDNs, not some other network. So in my above post I'm referring to the fact that the servers in the old domain can ping "dc1.newdomain.lcl" and the server in the new domain can ping "olddc1.olddomain.com".

Both domains are resident in a forest with no other domains; they are single-domain forests. The old and new domain names are completely different: the old one follows a "companynameglobal.com" format and the new one follows a "companyname.lcl" format. The NETBIOS name is simply "companynameglobal", no ".com". Both domains are without any other trust relationships.

I ran "netdom query fsmo" and I see that all FSMO role holders are accounted for and up and running.
 
LVL 17

Accepted Solution

by:Tony Massa (earned 500 total points)
ID: 33642557
Both NETBIOS domains are different? And there are no other computers with the same NETBIOS name in either domain?

Can you check the output of a DCDIAG /v for any errors?
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33642701
It looks like it failed the NCSecDesc test, saying "Error NET AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=Schema, CN=Configuration, DC=aimcoglobal, DC=com (Schema, Version 3)"

There is more after that, would you like me to include it?  I believe this failed only because we haven't prepped or installed any RODCs.

There WAS a computer with the same NETBIOS name as this domain, but I deleted it a few days ago when it was causing other problems. Even though it is deleted (and no longer findable in ADUC), can it still be causing problems "beyond the grave"?

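The accepted answer asks about a NETBIOS name collision and existing trusts, and the reply above asks whether a deleted computer account can still interfere. The script below is an added example, not code from the thread: it searches the local domain for live objects carrying the partner domain's NETBIOS name, then for tombstones of the same name (a deleted object is hidden from ADUC but remains in CN=Deleted Objects until the tombstone lifetime expires), and lists any trustedDomain objects already present. It assumes the ActiveDirectory PowerShell module is installed on the DC; COMPANYNAME is a placeholder.

```powershell
# Added example (not from the thread): check for a NETBIOS name collision with the
# partner domain, including tombstoned objects, and list trusts already defined.
# Assumption: the ActiveDirectory module (RSAT) is available on this DC.
Import-Module ActiveDirectory

$PartnerNetbios = 'COMPANYNAME'        # placeholder: NETBIOS name of the other domain
$domainDn = (Get-ADDomain).DistinguishedName

# Live objects: a computer account's sAMAccountName carries a trailing '$',
# so match the bare name, the account name and the computer form.
$liveFilter = "(|(name=$PartnerNetbios)(sAMAccountName=$PartnerNetbios)(sAMAccountName=$PartnerNetbios`$))"
$live = Get-ADObject -LDAPFilter $liveFilter -Properties objectClass, whenChanged

# Deleted objects keep sAMAccountName on the tombstone, so the same name can
# still be found after deletion; -IncludeDeletedObjects is required to see them.
$goneFilter = "(&(isDeleted=TRUE)(sAMAccountName=$PartnerNetbios`$))"
$gone = Get-ADObject -LDAPFilter $goneFilter -IncludeDeletedObjects `
                     -Properties whenChanged, lastKnownParent

# Trusts already defined in this domain live under CN=System as trustedDomain objects.
$trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                       -SearchBase "CN=System,$domainDn" -Properties flatName, trustPartner

Write-Output "Live objects matching '$PartnerNetbios':"
$live | Format-Table Name, ObjectClass, whenChanged -AutoSize
Write-Output "Tombstoned objects matching '$PartnerNetbios':"
$gone | Format-Table Name, whenChanged, lastKnownParent -AutoSize
Write-Output "Trusts already defined in this domain:"
$trusts | Format-Table flatName, trustPartner -AutoSize
```

A hit in the tombstone list confirms the deleted account is still in the directory, which is worth knowing before the trust wizard is rerun; the trust list answers the earlier question about pre-existing trusts.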
 
LVL 1

Author Comment

by:ChocolateRain
ID: 33663501
Well, I came in this morning, sat down and proceeded to run the Domain Trust Wizard again, to see that it completed without incident. I imagine it might have been related to the fact that we had a computer account with the same name as the new domain, but there's no way (that I know of) to tell for sure.