Solved

Can't Setup a Trust Between MS 2008R2 servers - The Network Address is invalid

Posted on 2010-09-09
Last Modified: 2012-06-21
I can't set up a trust between my two domains.  I can set up a one-way trust on the newer domain's DC but can't even resolve the domain name when trying to set up the trust on the other (older) DC.  This is strange since I can resolve the new DC's hostname, FQDN and IP address from the old server, which has the new DC/DNS server and namespace configured as a stub zone.

The full error message is as follows:
Cannot Continue
The Trust relationship cannot be created because the following error occurred:

The Local Security Authority is unable to connect to the Active Directory Domain Controller DC1.newdomainname.lcl.  The error is: The network address is invalid.
Question by:ChocolateRain

Expert Comment by: Mike Kline (LVL 57), ID: 33638769
How do you have DNS setup between the two domains and are there any firewalls between the two?
 
Thanks
Mike

Author Comment by: ChocolateRain (LVL 1), ID: 33638948
Both domains are set up as stub zones on the DCs that are DNS servers in the other domain.  Meaning, the DC for the new domain has the old namespace set up as a stub zone and vice versa.

All firewalls have been turned off.

Expert Comment by: Tony Massa (LVL 17), ID: 33639508
You really should be setting up conditional forwarders on your DCs.

Here's a DNSCMD to add AD-Integrated conditional forwarders to your DNS servers.  This will save you from having to configure the forwarder on every DNS server for the trusting domains.  You should add a forwarder to both sides of the trust:


DNSCMD /ZoneAdd domain1.com /DsForwarder 192.168.253.2 192.168.253.3

DNSCMD /ZoneAdd domain2.net /DsForwarder 192.168.253.2 192.168.253.3


Expert Comment by: Tony Massa (LVL 17), ID: 33639531
If it's not clear from my post, the first command should be run on DOMAIN2.net DNS server, and second command should be run on DOMAIN1.com DNS server.

Remove the stub zones.

Author Comment by: ChocolateRain (LVL 1), ID: 33641014
OK, I removed the stub zones and added the forwarders via the command line as you illustrated.  Interestingly enough, adding conditional forwarders wouldn't work in the GUI, saying that "The Server with this IP address is not authoritative for the required zone", although in the CLI they were added successfully.

If that wasn't bewildering enough, now I can ping everything via FQDN between domains, but when I try to establish a trust and enter the domain name of the new domain on the old domain server's Trust Wizard, it says: "The Network Address is invalid".  Although from the new DC in the new domain, in this same screen, I can type the name of the old domain and it allows me to the next screen.  In fact, I was able to set up an External Non-Transitive Trust on the new DC to the old domain DCs just fine, although when I go to "Validate" this connection it errors out.

Expert Comment by: Tony Massa (LVL 17), ID: 33641254
I assume that you're using the FQDN of the domains that you're trying to set up the trust for, correct?

Do you have two single-domain forests in this scenario?  They are completely different NETBIOS domain names as well?  You don't have any trusts set up in either domain currently?

Expert Comment by: Tony Massa (LVL 17), ID: 33641287
Check this article:  http://support.microsoft.com/kb/285692

It will generate that error if one of the FSMO role holders is missing.  Just a shot.

Author Comment by: ChocolateRain (LVL 1), ID: 33642429
Yes, the FQDNs I'm referring to are cross-domain FQDNs, not some other network.  So in my above post I'm referring to the fact that the servers in the old domain can ping "dc1.newdomain.lcl" and the server in the new domain can ping "olddc1.olddomain.com".

Both domains are resident in a forest with no other domains; they are single-domain forests.  The old and new domain names are completely different: the old one follows a "companynameglobal.com" format and the new one follows a "companyname.lcl" format.  The NETBIOS name is simply "companynameglobal", no ".com".  Both domains are without any other trust relationships.

I run "netdom query fsmo" and I see that all FSMO role holders are accounted for and up and running.

Accepted Solution by: Tony Massa (LVL 17, earned 2000 total points), ID: 33642557
Both NETBIOS domains are different?  And there are no other computers with the same NetBIOS name in either domain?

Can you check the output of DCDIAG /v for any errors?
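A pre-flight script for the checks this thread converges on, added here as an example (it is not from the thread or from either participant): it confirms that the remote domain is reached through a conditional forwarder rather than a stub zone, that its DC locator SRV records resolve, that no local directory object carries the remote domain's NetBIOS name (the stale computer account the asker later suspected), and it summarises any dcdiag failures. It assumes the ActiveDirectory and DnsServer PowerShell modules are available (RSAT on Windows Server 2012 or later; the 2008 R2 servers in the thread have dnscmd but not the DnsServer module), and the domain names are placeholders.

```powershell
# Added example, not from the thread. Pre-flight checks before creating an external/forest trust.
# Assumes the ActiveDirectory and DnsServer modules (RSAT, Windows Server 2012+).
param(
    [string]$RemoteDnsDomain = 'newdomain.lcl',   # placeholder DNS name of the other domain
    [string]$RemoteNetbios   = 'NEWDOMAIN'        # placeholder NetBIOS name of the other domain
)

Import-Module ActiveDirectory
Import-Module DnsServer

function Test-RemoteDomainDns {
    param([string]$Domain)
    # A trust needs the other domain's DC locator records (_ldap._tcp.dc._msdcs), not just A records,
    # so resolve those rather than the bare domain name.
    $result = [ordered]@{ Domain = $Domain; ZoneType = $null; DcSrv = @(); Ok = $false; Error = $null }
    $zone = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
    if ($zone) { $result.ZoneType = $zone.ZoneType }   # 'Forwarder' expected; 'Stub' is what the thread removed
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        $result.DcSrv = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
        $result.Ok = $result.DcSrv.Count -gt 0
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Find-NetbiosCollision {
    param([string]$Name)
    # Look for local objects that answer to the remote domain's NetBIOS name. Computer accounts
    # store it as NAME$ in sAMAccountName; -IncludeDeletedObjects also shows tombstones when the
    # AD Recycle Bin is enabled, which is the "beyond the grave" case the asker wondered about.
    $hits = @(Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue) +
            @(Get-ADObject -Filter "sAMAccountName -eq '$Name`$'" -IncludeDeletedObjects -ErrorAction SilentlyContinue)
    $hits | Where-Object { $null -ne $_ }
}

function Test-DcLocator {
    param([string]$Domain)
    # nltest asks the DC locator the same question the trust wizard asks when it tries to find a DC.
    $out = & nltest.exe "/dsgetdc:$Domain" 2>&1
    [pscustomobject]@{ Domain = $Domain; ExitCode = $LASTEXITCODE; Output = ($out -join "`n") }
}

function Invoke-DcDiagSummary {
    # Run dcdiag /v and keep only the lines reporting a failed test, which is what the accepted answer asks for.
    $out = & dcdiag.exe /v 2>&1
    $out | Where-Object { $_ -match 'failed test' }
}

$dns = Test-RemoteDomainDns -Domain $RemoteDnsDomain
$dns | Format-List
if ($dns.ZoneType -eq 'Stub') {
    Write-Warning "Zone $RemoteDnsDomain is a stub zone; the thread replaced these with conditional forwarders."
}

$collisions = @(Find-NetbiosCollision -Name $RemoteNetbios)
if ($collisions.Count -gt 0) {
    Write-Warning "Local objects share the remote NetBIOS name '$RemoteNetbios':"
    $collisions | Format-Table Name, ObjectClass, DistinguishedName -AutoSize
}

Test-DcLocator -Domain $RemoteDnsDomain | Format-List
Invoke-DcDiagSummary
```

Run it on a DC of the domain that cannot complete the wizard, once per direction of the trust. An empty `DcSrv` with a `Forwarder` zone type points at the forwarder's target servers; a non-empty collision list is the condition this thread ended on.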

Author Comment by: ChocolateRain (LVL 1), ID: 33642701
It looks like it failed the NCSecDesc test, saying "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=Schema, CN=Configuration, DC=aimcoglobal, DC=com (Schema, Version 3)"

There is more after that, would you like me to include it?  I believe this failed only because we haven't prepped or installed any RODCs.

There WAS a computer with the same NETBIOS name as this domain, but I deleted it a few days ago when it was causing other problems.  Even though it is deleted (and no longer findable in ADUC), can it still be causing problems "beyond the grave"?


Author Comment by: ChocolateRain (LVL 1), ID: 33663501
Well, I came in this morning, sat down and proceeded to run the Domain Trust Wizard again, to see that it completed without incident.  I imagine it might have been related to the fact that we had a computer account with the same name as the new domain, but no way (that I know of) to tell for sure.