• Status: Solved

Can't Set Up a Trust Between MS 2008R2 servers - The Network Address is invalid

I can't set up a trust between my two domains.  I can set up a one-way trust on the newer domain's DC but can't even resolve the domain name when trying to set up the trust on the other (older) DC.  This is strange since I can resolve the new DC's hostname, FQDN and IP address from the old server, which has the new DC/DNS server and namespace configured as a Stub Zone.

The full error message is as follows:
Cannot Continue
The Trust relationship cannot be created because the following error occurred:

The Local Security Authority is unable to connect to the Active Directory Domain Controller DC1.newdomainname.lcl.  The error is: The network address is invalid.
ChocolateRain
Asked:
 
Mike Kline Commented:
How do you have DNS set up between the two domains and are there any firewalls between the two?
 
Thanks
Mike
 
ChocolateRain (Author) Commented:
Both domains are set up as stub zones on the DCs that are DNS servers in the other domain.  Meaning that the DC for the new domain has the old namespace set up as a stub zone and vice versa.

All firewalls have been turned off.
 
Tony Massa Commented:
You really should be setting up conditional forwarders on your DCs.

Here's a DNSCMD to add AD-Integrated conditional forwarders to your DNS servers.  This will save you from having to configure the forwarder on every DNS server for the trusting domains.  You should add a forwarder to both sides of the trust:


DNSCMD /ZoneAdd domain1.com /DsForwarder 192.168.253.2 192.168.253.3

DNSCMD /ZoneAdd domain2.net /DsForwarder 192.168.253.2 192.168.253.3

Tony Massa Commented:
If it's not clear from my post, the first command should be run on DOMAIN2.net DNS server, and second command should be run on DOMAIN1.com DNS server.

Remove the stub zones.
 
ChocolateRain (Author) Commented:
Ok, I removed the stub zones and added the forwarders via the command line as you illustrated.  Interestingly enough, adding conditional forwarders wouldn't work in the GUI, saying that "The Server with this IP address is not authoritative for the required zone", although in the CLI they were added successfully.

If that wasn't bewildering enough, now I can ping everything via FQDN between domains, but when I try and establish a trust and enter the domain name of the new domain on the old domain server's Trust Wizard it says: "The Network Address is invalid".  Although from the new DC in the new domain in this same screen I can type the name of the old domain and it allows me to the next screen.  In fact, I was able to set up an External Non-Transitive Trust on the New DC to the Old Domain DCs just fine, although when I go to "Validate" this connection it errors out.
 
Tony Massa Commented:
I assume that you're using the FQDN of the domains that you're trying to set up the trust for, correct?

Do you have two single-domain forests in this scenario?  They are completely different NETBIOS domain names as well?  You don't have any trusts set up in either domain currently?
 
Tony Massa Commented:
Check this article:  http://support.microsoft.com/kb/285692

It will generate that error if one of the FSMO role holders is missing.  Just a shot.
 
ChocolateRain (Author) Commented:
Yes, the FQDNs I'm referring to are cross-domain FQDNs, not some other network.  So in my above post I'm referring to the fact that the servers in the old domain can ping "dc1.newdomain.lcl" and the server in the new domain can ping "olddc1.olddomain.com".

Both domains are resident in a forest with no other domains; they are single-domain forests.  The old and new domain names are completely different: the old one follows a "companynameglobal.com" format and the new one follows a "companyname.lcl" format.  The NETBIOS name is simply "companynameglobal", no ".com".  Both domains are without any other trust relationships.

I run "netdom query fsmo" and I see that all FSMO role holders are accounted for and up and running.
 
Tony Massa Commented:
Both NETBIOS domains are different?  And there are no other computers with the same NETBIOS name in either domain?

Can you check the output of a DCDIAG /v for any errors?
 
ChocolateRain (Author) Commented:
It looks like it failed the NCSecDesc saying "Error NET AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=Schema, CN=Configuration, DC=aimcoglobal, DC=com (Schema, Version 3)"  

There is more after that, would you like me to include it?  I believe this failed only because we haven't prepped or installed any RODCs.

There WAS a computer with the same NETBIOS name as this domain but I deleted it a few days ago when it was causing other problems.  Even though it is deleted (and no longer findable in ADUC), can it still be causing problems "beyond the grave"?


 
ChocolateRain (Author) Commented:
Well, I came in this morning, sat down and proceeded to run the Domain Trust Wizard again to see that it completed without incident.  I imagine it might have been related to the fact that we had a computer account with the same name as the new domain, but there is no way (that I know of) to tell for sure.
Question has a verified solution.
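
A pre-flight check for the two things this thread circles around, DC location through DNS and an account that shares the other domain's NetBIOS name (added example, not posted by anyone in the thread). The domain names are placeholders, and an English-language nslookup and the ActiveDirectory PowerShell module are assumed:

```powershell
# Added example (not from the thread). Run on a DC in the domain where the
# New Trust Wizard fails. Both names below are placeholders (assumptions).
Import-Module ActiveDirectory

$RemoteDnsName = 'newdomainname.lcl'   # DNS name of the other domain
$RemoteNetBIOS = 'NEWDOMAINNAME'       # its NetBIOS (flat) name, assumed

function Test-DcLocatorRecord {
    param([Parameter(Mandatory = $true)][string]$DnsDomain)
    # DC location uses SRV records under _msdcs, so a working ping by FQDN
    # (an A-record lookup) does not prove this query succeeds.
    $query  = "_ldap._tcp.dc._msdcs.$DnsDomain"
    $output = & nslookup.exe -type=SRV $query 2>&1 | Out-String
    # English-language nslookup prints "svr hostname = <dc>" per SRV answer.
    return [bool]($output -match 'svr hostname\s*=')
}

function Get-TrustNameCollision {
    param([Parameter(Mandatory = $true)][string]$NetBIOSName)
    # The account a trust creates is named "<NetBIOS name>$", the same
    # sAMAccountName a computer called <NetBIOS name> holds.
    $filter = "(sAMAccountName=$NetBIOSName`$)"
    Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects `
        -Properties sAMAccountName, isDeleted, whenChanged
}

if (-not (Test-DcLocatorRecord -DnsDomain $RemoteDnsName)) {
    Write-Warning "No DC locator SRV record resolved for $RemoteDnsName"
}

$hits = @(Get-TrustNameCollision -NetBIOSName $RemoteNetBIOS)
if ($hits.Count -eq 0) {
    Write-Output "No account named $RemoteNetBIOS`$ found in this domain."
}
foreach ($hit in $hits) {
    # isDeleted is empty for a live object and True for a tombstone.
    $state = if ($hit.isDeleted) { 'deleted (tombstone)' } else { 'live' }
    Write-Output ("{0} [{1}] {2}, changed {3}" -f $hit.sAMAccountName,
        $hit.ObjectClass, $state, $hit.whenChanged)
}
```

A warning from the first check while pings by FQDN still succeed points at the forwarder or the _msdcs records rather than at host records.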
