aideb
asked on
Domain Trust failing
I am having an issue with a trust relationship that I have created.
Overview of my network
Domain A/B
2003 forest level
root domain (A)and child domain (B) fsmo roles within datacentre (firewalled)
Domain controller for domain B (Lets call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall
Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.
DNS zone transfers successfully created between both domains
WINS replication taking place between domains.
DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets.
An incoming Trust has been established for domain C to trust domain B but appears to have since broken.
From a DC in Domain C, the trust appears OK. I am told that the trust is valid and in place.
From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange things is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from rather than the PDC with which it is able to communicate with.
Even stranger is that it seems to be OK one day and broken the next. Without anything changing everything may work tomorrow!
When I open AD users and computers from the DC in Domain B at the remote site and try connect to Domain C, I get an error;
The domain ** could not be found because: Access is denied
I have done some more investigations as it is back down again today. It was working OK yesterday and nothing has changed...
C:\Windows\system32>nltest
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
C:\Windows\system32>nltest
DC: \\s-49-4901-002.ceg.compan
Address: \\10.49.31.12
Dom Guid: 37a357fe-e492-43a2-8a1e-c0
Dom Name: ceg.company.org
Forest Name: ceg.company.org
Dc Site Name: Koeln-HQ
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
Any ideas?
It would appear to be something wrong with name resolution but everything looks OK
Overview of my network
Domain A/B
2003 forest level
root domain (A)and child domain (B) fsmo roles within datacentre (firewalled)
Domain controller for domain B (Lets call it DC3) has been created at remote site (for Domain C) in DMZ
RPC ports have been tied down to allow traffic through the firewall
Domain C
2003 domain
Firewalled from domain B with exception of the domain controller (noted as placed at remote site)
Firewall is open between PDC of Domain C and domain controller (DC3) on all ports as RPC port settings have not been applied in domain C.
DNS zone transfers successfully created between both domains
WINS replication taking place between domains.
DC3 is able to communicate on standard AD ports (with RPC restricted) to Domain C subnets.
An incoming Trust has been established for domain C to trust domain B but appears to have since broken.
From a DC in Domain C, the trust appears OK. I am told that the trust is valid and in place.
From Domain B, I am told that the trust cannot be validated as 'There are no logon servers available to service the logon request'. The strange things is that it attempts to validate the secure channel with a domain controller in domain C that it is firewalled from rather than the PDC with which it is able to communicate with.
Even stranger is that it seems to be OK one day and broken the next. Without anything changing everything may work tomorrow!
When I open AD users and computers from the DC in Domain B at the remote site and try connect to Domain C, I get an error;
The domain ** could not be found because: Access is denied
I have done some more investigations as it is back down again today. It was working OK yesterday and nothing has changed...
C:\Windows\system32>nltest
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
C:\Windows\system32>nltest
DC: \\s-49-4901-002.ceg.compan
Address: \\10.49.31.12
Dom Guid: 37a357fe-e492-43a2-8a1e-c0
Dom Name: ceg.company.org
Forest Name: ceg.company.org
Dc Site Name: Koeln-HQ
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
Any ideas?
It would appear to be something wrong with name resolution but everything looks OK
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry, I omitted to add that domains A & B are running 2008 DCs so therefore NetDiag is no longer available.
I thought about the round robin issue and tried to force the issue with setting a host file on DC3 with an entry for the domain name pointing to the DC on domain C that it is able to speak to.
Whilst when I ping ceg.company.org it resolves to the right DC, the
nltest /dsgetdc:ceg.company.org
returns a DC without connectivity...
I thought about the round robin issue and tried to force the issue with setting a host file on DC3 with an entry for the domain name pointing to the DC on domain C that it is able to speak to.
Whilst when I ping ceg.company.org it resolves to the right DC, the
nltest /dsgetdc:ceg.company.org
returns a DC without connectivity...
I've seen instances where the trust behaves erratically. Some functionality is working one day then the next it isn't.
Even verifying the trust in AD Domains and Trusts Snap-in shows everything OK.
The easist way to fix a corrupt trust, even if verification works, is to break the trust and then set it up again. I spent a whole weekend chasing Event Log errors, and finally broke and re-established the trust and worked immediately.
Even verifying the trust in AD Domains and Trusts Snap-in shows everything OK.
The easist way to fix a corrupt trust, even if verification works, is to break the trust and then set it up again. I spent a whole weekend chasing Event Log errors, and finally broke and re-established the trust and worked immediately.
ASKER
I have previously removed and then re-established the trust. It went back in place and worked not problem for a few days then started playing up again! ARRRGH!!!!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
On oneside of the trust reseting the channel gave
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
On the other side I got a succesful
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
On the other side I got a succesful
ASKER
I have uploaded a problem steps recorder.
In AD domains and trusts today it says that the trust is valid and in place (yesterday it said it was failed!)
At the command line it says no such domain.
Any help would be invaluable.
I may have to try break and re-establish the trust again if I cannot get this working reliably soon :(
trust.zip
In AD domains and trusts today it says that the trust is valid and in place (yesterday it said it was failed!)
At the command line it says no such domain.
Any help would be invaluable.
I may have to try break and re-establish the trust again if I cannot get this working reliably soon :(
trust.zip
ASKER
Issue was with firewall. Dc needs to have 389 opened to all DCs on the other domain
See here:
http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/75e6cfd9-dc72-4225-b88b-0390a15ad77b