Windows Server 2003 and 2008 Two-Way Forest Trust Problems

Posted on 2011-02-22
Medium Priority
Last Modified: 2012-05-11
Okay, so we have an old domain "DomainA" and we have been having troubles, so we've decided to upgrade from Exchange 2003 to 2010 by creating a new domain "DomainB."  The new Exchange and two DCs are on DomainB while everything else is still on DomainA.

Following the instructions here: http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#DeploymentCheckList/ee721947/2003 for an "On-Premises" deployment with Web access and a disjointed namespace. . . . We get through configuring the disjoint namespace and begin to test by trying to ping the NetBIOS and FQDN names from one domain to another.

DomainA can ping only NetBIOS names but not the FQDN, nor can it ping the DNS suffix of DomainB.  However, DomainB can ping all NetBIOS and FQDN names of DomainA.

Furthermore, when we try to establish a two-way forest trust for both domains from the PDC on DomainA in AD Domains and Trusts I get an error that says:

"The trust relationship cannot be created because of the following error occurred:

The Local Security Authority is unable to obtain an RPC connection to the domain controller exchange.domainb.local.  Please check that the name can be resolved and that the server is available."

So, I edit the C:\Windows\system32\drivers\etc\HOSTS file to have the IP of the PDC and try again.  This time I get the error:

"Cannot create both sides of the trust because a primary domain controller for the specified domain cannot be contacted.

The operation failed.  The error is:  The operation completed successfully."

So, that is what happens when trying to establish a trust from the 2003 (legacy) domain. . . . Now, when I try to establish a trust from domainB (the 2008 domain), and the HOSTS file on domainA's PDC is back to default, I get the following error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The RPC server is unavailable."

When I change the HOSTS file on the PDC for DomainA to include the IP of the PDC for DomainB and try to establish the trust from the 2008 DomainB I get this error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The security database on the server does not have a computer account for this workstation trust relationship."

I've made sure that DNS servers on both domains have forwarders set up for the other domain and WINS is set up to replicate between ALL WINS servers on both domains.  You will see in the link I gave above, I've also used ADSI Edit to make a change to msDS-AllowedDNSSuffixes on domainA to include domainB and vice versa.

We are basically doing all this to make the transfer to the new Exchange 2010 easier for us in IT, as we can move a few users at a time to the new domain instead of everyone at once. . . . We are considering just moving everyone at once now, as we have spent a lot of time trying to get this trust working.
Question by: ParkwayIT

Accepted Solution

viveksahu earned 2000 total points
ID: 34957519

You might want to also verify that you can actually resolve all AD-relevant records across the domain, by running nslookup across the domain for all records listed in http://support.microsoft.com/kb/816587

Start by following http://technet.microsoft.com/en-us/library/cc782773(WS.10).aspx

Also let us know the following:

- Can you log on with an account from domainA to a member server in domainB? If not, what are the error messages? Can you log on directly to one of the abc.com domain controllers (note that this will require granting this account interactive logon privileges)?
- Can you connect via ADUC to domainA from a member server in domainB? If not, what are the error messages? Can you do this from an abc.com domain controller?
- Can you add permissions for an account in domainA to a resource while logged on to a domain controller in domainB?

Do you have any firewalls/port filtering between the two domains? If so, ensure that you open the relevant ports (http://support.microsoft.com/kb/179442)


Vivek S

Author Comment

ID: 34962953
Okay, so I looked at my DNS Forward Lookup Zones and found that in the DomainB.local folder the _msdcs folder is empty.  I was looking at the first link viveksahu gave that says:

"After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Management Console to verify that the appropriate zones and resource records are created for each DNS zone.

"Active Directory creates its SRV records in the following folders, where Domain_Name is the name of your domain:
Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp"

How do I go about getting the _msdcs folder to contain what it should?  Just create it all manually or is there a way to get the server to generate the information?

To answer viveksahu's questions:
-The domain domainA.local could not be found because: Logon failure: unknown user name or bad password.
I think for any of the above to work there would have to be a validated trust between the two domains right?  I am not able to establish a trust.

I went through and made sure all ports listed for 2003 and 2008 server are open for the specified protocols.  I also opened those needed for the clients.

. . . still looking into the troubleshooting link and the SRV DNS records.  Just wanted to update my status.

Author Comment

ID: 34963212
netlogon.dns on domainB has the first line:
domainb.local. 600 IN A xxx.xxx.xxx.xxx

However, the next line is the SRV as it should be.
Furthermore, when running nslookup on both domains I get all the DCs' info correctly spelled out.

The only red flag right now is the lack of these folders:
Forward Lookup Zones/DomainB/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/DomainB/_msdcs/dc/_tcp
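The two comments above boil down to one check: does the zone for DomainB carry the DC-locator SRV records that every domain controller registers under _msdcs (the records KB 816587 lists), or is the _msdcs folder genuinely empty? The script below is an added example and is not code from this thread or from Microsoft. It parses the zone-file style lines of a DC's %SystemRoot%\System32\config\netlogon.dns (the file the second comment quotes, whose first line is the domain's A record) and reports which required _msdcs records are absent or advertise the wrong port. The sample file content, domain name, host name and 192.0.2.x address are constructed; one record has been left out of the sample on purpose so the gap report is visible.

```python
"""Check a DC's netlogon.dns for the _msdcs DC-locator SRV records."""
import re
import sys
from dataclasses import dataclass

# Constructed sample of a netlogon.dns file for one DC in the default site.
# The "_kerberos._tcp.dc._msdcs" record is deliberately missing.
SAMPLE_NETLOGON_DNS = """\
domainb.local. 600 IN A 192.0.2.10
_ldap._tcp.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
_ldap._tcp.Default-First-Site-Name._sites.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
_ldap._tcp.pdc._msdcs.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
_ldap._tcp.gc._msdcs.domainb.local. 600 IN SRV 0 100 3268 dc1.domainb.local.
_ldap._tcp.dc._msdcs.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domainb.local. 600 IN SRV 0 100 88 dc1.domainb.local.
_kerberos._tcp.domainb.local. 600 IN SRV 0 100 88 dc1.domainb.local.
_kpasswd._tcp.domainb.local. 600 IN SRV 0 100 464 dc1.domainb.local.
gc._msdcs.domainb.local. 600 IN A 192.0.2.10
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, lower-cased, no trailing dot
    priority: int
    weight: int
    port: int
    target: str    # DC host name the record points at


# One SRV line: "<owner> <ttl> IN SRV <prio> <weight> <port> <target>"
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def parse_srv_records(text):
    """Return the SRV records found in netlogon.dns text; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(
                name=m.group("name").rstrip(".").lower(),
                priority=int(m.group("prio")),
                weight=int(m.group("weight")),
                port=int(m.group("port")),
                target=m.group("target").rstrip(".").lower(),
            ))
    return records


# Records every DC registers under _msdcs, relative to the domain, with the
# port each must advertise (LDAP 389, Kerberos 88, global catalog 3268).
REQUIRED_MSDCS = {
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp.dc._msdcs": 88,
    "_ldap._tcp.pdc._msdcs": 389,
    "_ldap._tcp.gc._msdcs": 3268,
}


def check_msdcs(records, domain, site="Default-First-Site-Name"):
    """Report required _msdcs records that are missing or on the wrong port."""
    domain = domain.rstrip(".").lower()
    expected = dict(REQUIRED_MSDCS)
    # Site-specific copies of the dc._msdcs records for the DC's own site.
    expected[f"_ldap._tcp.{site.lower()}._sites.dc._msdcs"] = 389
    expected[f"_kerberos._tcp.{site.lower()}._sites.dc._msdcs"] = 88

    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)

    missing, wrong_port = [], []
    for rel, port in expected.items():
        fqdn = f"{rel}.{domain}"
        found = by_name.get(fqdn, [])
        if not found:
            missing.append(fqdn)
        elif not any(r.port == port for r in found):
            wrong_port.append(fqdn)
    return {"srv_count": len(records),
            "missing": sorted(missing),
            "wrong_port": sorted(wrong_port)}


if __name__ == "__main__":
    # Usage: python check_msdcs.py [path\to\netlogon.dns] [domain]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETLOGON_DNS
    domain = sys.argv[2] if len(sys.argv) > 2 else "domainb.local"
    result = check_msdcs(parse_srv_records(text), domain)
    print(f"{result['srv_count']} SRV records parsed")
    for name in result["missing"]:
        print(f"MISSING   {name}")
    for name in result["wrong_port"]:
        print(f"BAD PORT  {name}")
```

netlogon.dns only shows what the DC tried to register; if the file lists the records but the _msdcs folder in the DNS console is still empty, the registration itself is failing (dynamic updates or zone permissions), which is a different problem from a DC that never produced the records. Run the same check against the output of nslookup on the other domain's DNS server to confirm the records are reachable through the forwarders, since an empty _msdcs on DomainB would explain the "RPC server is unavailable" and "security database" errors the question describes.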

Author Closing Comment

ID: 35028725
We ended up giving up on the old domain . . . we have had several problems with it (this is the reason we were moving to the new domain anyway).

Thank you for your detailed comment.
