Windows Server 2003 and 2008 Two-Way Forest Trust Problems

Posted on 2011-02-22
Last Modified: 2012-05-11
Okay, so we have an old domain "DomainA" and we have been having troubles so we've decided to upgrade from Exchange 2003 to 2010 by creating a new domain "DomainB."  The new exchange and two DC's are on DomainB while everything else is still on DomainA.

Following the instructions here: for an "On-Premises" with Web access and disjointed namespace. . . . We get through configuring the disjoint namespace and begin to test by trying to ping the NetBIOS and FQDN names from one domain to another.

DomainA can ping only NetBIOS names but not the FQDN, nor can it ping the DNS suffix of DomainB.  However, DomainB can ping all NetBIOS and FQDN names of DomainA.

Furthermore, when we try and establish a two-way forest trust for both domains from the PDC on DomainA in AD Domains and Trusts I get an error that says:

"The trust relationship cannot be created because of the following error occurred:

The Local Security Authority is unable to obtain an RPC connection to the domain controller exchange.domainb.local.  Please check that the name can be resolved and that the server is available."

So, I edit the C:\Windows\system32\drivers\etc\HOSTS file to have the IP of the PDC and try again.  This time I get the error:

"Cannot create both sides of the trust because a primary domain controller for the specified domain cannot be contacted.

The operation failed.  The error is:  The operation completed successfully."

So, that is what happens when trying to establish a trust from the 2003 (legacy) domain. . . . Now, when I try and establish a trust from domainB (the 2008 domain), and the HOSTS file on domainA's PDC is back to default I get the following error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The RPC server is unavailable."

When I change the HOSTS file on the PDC for DomainA to include the IP of the PDC for DomainB and try and establish the trust from the 2008 DomainB I get this error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The security database on the server does not have a computer account for this workstation trust relationship."

I've made sure that DNS servers on both domains have forwarders set up for the other domain and WINS is set up to replicate between ALL WINS servers on both domains.  You will see in the link I gave above, I've also used ADSI Edit to make a change to msDS-AllowedDNSSuffixes on domainA to include domainB and vice versa.

We are basically doing all this to make the transfer to the new Exchange 2010 easier for us in IT, as we can move a few users at a time to the new domain instead of everyone at once. . . . We are considering just moving everyone at once now as we have spent a lot of time trying to get this trust working.

Question by: ParkwayIT
Accepted Solution

viveksahu earned 500 total points
ID: 34957519

You might want to also verify that you can actually resolve all AD relevant records across the domain - by running nslookup across the domain for all records listed in

Start by following

Also let us know the following:

- Can you log on with an account from domainA to a member server in domainB? If not, what are the error messages? Can you log on directly to one of the domain controllers (note that this will require granting this account interactive logon privileges)?
- Can you connect via ADUC to domainA from a member server in domainB? If not, what are the error messages? Can you do this from a domain controller?
- Can you add permissions to an account in domainA to a resource while logged on to a domain controller in domainB?

Do you have any firewalls/port filtering between the two domains? If so, ensure that you open the relevant ports (


Vivek S
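The answer above asks whether firewalls or port filtering sit between the two domains. The following PowerShell script is an added example, not code from the thread or from Experts Exchange, that checks from a domain controller in one domain whether the TCP ports a forest trust depends on are reachable on a domain controller in the other. The target name `dc1.domainb.local` is a placeholder; the port list is the standard Active Directory set and is stated in the comments. It uses `System.Net.Sockets.TcpClient` rather than `Test-NetConnection` so that it also runs under the PowerShell 2.0 found on Server 2008.

```powershell
# Added example (not from the original thread): probe the TCP ports that
# trust creation and authentication between two AD domains rely on.
# Assumptions: the target below is a placeholder for a DC in the other
# domain; run this from a DC (or member server) in the first domain.
# The RPC dynamic range (TCP 1025-5000 on Server 2003, 49152-65535 on
# Server 2008) must also be open, but a single probe cannot confirm a
# range, so it is only noted here.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Wait at most $TimeoutMs for the handshake; a silent drop (firewall)
        # shows up here as a timeout rather than a refusal.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-TrustPorts {
    param([string]$Target)
    # Port / service pairs: the well-known ports used by DNS, Kerberos,
    # the RPC endpoint mapper, LDAP(S), SMB/Netlogon, Kerberos password
    # change and the global catalog.
    $ports = @(
        @(53,   'DNS'),
        @(88,   'Kerberos'),
        @(135,  'RPC endpoint mapper'),
        @(389,  'LDAP'),
        @(445,  'SMB / Netlogon'),
        @(464,  'Kerberos password change'),
        @(636,  'LDAPS'),
        @(3268, 'Global catalog'),
        @(3269, 'Global catalog (SSL)')
    )
    foreach ($entry in $ports) {
        New-Object PSObject -Property @{
            Target  = $Target
            Port    = $entry[0]
            Service = $entry[1]
            Open    = (Test-TcpPort -ComputerName $Target -Port $entry[0])
        }
    }
}

# Placeholder target: replace with the FQDN or IP of a DC in the other domain.
Test-TrustPorts -Target 'dc1.domainb.local' |
    Select-Object Target, Port, Service, Open |
    Format-Table -AutoSize
```

A port that reports `Open = False` while the DC is known to be up points at filtering between the sites; a port that is open but the trust wizard still reports "The RPC server is unavailable" usually means the endpoint mapper on 135 answered but the dynamic RPC port it handed back is blocked, which is why the dynamic range is called out in the comments.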

Author Comment

ID: 34962953
Okay, so I looked at my DNS Forward Lookup Zones and found that in the DomainB.local folder the _msdcs folder is empty.  I was looking at the first link viveksahu gave that says:

"After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Management Console to verify that the appropriate zones and resource records are created for each DNS zone.

"Active Directory creates its SRV records in the following folders, where Domain_Name is the name of your domain:
Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp "

How do I go about getting the _msdcs folder to contain what it should?  Just create it all manually or is there a way to get the server to generate the information?

To answer viveksahu's questions:
- The domain domainA.local could not be found because: Logon failure: unknown user name or bad password.
I think for any of the above to work there would have to be a validated trust between the two domains right?  I am not able to establish a trust.

I went through and made sure all ports listed for 2003 and 2008 server are open for the specified protocols.  I also opened those needed for the clients.

. . . still looking into the troubleshooting link and the SRV DNS records.  Just wanted to update my status.

Author Comment

ID: 34963212
netlogon.dns on domainB has the first line:
domainb.local. 600 IN A

However, the next line is the SRV as it should be.
Furthermore, when running nslookup on both domains I get all the DC's info correctly spelled out.

The only red flag right now is the lack of these folders:
Forward Lookup Zones/DomainB/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/DomainB/_msdcs/dc/_tcp
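The accepted answer suggests running nslookup for every AD-relevant record, and the two comments above narrow the concern to the SRV records Netlogon should have registered under `_msdcs`. The script below is an added example, not code from the thread or from Experts Exchange: it reads the list of records Netlogon expects to register from the DC's own `netlogon.dns` file and checks each one against a DNS server, reporting any that do not resolve. It assumes a host with PowerShell 3.0 or later and the DnsClient module (`Resolve-DnsName`), so on a Server 2003 or 2008 DC it would be run from a newer management workstation that can reach that DNS server; the file path and server name are placeholders.

```powershell
# Added example (not from the original thread): compare the records listed in
# a DC's netlogon.dns with what a DNS server actually returns.
# Assumptions: Resolve-DnsName is available (Windows 8 / Server 2012 or
# later); $NetlogonDns and $DnsServer are placeholders to adjust.

# Each netlogon.dns line has the shape (constructed samples, same layout as
# the real file):
#   domainb.local. 600 IN A 10.0.0.10
#   _ldap._tcp.dc._msdcs.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
$script:RecordPattern = '^(?<name>\S+)\.\s+(?<ttl>\d+)\s+IN\s+(?<type>A|SRV|CNAME)\s+(?<rdata>.+)$'

function Test-NetlogonRecords {
    param(
        [string]$Path   = "$env:SystemRoot\System32\config\netlogon.dns",
        [string]$Server = 'dc1.domainb.local'   # placeholder DNS server to query
    )
    $results = @()
    foreach ($line in Get-Content -Path $Path) {
        if ($line -notmatch $script:RecordPattern) { continue }   # skip AAAA etc.
        $name  = $Matches['name']
        $type  = $Matches['type']
        $rdata = $Matches['rdata'].Trim()
        $found = $false
        try {
            $answers = Resolve-DnsName -Name $name -Type $type -Server $Server -DnsOnly -ErrorAction Stop
            switch ($type) {
                'A' {
                    # Expected rdata is the IP address itself.
                    $found = [bool]($answers | Where-Object { $_.IPAddress -eq $rdata })
                }
                'SRV' {
                    # Expected rdata: "<priority> <weight> <port> <target>."
                    $target = ($rdata -split '\s+')[-1].TrimEnd('.')
                    $found = [bool]($answers | Where-Object { $_.NameTarget -eq $target })
                }
                'CNAME' {
                    $found = [bool]($answers | Where-Object { $_.NameHost -eq $rdata.TrimEnd('.') })
                }
            }
        } catch {
            # NXDOMAIN, SERVFAIL or an unreachable server all count as "not present".
            $found = $false
        }
        $results += [pscustomobject]@{
            Name     = $name
            Type     = $type
            Expected = $rdata
            Present  = $found
        }
    }
    return $results
}

# Report only the records that the DNS server did not return as expected.
Test-NetlogonRecords |
    Where-Object { -not $_.Present } |
    Format-Table Name, Type, Expected -AutoSize
```

Two things to keep in mind when reading the output. First, in forests created on Windows Server 2003 or later the `_msdcs` records normally live in a separate `_msdcs.<forest root>` zone rather than as a folder under the domain zone, so an empty `_msdcs` folder under `DomainB.local` in the DNS console is not by itself proof that the records are missing; the query above checks the names regardless of which zone holds them. Second, if records genuinely are missing, Netlogon re-registers them when you run `nltest /dsregdns` on the DC (or restart the Netlogon service), provided the zone accepts dynamic updates from that DC; creating them by hand is only a fallback, because manual records are not maintained by Netlogon and go stale.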

Author Closing Comment

ID: 35028725
We ended up giving up on the old domain . . . we have had several problems with it (this is the reason we were moving to the new domain anyway).

Thank you for your detailed comment.
