Improve company productivity with a Business Account.Sign Up


Windows Server 2003 and 2008 Two-Way Forest Trust Problems

Posted on 2011-02-22
Medium Priority
Last Modified: 2012-05-11
Okay, so we have an old domain "DomainA" and we have been having troubles so we've decided to upgrade from Exchange 2003 to 2010 by creating a new domain "DomainB."  The new exchange and two DC's are on DomainB while everything else is still on DomainA.

Following the instructions here: for a "On-Premises" with Web access and disjointed namespace. . . . We get through configuring the disjoint namespace and begin to test by trying to ping the NetBios and FQDN names from one domain to another.

DomainA can ping only NetBios names but not the FQDN nor can it ping the DNS suffix of DomainB.  However, DomainB can ping all NetBios and FQDN names of DomainA.

Furthermore, when we try and establish a forest two-way for both domains from the PDC on DomainA in AD Domains and Trusts I get an error that says:

"The trust relationship cannot be created because of the following error occured:

The Local Security Authority is unable to obtain an RPC connection to the domain controller exchange.domainb.local.  Please check that the name can be resolved and that the server is available."

So, I edit the C:\Windows\system32\drivers\etc\HOSTS file to have the IP of the PDC and try  again.  This time I get the error:

"Cannot create both sides of the trust because a primarry domain controller for the specified domain cannot be contacted.

The operation failed.  The error is:  The operation completed successfully."

So, that is what happens when trying to establish a trust from the 2003 (legacy) domain. . . . Now, when I try and establish a trust from domainB (the 2008 domain), and the HOSTS file on domainA's PDC is back to default I get the following error:

"The attempt to read the names claimed by the specified domain has failed.

The operation faild.  The error is: The RPC server is unavailable."

When I change the HOSTS file on the PDC for DomainA to include the IP of the PDC for DomainB and try and establish the trust from the 2008 DomainB I get this error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The security database on the server does not have a computer account for this workstation trust relationship."

I've made sure that DNS servers on both domains have forwarders setup for the other domain and WINS is setup to replicate between ALL WINS servers on both domains.  You will see in the link I gave above, I've also used ADSI edit to make a change to msDS-AllowedDNSSuffixes on domainA to include domainB and visa versa.

We are basically doing all this to make transfer to the new Exchange 2010 easier for us IT as we can move a few users at a time to the new domain instead of everyone at once. . . . We are considering just moving everyone at once now as we have spent a lot of time trying to get this trust working.
Question by:ParkwayIT
  • 3

Accepted Solution

viveksahu earned 2000 total points
ID: 34957519

You might want to also verify that you can actually resolve all AD relevant records across the domain - by running nslookup across the domain for all records listed in

Start by following

Also let us know the following:

- Can you log on with an account from domainA to a member server in domainB? If not what are the error messages? Can you do log on directly to one of domain controllers (note that this will require granting this account interactive logon privileges)?
- Can you connect via ADUC to domainA from a member server in domainB? If not, what are the error messages? Can you do this from an domain controller?
- Can you add permissions to an account in domainA to a resource while logged on to a domain controller in domainB?

Do you have any firewalls/port filtering between the two domains? If so, esure that you open relevant ports (


Vivek S

Author Comment

ID: 34962953
Okay, so I looked at my DNS Forward Lookup Zones and found that in the DomainB.local folder the _msdcs folder is empty.  I was looking at the first link viveksahu gave that says:

"After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Management Console to verify that the appropriate zones and resource records are created for each DNS zone.

"Active Directory creates its SRV records in the following folders, where Domain_Name is the name of your domain:
Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp "

How do I go about getting the _msdcs folder to contain what it should?  Just create it all manually or is there a way to get the server to generate the information?

To answer viveksahu's questions:
-The domain domainA.local could not be found because: Logon failure: unknown user name or bad password.
I think for any of the above to work there would have to be a validated trust between the two domains right?  I am not able to establish a trust.

I went through and made sure all ports listed for 2003 and 2008 server are open for the specified protocols.  I also opened those needed for the clients.

. . . still looking into the troubleshooting link and the SVR DNS records.  Just wanted to update my status.

Author Comment

ID: 34963212
netlogon.dns on domainB has the first line:
domainb.local. 600 IN A

However, the next line is the SRV as it should be.
Furthermore, when running nslookup on both domains I get all the DC's info correctly spelled out.

The only red flag right now is the lack of these folders:
Forward Lookup Zones/DomainB/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/DomainB/_msdcs/dc/_tcp

Author Closing Comment

ID: 35028725
We ended up giving up on the old domain . . . we have had several problems with it (this is the reason we were moving to the new domain anyway).

Thank you for your detailed comment.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Migrating Exchange data from one Exchange Server to another server is complicated. Though Exchange administrators can try manual methods to migrate their data from one version of Exchange to another, these manual methods are not that reliable. That…
In a Cross Forest, the steps to migrate users are quite complicated and even in the official articles of Technet there is no clear recommendation on which approach to take .. From an experience, I mention and simplify which way to go and how to use …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…

585 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question