Windows Server 2003 and 2008 Two-Way Forest Trust Problems

Okay, so we have an old domain "DomainA" and we have been having troubles so we've decided to upgrade from Exchange 2003 to 2010 by creating a new domain "DomainB."  The new exchange and two DC's are on DomainB while everything else is still on DomainA.

Following the instructions here: for an "On-Premises" with Web access and disjointed namespace. . . . We get through configuring the disjoint namespace and begin to test by trying to ping the NetBIOS and FQDN names from one domain to another.

DomainA can ping only NetBIOS names but not the FQDN, nor can it ping the DNS suffix of DomainB. However, DomainB can ping all NetBIOS and FQDN names of DomainA.

Furthermore, when we try to establish a two-way forest trust for both domains from the PDC on DomainA in AD Domains and Trusts, I get an error that says:

"The trust relationship cannot be created because of the following error occurred:

The Local Security Authority is unable to obtain an RPC connection to the domain controller exchange.domainb.local.  Please check that the name can be resolved and that the server is available."

So, I edit the C:\Windows\system32\drivers\etc\HOSTS file to have the IP of the PDC and try again. This time I get the error:

"Cannot create both sides of the trust because a primary domain controller for the specified domain cannot be contacted.

The operation failed.  The error is:  The operation completed successfully."

So, that is what happens when trying to establish a trust from the 2003 (legacy) domain. . . . Now, when I try to establish a trust from DomainB (the 2008 domain), and the HOSTS file on DomainA's PDC is back to default, I get the following error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed. The error is: The RPC server is unavailable."

When I change the HOSTS file on the PDC for DomainA to include the IP of the PDC for DomainB and try to establish the trust from the 2008 DomainB, I get this error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The security database on the server does not have a computer account for this workstation trust relationship."

I've made sure that DNS servers on both domains have forwarders set up for the other domain and WINS is set up to replicate between ALL WINS servers on both domains. You will see in the link I gave above, I've also used ADSI Edit to make a change to msDS-AllowedDNSSuffixes on DomainA to include DomainB and vice versa.

We are basically doing all this to make the transfer to the new Exchange 2010 easier for us in IT, as we can move a few users at a time to the new domain instead of everyone at once. . . . We are considering just moving everyone at once now, as we have spent a lot of time trying to get this trust working.

viveksahu Commented:

You might want to also verify that you can actually resolve all AD-relevant records across the domain, by running nslookup across the domain for all records listed in

Start by following

Also let us know the following:

- Can you log on with an account from domainA to a member server in domainB? If not, what are the error messages? Can you log on directly to one of the domain controllers (note that this will require granting this account interactive logon privileges)?
- Can you connect via ADUC to domainA from a member server in domainB? If not, what are the error messages? Can you do this from a domain controller?
- Can you add permissions to an account in domainA to a resource while logged on to a domain controller in domainB?

Do you have any firewalls/port filtering between the two domains? If so, ensure that you open the relevant ports (


Vivek S
ParkwayIT (Author) Commented:
Okay, so I looked at my DNS Forward Lookup Zones and found that in the DomainB.local folder the _msdcs folder is empty. I was looking at the first link viveksahu gave, which says:

"After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Management Console to verify that the appropriate zones and resource records are created for each DNS zone.

"Active Directory creates its SRV records in the following folders, where Domain_Name is the name of your domain:
Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp"

How do I go about getting the _msdcs folder to contain what it should? Just create it all manually, or is there a way to get the server to generate the information?

To answer viveksahu's questions:
- The domain domainA.local could not be found because: Logon failure: unknown user name or bad password.
I think for any of the above to work there would have to be a validated trust between the two domains, right? I am not able to establish a trust.

I went through and made sure all ports listed for 2003 and 2008 server are open for the specified protocols. I also opened those needed for the clients.

. . . still looking into the troubleshooting link and the SRV DNS records. Just wanted to update my status.
ParkwayIT (Author) Commented:
netlogon.dns on domainB has the first line:
domainb.local. 600 IN A

However, the next line is the SRV as it should be.
Furthermore, when running nslookup on both domains, I get all the DCs' info correctly spelled out.

The only red flag right now is the lack of these folders:
Forward Lookup Zones/DomainB/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/DomainB/_msdcs/dc/_tcp
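As an added example (not posted by any participant in this thread), the following Python script checks the records a DC publishes in %SystemRoot%\System32\config\netlogon.dns against the standard DC-locator SRV names that live under _msdcs, i.e. the entries the DNS console shows as the _msdcs/dc/_tcp and _msdcs/dc/_sites/<site>/_tcp folders mentioned above, plus the PDC-emulator record that the "primary domain controller ... cannot be contacted" error depends on. The sample netlogon.dns content, the host dc1 and the 192.0.2.10 address are constructed; the record names and ports are the standard ones Netlogon registers.

```python
"""Report which DC-locator SRV records under _msdcs are missing from a
netlogon.dns dump. Constructed sample mirrors the thread: the zone's A
record and the plain _ldap._tcp record exist, but the _msdcs records
(the empty "_msdcs" folder) are largely absent."""
import re
from typing import Dict, List

# Constructed sample, one record per line in netlogon.dns format.
SAMPLE_NETLOGON_DNS = """\
domainb.local. 600 IN A 192.0.2.10
_ldap._tcp.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
_kerberos._tcp.domainb.local. 600 IN SRV 0 100 88 dc1.domainb.local.
_ldap._tcp.dc._msdcs.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local.
"""

# owner  TTL  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

def parse_srv_records(text: str) -> Dict[str, List[dict]]:
    """Map each SRV owner name (lower-cased, no trailing dot) to its entries."""
    records: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:  # A and other non-SRV lines are skipped
            name = m.group("name").lower().rstrip(".")
            records.setdefault(name, []).append(
                {"port": int(m.group("port")),
                 "target": m.group("target").lower().rstrip(".")})
    return records

def expected_msdcs_records(domain: str, site: str) -> Dict[str, int]:
    """Standard DC-locator SRV names under _msdcs and the port each advertises."""
    d = domain.lower().rstrip(".")
    s = site.lower()
    return {
        f"_ldap._tcp.dc._msdcs.{d}": 389,               # _msdcs/dc/_tcp
        f"_kerberos._tcp.dc._msdcs.{d}": 88,
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}": 389,    # _msdcs/dc/_sites/<site>/_tcp
        f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}": 88,
        f"_ldap._tcp.pdc._msdcs.{d}": 389,              # only the PDC emulator registers this
    }

def missing_msdcs_records(text: str, domain: str, site: str) -> List[str]:
    """Expected _msdcs names that are absent or do not advertise the expected port."""
    present = parse_srv_records(text)
    expected = expected_msdcs_records(domain, site)
    return sorted(name for name, port in expected.items()
                  if not any(r["port"] == port for r in present.get(name, [])))

if __name__ == "__main__":
    for name in missing_msdcs_records(SAMPLE_NETLOGON_DNS, "domainb.local", "Default-First-Site-Name"):
        print("missing:", name)
```

Against a real dump, an empty result means the records exist in the file; whether they are also resolvable from the other forest still has to be confirmed with nslookup as suggested above, since a DC writes netlogon.dns even when its dynamic registration into the zone fails.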
ParkwayIT (Author) Commented:
We ended up giving up on the old domain . . . we have had several problems with it (this is the reason we were moving to the new domain anyway).

Thank you for your detailed comment.