Windows Server 2003 and 2008 Two-Way Forest Trust Problems

Posted on 2011-02-22
Last Modified: 2012-05-11
Okay, so we have an old domain "DomainA" and we have been having troubles, so we've decided to upgrade from Exchange 2003 to 2010 by creating a new domain "DomainB".  The new Exchange server and two DCs are on DomainB while everything else is still on DomainA.

Following the instructions here: http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#DeploymentCheckList/ee721947/2003 for an "On-Premises" deployment with Web access and a disjointed namespace. . . . We get through configuring the disjoint namespace and begin to test by trying to ping the NetBIOS and FQDN names from one domain to another.

DomainA can ping only NetBIOS names but not the FQDNs, nor can it ping the DNS suffix of DomainB.  However, DomainB can ping all NetBIOS and FQDN names of DomainA.

Furthermore, when we try to establish a two-way forest trust for both domains from the PDC on DomainA in AD Domains and Trusts I get an error that says:

"The trust relationship cannot be created because the following error occurred:

The Local Security Authority is unable to obtain an RPC connection to the domain controller exchange.domainb.local.  Please check that the name can be resolved and that the server is available."

So, I edit the C:\Windows\system32\drivers\etc\HOSTS file to have the IP of the PDC and try again.  This time I get the error:

"Cannot create both sides of the trust because a primary domain controller for the specified domain cannot be contacted.

The operation failed.  The error is:  The operation completed successfully."

So, that is what happens when trying to establish a trust from the 2003 (legacy) domain. . . . Now, when I try to establish a trust from DomainB (the 2008 domain), with the HOSTS file on DomainA's PDC back to default, I get the following error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The RPC server is unavailable."

When I change the HOSTS file on the PDC for DomainA to include the IP of the PDC for DomainB and try to establish the trust from the 2008 DomainB, I get this error:

"The attempt to read the names claimed by the specified domain has failed.

The operation failed.  The error is: The security database on the server does not have a computer account for this workstation trust relationship."

I've made sure that the DNS servers on both domains have forwarders set up for the other domain and that WINS is set up to replicate between ALL WINS servers on both domains.  As you will see in the link I gave above, I've also used ADSI Edit to change msDS-AllowedDNSSuffixes on DomainA to include DomainB and vice versa.

We are basically doing all this to make the transfer to the new Exchange 2010 easier for us in IT, as we can move a few users at a time to the new domain instead of everyone at once. . . . We are considering just moving everyone at once now, as we have spent a lot of time trying to get this trust working.
Question by:ParkwayIT
4 Comments
 
LVL 7

Accepted Solution

by:
viveksahu earned 500 total points
ID: 34957519
Hi,

You might want to also verify that you can actually resolve all AD-relevant records across the domain, by running nslookup across the domain for all records listed in http://support.microsoft.com/kb/816587

Start by following http://technet.microsoft.com/en-us/library/cc782773(WS.10).aspx

Also let us know the following:

- Can you log on with an account from domainA to a member server in domainB? If not, what are the error messages? Can you log on directly to one of the abc.com domain controllers (note that this will require granting this account interactive logon privileges)?
- Can you connect via ADUC to domainA from a member server in domainB? If not, what are the error messages? Can you do this from an abc.com domain controller?
- Can you add permissions for an account in domainA to a resource while logged on to a domain controller in domainB?

Do you have any firewalls/port filtering between the two domains? If so, ensure that you open the relevant ports (http://support.microsoft.com/kb/179442)


Regards

Vivek S
Author Comment

by:ParkwayIT
ID: 34962953
Okay, so I looked at my DNS Forward Lookup Zones and found that in the DomainB.local folder the _msdcs folder is empty.  I was looking at the first link viveksahu gave, which says:

"After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Management Console to verify that the appropriate zones and resource records are created for each DNS zone.

"Active Directory creates its SRV records in the following folders, where Domain_Name is the name of your domain:
Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp"

How do I go about getting the _msdcs folder to contain what it should?  Do I just create it all manually, or is there a way to get the server to generate the information?

To answer viveksahu's questions:
- No
- The domain domainA.local could not be found because: Logon failure: unknown user name or bad password.
- No
I think for any of the above to work there would have to be a validated trust between the two domains, right?  I am not able to establish a trust.

I went through and made sure all ports listed for 2003 and 2008 server are open for the specified protocols.  I also opened those needed for the clients.

. . . still looking into the troubleshooting link and the SRV DNS records.  Just wanted to update my status.
Author Comment

by:ParkwayIT
ID: 34963212
netlogon.dns on domainB has the first line:
domainb.local. 600 IN A xxx.xxx.xxx.xxx

However, the next line is the SRV record, as it should be.
Furthermore, when running nslookup on both domains I get all the DCs' info correctly spelled out.

The only red flag right now is the lack of these folders:
Forward Lookup Zones/DomainB/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/DomainB/_msdcs/dc/_tcp
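The accepted answer asks for every AD record to be resolved across the domain, and the comments above find the _msdcs folder empty while netlogon.dns lists the records the DC wants. The following PowerShell script is an added example (not posted in this thread): it reads this DC's netlogon.dns and asks a DNS server, normally one in the other forest, whether each record resolves, so forwarder gaps and missing _msdcs SRV records show up in one table. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; the DNS server address is a placeholder.

```powershell
# Added example, not code from the thread. Compare the records this DC wants
# registered (netlogon.dns) against what a DNS server actually answers.
# Assumes Windows 8 / Server 2012 or later (Resolve-DnsName).
param(
    [string]$NetlogonDns = "$env:SystemRoot\System32\config\netlogon.dns",
    [string]$DnsServer   = '192.0.2.10'   # placeholder: a DNS server in the OTHER forest
)

function Get-NetlogonRecords([string]$Path) {
    # Each line is "<name> <ttl> IN <type> <data ...>", e.g.
    # "_ldap._tcp.pdc._msdcs.domainb.local. 600 IN SRV 0 100 389 dc1.domainb.local."
    Get-Content $Path | Where-Object { $_ -match '^\S+\s+\d+\s+IN\s+\S+\s+' } | ForEach-Object {
        $f = $_ -split '\s+'
        [pscustomobject]@{
            Name   = $f[0].TrimEnd('.')
            Type   = $f[3]
            Target = $f[-1].TrimEnd('.')   # host for SRV/CNAME, address for A/AAAA
        }
    }
}

function Test-RecordFromServer($Record, [string]$Server) {
    try {
        $ans = Resolve-DnsName -Name $Record.Name -Type $Record.Type -Server $Server -DnsOnly -ErrorAction Stop
    } catch { return 'NXDOMAIN/timeout' }
    # SRV answers carry extra A records in the additional section; keep only the asked type.
    $ans  = $ans | Where-Object { $_.Type -eq $Record.Type }
    $seen = switch ($Record.Type) {
        'SRV'   { $ans.NameTarget | ForEach-Object { $_.TrimEnd('.') } }
        'CNAME' { $ans.NameHost   | ForEach-Object { $_.TrimEnd('.') } }
        default { $ans.IPAddress }
    }
    if ($seen -contains $Record.Target) { 'OK' } else { "mismatch: got $($seen -join ',')" }
}

$results = Get-NetlogonRecords $NetlogonDns | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; Type = $_.Type; Result = Test-RecordFromServer $_ $DnsServer }
}
$results | Format-Table -AutoSize

# The _msdcs records (DC and PDC locator) are the ones the trust wizard depends on.
$bad = @($results | Where-Object { $_.Result -ne 'OK' })
"$($bad.Count) of $(@($results).Count) records not served correctly by $DnsServer"
$bad | Where-Object { $_.Name -like '*_msdcs*' } | Format-Table -AutoSize
```

Run it on a DomainB DC with the DomainA DNS server as -DnsServer (and vice versa); any _msdcs row that is not OK points at either missing registration on the home side or a forwarder that does not reach it.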
Author Closing Comment

by:ParkwayIT
ID: 35028725
We ended up giving up on the old domain . . . we have had several problems with it (this is the reason we were moving to the new domain anyway).

Thank you for your detailed comment.