• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 12003

The trust relationship between the primary domain and the trusted domain failed.

I have a trust between two forests which was working. Now if I try to access a remote folder \\10.84.1.63  I get a message "The trust relationship between the primary domain and the trusted domain failed."  I also get this for web applications that are trying to lookup group memberships in the trusted domain.

I've tried recreating the trust relationships.
1. nltest /dsgetdc:<mydomain> /force        correctly resolves the domain controller
2. Date/time is the same across all servers and workstations.
3. dcdiag reports:
Starting test: SystemLog "The security system could not establish a secured connection with the server ldap/dc.mydomain.local/mydomain.local@mydomain.local. No authentication protocol was available."
4. repadmin /showrepl shows recent successful replications.

FROM ServerA.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerB.domainA.local /query - Status = 0 0x0 NERR_Success

FROM ServerB.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 0 0x0 NERR_Success

FROM 2k3.domainB.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED

FROM 2k8.domainB.local (Windows 2008)
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED


Navdeep commented:
Hi,

Try to recreate Forest Trust Relation, please check the below article
http://exchadtech.blogspot.com/2011/01/setting-up-cross-forest-trust-between.html

twcadmin (Author) commented:
I have already tried recreating the trust relationship, and each domain controller is able to resolve a DC from the opposite domain.
Nltest /dsgetdc:domainA.local and Nltest /dsgetdc:domainB.local
both work

One thing that I have noticed is that the domain controllers are returning multiple IP addresses from FTP sites that are also running on the domain controllers, but this was the same before, when I started the trust. All IP addresses are local to the network.

Navdeep commented:
If you check Active Directory Domains and Trusts and try to verify the trust relationship in both directions, what happens then?

Can you access the share locally?

Leon Fester (IT Project Change Manager) commented:
Is there any chance that your two networks are running on the same IP ranges?
If yes, then you'll need to have some nifty NATting in place to ensure that there is some uniqueness.
Your DNS servers will also need to be reconfigured to locally host the NAT'ed IPs in their own zone, without querying the DNS servers in the other domains.

twcadmin (Author) commented:
When I validate the trust I get
The secure channel (SC) verification on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.

The secure channel (SC) reset on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.

twcadmin (Author) commented:
It then asks me if I want to reset the trust passwords, to which I click yes. It then returns "The trust has been repaired. It may take some time for the repaired information to replicate between all Active Directory Domain Controllers in each domain to reinstate the trust relationship fully."

There are only 2 DCs in each domain and yesterday I waited a few hours for this with no luck.

Navdeep commented:
If you re-verify the trust, what happens? Also, post the trust-related errors from the application logs, make a small AD trust diagram and post it; I will look into it.

twcadmin (Author) commented:
Attached is the network/AD diagram in which DomainA has a one-way incoming trust with selective authentication.

Each domain is its own independent forest (e.g. DomainA.local is a single domain within its DomainA.local forest).
Forest-Trusts.png

twcadmin (Author) commented:
@dvt_localboy:

The domains are located on two different IP ranges, 10.84.x.x /16 and 10.83.x.x /16. This was set up a few days ago and worked fine.

Navdeep commented:
I feel that this has something to do with your selective authentication.

Can you change to domain-wide authentication and then try? Otherwise, there is a specific way that you set selective authentication:

Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local domain or the local forest. This authentication setting must be enabled manually.

twcadmin (Author) commented:
On domainA the only errors I seem to be getting are AutoEnrollment errors. I know that the DC in DomainB is a CA, but would this be the reason for failure?

EventID 13: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.

twcadmin (Author) commented:
I have tried completely removing the trusts and starting over with a new one-way domain-wide authentication trust. I cleared out the application, security, and system event logs on all DCs, and the only error I see coming up after recreating the trust is the AutoEnrollment errors.

twcadmin (Author) commented:
On a domain controller in DomainA I ran the following command from a command prompt, and the trust immediately started working again. I then changed the authentication back to selective, and it still works!

netdom TRUST domainA.local /Domain:domainB.local /UserD:DomainBAdmin /PasswordD:DomainBPassword /UO:DomainAAdmin /po:DomainAPassword /reset

Leon Fester (IT Project Change Manager) commented:
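A PowerShell wrapper, added here and not part of the thread, that automates the secure-channel check the author ran with nltest on each DC in domainA (the per-server matrix in the question) and, if any DC reports ERROR_ACCESS_DENIED against the trusted domain, performs the same netdom trust /reset given in the comment above, with passwords prompted for via netdom's `*` form instead of typed on the command line. The DC and domain names are taken from the thread, and the admin account names are placeholders; all of them are assumptions to replace for a real environment.

```powershell
# Added example, not from the original thread. Assumes it runs on a DC in domainA.local
# with nltest.exe and netdom.exe available, as a domainA administrator.
$TrustingDomain     = 'domainA.local'
$TrustedDomain      = 'domainB.local'
$DomainControllers  = @('ServerA.domainA.local', 'ServerB.domainA.local')
$TrustedDomainAdmin = 'DomainBAdmin'   # placeholder account in the trusted domain
$TrustingDomainAdmin = 'DomainAAdmin'  # placeholder account in the trusting domain

function Test-TrustSecureChannel {
    param([string]$Server, [string]$Domain)
    # nltest /sc_query reports the status of the secure channel that $Server holds
    # to $Domain; ERROR_ACCESS_DENIED here is the symptom seen in the thread.
    $out = & nltest.exe "/server:$Server" "/sc_query:$Domain" 2>&1 | Out-String
    $healthy = ($out -match 'NERR_Success') -and ($out -notmatch 'ERROR_ACCESS_DENIED')
    [pscustomobject]@{
        Server  = $Server
        Domain  = $Domain
        Healthy = $healthy
        Output  = $out.Trim()
    }
}

$results = foreach ($dc in $DomainControllers) {
    Test-TrustSecureChannel -Server $dc -Domain $TrustedDomain
}
$results | Format-Table Server, Domain, Healthy -AutoSize

if ($results | Where-Object { -not $_.Healthy }) {
    Write-Host "Secure channel to $TrustedDomain failed on at least one DC; resetting trust password."
    # Trusting domain first, /Domain: names the trusted domain. The '*' password form makes
    # netdom prompt, so no password lands in shell history or a process listing.
    & netdom.exe trust $TrustingDomain "/Domain:$TrustedDomain" `
        "/UserD:$TrustedDomainAdmin"  '/PasswordD:*' `
        "/UO:$TrustingDomainAdmin"    '/PO:*' `
        /reset
    if ($LASTEXITCODE -ne 0) { throw "netdom trust /reset failed with exit code $LASTEXITCODE" }

    # Re-check every DC after the reset; replication between the two DCs may take a moment.
    foreach ($dc in $DomainControllers) {
        Test-TrustSecureChannel -Server $dc -Domain $TrustedDomain
    } | Format-Table Server, Domain, Healthy -AutoSize
}
```

Run it once from each domain that holds a side of the trust (swap the domain variables for the domainB side), since the thread shows the failure only from the 2k8 DC in domainB.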
Interesting that the rebuild of the trust didn't fix this issue.

Rebuilding the trust should also have resulted in resetting the password.
Unless you only deleted the trust from one side, and it still existed on the other domain?

twcadmin (Author) commented:
I was able to find the correct answer by resetting with NETDOM. I'm surprised that recreating the trust relationship from scratch didn't even work.