The trust relationship between the primary domain and the trusted domain failed.

Posted on 2011-02-23
Last Modified: 2012-11-28
I have a trust between two forests which was working. Now if I try to access a remote folder \\10.84.1.63 I get a message "The trust relationship between the primary domain and the trusted domain failed." I also get this for web applications that are trying to look up group memberships in the trusted domain.

I've tried recreating the trust relationships.
1. nltest /dsgetdc:<mydomain> /force correctly resolves the domain controller
2. date/time is the same across all servers and workstations
3. dcdiag reports:
Starting test: SystemLog "The security system could not establish a secured connection with the server ldap/dc.mydomain.local/mydomain.local@mydomain.local. No authentication protocol was available."
4. repadmin /showrepl shows recent successful replications.

FROM ServerA.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerB.domainA.local /query - Status = 0 0x0 NERR_Success

FROM ServerB.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 0 0x0 NERR_Success

FROM 2k3.domainB.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED

FROM 2k8.domainB.local (Windows 2008)
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED


Question by:twcadmin
15 Comments
 
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 400 total points
ID: 34965607
Hi,

Try to recreate Forest Trust Relation, please check the below article
http://exchadtech.blogspot.com/2011/01/setting-up-cross-forest-trust-between.html
 
LVL 5

Author Comment

by:twcadmin
ID: 34965682
I have already tried recreating the trust relationship, and each domain controller is able to resolve a DC from the opposite domain.
Nltest /dsgetdc:domainA.local and Nltest /dsgetdc:domainB.local
both work

One thing that I have noticed is that the domain controllers are returning multiple IP addresses from FTP sites that are also running on the domain controllers, but this was the same before when I started the trust. All IP addresses are local to the network.
 
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 400 total points
ID: 34965714
If you check Active Directory Domains and Trusts and try to verify the trust relationship in both directions, what happens then?

Can you access the share locally?

 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 100 total points
ID: 34969129
Is there any chance that your two networks are running on the same IP ranges?
If yes, then you'll need to have some nifty NATing in place to ensure that there is some uniqueness.
Your DNS servers will also need to be reconfigured to host the NAT'ed IPs locally in their own zone, without querying the DNS servers in the other domains.
 
LVL 5

Author Comment

by:twcadmin
ID: 34969887
When I validate the trust I get
The secure channel (SC) verification on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.

The secure channel (SC) reset on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.
 
LVL 5

Author Comment

by:twcadmin
ID: 34969899
It then asks me if I want to reset the trust passwords, to which I click yes. It then returns "The trust has been repaired. It may take some time for the repaired information to replicate between all Active Directory Domain Controllers in each domain to reinstate the trust relationship fully."

There are only 2 DCs in each domain, and yesterday I waited a few hours for this with no luck.
 
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 400 total points
ID: 34969939
If you re-verify the trust, what happens? Also, post the trust-related errors from the application logs, and make a small AD trust diagram and post it; I will look into it.
 
LVL 5

Author Comment

by:twcadmin
ID: 34970168
Attached is the network/AD diagram in which DomainA has a one-way incoming trust with selective authentication.

Each domain is its own independent forest (e.g. DomainA.local is a single domain within its DomainA.local forest).
Forest-Trusts.png
 
LVL 5

Author Comment

by:twcadmin
ID: 34970278
@dvt_localboy:

The domains are located on two different IP ranges, 10.84.x.x /16 and 10.83.x.x /16. This was set up a few days ago and worked fine.
 
LVL 12

Expert Comment

by:Navdeep
ID: 34970562
I feel that this has something to do with your selective authentication.

Can you change to domain-wide authentication and then try? Otherwise, there is a specific way that you set up selective authentication:

# Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local domain or the local forest. This authentication setting must be enabled manually.
 
LVL 5

Author Comment

by:twcadmin
ID: 34970566
On domainA the only errors I seem to be getting are AutoEnrollment errors. I know that the DC in DomainB is a CA, but would this be the reason for failure?

EventID 13: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
 
LVL 5

Author Comment

by:twcadmin
ID: 34970578
I have tried completely removing the trusts and starting over with a new one-way domain-wide authentication trust. I cleared out the application, security, and system event logs on all DCs, and the only error I see coming up after recreating the trust is the AutoEnrollment errors.
 
LVL 5

Accepted Solution

by:twcadmin
twcadmin earned 0 total points
ID: 34971197
On a domain controller in DomainA I ran the following command from a command prompt, and the trust immediately started working again. I then changed the authentication back to selective and it still works!

netdom TRUST domainA.local /Domain:domainB.local /UserD:DomainBAdmin /PasswordD:DomainBPassword /UO:DomainAAdmin /po:DomainAPassword /reset
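Pulling together the nltest status checks from the question and the netdom reset from the accepted answer, here is an added example (not from the thread): a PowerShell helper that checks the secure channel to each trusted domain and tabulates the "Status = <n> <hex> <name>" results, plus a reset wrapper that lets netdom prompt for both passwords instead of taking them on the command line. It assumes it runs elevated on a domain controller with nltest.exe and netdom.exe on the PATH; the domain and account names are placeholders.

```powershell
# Added example (not from the thread). Assumptions: elevated session on a DC,
# nltest.exe and netdom.exe available; domain/account names are placeholders.

function Test-TrustSecureChannel {
    param([Parameter(Mandatory)][string[]]$TrustedDomain)
    foreach ($d in $TrustedDomain) {
        # nltest /sc_verify forces a secure-channel check to $d and prints one or
        # more lines ending in "Status = <dec> <hex> <symbol>", for example
        # "Status = 5 0x5 ERROR_ACCESS_DENIED" as seen throughout the question.
        $out = & nltest.exe "/sc_verify:$d" 2>&1 | Out-String -Stream
        $matches = $out | Select-String -Pattern 'Status = (\d+) 0x[0-9a-fA-F]+ (\S+)' -AllMatches
        $codes = @($matches | ForEach-Object { $_.Matches } | ForEach-Object {
            [pscustomobject]@{ Code = [int]$_.Groups[1].Value; Name = $_.Groups[2].Value }
        })
        $failed = @($codes | Where-Object { $_.Code -ne 0 })
        [pscustomobject]@{
            TrustedDomain = $d
            # Healthy only if nltest produced at least one status and none was non-zero.
            Healthy       = ($codes.Count -gt 0 -and $failed.Count -eq 0)
            # ERROR_ACCESS_DENIED on every hop while /dsgetdc and time are fine points
            # at the trust password itself, which is what the netdom reset repairs.
            Errors        = ($failed | ForEach-Object { "$($_.Code) $($_.Name)" }) -join '; '
        }
    }
}

function Reset-TrustPassword {
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,  # e.g. domainA.local (holds the incoming trust)
        [Parameter(Mandatory)][string]$TrustedDomain,   # e.g. domainB.local
        [Parameter(Mandatory)][string]$TrustingAdmin,   # admin account in $TrustingDomain
        [Parameter(Mandatory)][string]$TrustedAdmin     # admin account in $TrustedDomain
    )
    # Same operation as the accepted answer's command, but /PasswordO:* and
    # /PasswordD:* make netdom prompt, so neither password is left in shell
    # history, transcripts or the visible process command line.
    & netdom.exe trust $TrustingDomain "/Domain:$TrustedDomain" `
        "/UserO:$TrustingAdmin" '/PasswordO:*' `
        "/UserD:$TrustedAdmin"  '/PasswordD:*' /Reset
    return $LASTEXITCODE   # 0 on success
}

# Interactive usage: check, reset, then re-check.
# Test-TrustSecureChannel -TrustedDomain 'domainB.local' | Format-Table -AutoSize
# Reset-TrustPassword -TrustingDomain 'domainA.local' -TrustedDomain 'domainB.local' `
#     -TrustingAdmin 'DomainAAdmin' -TrustedAdmin 'DomainBAdmin'
# Test-TrustSecureChannel -TrustedDomain 'domainB.local' | Format-Table -AutoSize
```

Run the check from a DC on each side, as the question did with nltest /query, since a trust that verifies in one direction can still fail in the other.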
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34977499
Interesting that the rebuild of the trust didn't fix this issue.

Rebuilding the trust should also have resulted in resetting the password.
Unless you only deleted the trust from one side, and it still existed on the other domain?
 
LVL 5

Author Closing Comment

by:twcadmin
ID: 35005176
I was able to find the correct answer by resetting with NETDOM. I'm surprised that recreating the trust relationship from scratch didn't even work.