Solved

The trust relationship between the primary domain and the trusted domain failed.

Posted on 2011-02-23
15
9,924 Views
Last Modified: 2012-11-28
I have a trust between two forests which was working. Now if I try to access a remote folder \\10.84.1.63 I get a message "The trust relationship between the primary domain and the trusted domain failed." I also get this for web applications that are trying to look up group memberships in the trusted domain.

I've tried recreating the trust relationships.
1. nltest /dsgetdc:<mydomain> /force        correctly resolves the domain controller
2. date/time is the same across all servers and workstations
3. dcdiag reports
Starting test: SystemLog "The security system could not establish a secured connection with the server ldap/dc.mydomain.local/mydomain.local@mydomain.local. No authentication protocol was available."
4. repadmin /showrepl shows recent successful replications.

FROM ServerA.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerB.domainA.local /query - Status = 0 0x0 NERR_Success

FROM ServerB.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 0 0x0 NERR_Success

FROM 2k3.domainB.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED

FROM 2k8.domainB.local (Windows 2008)
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED


Question by:twcadmin
15 Comments
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 400 total points
ID: 34965607
Hi,

Try to recreate Forest Trust Relation, please check the below article
http://exchadtech.blogspot.com/2011/01/setting-up-cross-forest-trust-between.html
LVL 5

Author Comment

by:twcadmin
ID: 34965682
I have already tried recreating the trust relationship and each domain controller is able to resolve a dc from the opposite domain
Nltest /dsgetdc:domainA.local and Nltest /dsgetdc:domainB.local
both work

One thing that I have noticed is that the domain controllers are returning multiple IP addresses from FTP sites that are also running on the domain controllers but this was the same before when I started the trust. all ip addresses are local to the network.
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 400 total points
ID: 34965714
If you check active directory domain and trust and try to verify trust relationship vice and versa what happens then.

can you access the share locally
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 100 total points
ID: 34969129
Is there any chance that your two networks are running on the same IP ranges?
If yes, then you'll need to have some nifty NATing in place to ensure that there is some uniqueness.
Your DNS servers will also need to be reconfigured to locally host the NAT'ed IPs in their own zone, without querying the DNS servers in the other domains.
LVL 5

Author Comment

by:twcadmin
ID: 34969887
When I validate the trust I get
The secure channel (SC) verification on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.

The secure channel (SC) reset on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.
LVL 5

Author Comment

by:twcadmin
ID: 34969899
It then asks me if I want to reset the trust passwords, to which I click yes. Then it returns "The trust has been repaired. It may take some time for the repaired information to replicate between all Active Directory Domain Controllers in each domain to reinstate the trust relationship fully."

There are only 2 DCs in each domain and yesterday I waited a few hours for this with no luck.
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 400 total points
ID: 34969939
If you re-verify the trust, what happens? Also, from the application logs, post the errors related to the trust, and make a small AD trust diagram and post it; I will look into it.
LVL 5

Author Comment

by:twcadmin
ID: 34970168
Attached is the network/AD diagram in which DomainA has a one-way incoming trust with selective authentication.

Each domain is its own independent forest (e.g. DomainA.local is a single domain within its DomainA.local forest).
Forest-Trusts.png
LVL 5

Author Comment

by:twcadmin
ID: 34970278
@dvt_localboy:

The domains are located on two different IP ranges, 10.84.x.x/16 and 10.83.x.x/16. This was set up a few days ago and worked fine.
LVL 12

Expert Comment

by:Navdeep
ID: 34970562
I feel that this is something to do with your selective authentication.

Can you change to domain-wide authentication and then try? Otherwise there is a specific way that you set up selective authentication:

# Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local domain or the local forest. This authentication setting must be enabled manually.
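With selective authentication, users from the trusted forest get nothing on a resource computer until the "Allowed to Authenticate" extended right is granted on that computer's AD object. The PowerShell below is an added example, not code from this thread: it grants that right to a group from the trusted forest on one computer object and then reads the ACL back to confirm it. The computer DN (CN=ServerA,OU=Servers,DC=domainA,DC=local) and the group name (DOMAINB\FileShareUsers) are assumptions chosen to match the thread's placeholder names; the GUID is the schema rightsGuid of the Allowed-To-Authenticate control access right.

```powershell
# Added example (not from the thread): grant "Allowed to Authenticate" on a
# resource computer object for a group from the trusted forest, as required by
# a selective-authentication trust, then verify the ACE is present.
# Run on a DC (or RSAT host) in the resource forest with rights to edit the object.

$computerDn = 'CN=ServerA,OU=Servers,DC=domainA,DC=local'  # assumed resource computer
$grantee    = 'DOMAINB\FileShareUsers'                      # assumed group in the trusted forest

# rightsGuid of the Allowed-To-Authenticate extended right in the AD schema.
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Resolve the trusted-forest group to a SID. This lookup itself traverses the
# trust, so a failure here usually means the trust, not the ACL, is the problem.
$sid = (New-Object System.Security.Principal.NTAccount($grantee)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$entry = [adsi]"LDAP://$computerDn"

# Build an object-specific ACE: Allow, ExtendedRight, limited to this one right.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)

$entry.ObjectSecurity.AddAccessRule($ace)
$entry.CommitChanges()

# Read the DACL back and show only ACEs for this extended right, so you can see
# exactly which foreign principals may authenticate to this computer.
$entry.ObjectSecurity.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Grant the right to a group rather than to individual users, and only on the computers that should serve the trusted forest; the whole point of selective authentication is that everything else in the resource forest stays closed to it.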
LVL 5

Author Comment

by:twcadmin
ID: 34970566
on domainA the only errors I seem to be getting are AutoEnrollment errors. I know that the DC in DomainB is a CA but would this be the reason for failure?

EventID 13: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.
LVL 5

Author Comment

by:twcadmin
ID: 34970578
I have tried completely removing the trusts and starting over with a new one-way domain-wide authentication trust. I cleared out the application, security, and system event logs on all DCs, and the only error I see coming up after recreating the trust is the AutoEnrollment errors.
LVL 5

Accepted Solution

by:
twcadmin earned 0 total points
ID: 34971197
On a domain controller in DomainA I ran the following command from a command prompt and the trust immediately started working again. I then changed the authentication back to selective and it still works!

netdom TRUST domainA.local /Domain:domainB.local /UserD:DomainBAdmin /PasswordD:DomainBPassword /UO:DomainAAdmin /po:DomainAPassword /reset
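The accepted fix resets the trust password on the trusted domain object from the trusting side. The script below is an added example, not part of the thread: it first runs the same per-DC secure-channel check the author did by hand (nltest /sc_verify against each DC of the local domain, which both checks and re-establishes that DC's secure channel to the other forest), shows the trust object as this forest sees it, and only then runs the netdom reset if any DC still fails. Host and domain names (domainA.local, domainB.local, ServerA, ServerB, DomainAAdmin, DomainBAdmin) are the thread's placeholders and are assumptions here. The one deliberate change from the thread's command line is the use of "*" for both passwords, which makes netdom prompt instead of leaving admin passwords from two forests in shell history and process listings.

```powershell
# Added example (not from the thread): verify each local DC's secure channel to
# the trusted forest, show the trust object, and reset the trust password with
# netdom only if verification fails. Names below are assumed placeholders.
param(
    [string]$LocalDomain   = 'domainA.local',                               # trusting domain (assumed)
    [string]$TrustedDomain = 'domainB.local',                               # trusted domain (assumed)
    [string[]]$LocalDcs    = @('ServerA.domainA.local','ServerB.domainA.local'),  # assumed DC names
    [switch]$Reset
)

function Test-TrustSecureChannel {
    param([string]$Dc, [string]$Domain)
    # nltest /sc_verify reports "Trusted DC Name", a Status line and
    # "The command completed successfully" when the channel to $Domain is good;
    # on failure it prints e.g. "Status = 5 0x5 ERROR_ACCESS_DENIED".
    $out = & nltest.exe "/server:$Dc" "/sc_verify:$Domain" 2>&1 | Out-String
    $ok  = ($LASTEXITCODE -eq 0) -and ($out -match 'completed successfully')
    [pscustomobject]@{
        DC       = $Dc
        Domain   = $Domain
        Verified = $ok
        Detail   = (($out -split "`r?`n") | Where-Object { $_ -match 'Trusted DC|Status|Error' }) -join '; '
    }
}

# Same matrix the author built by hand, one row per local DC.
$results = foreach ($dc in $LocalDcs) { Test-TrustSecureChannel -Dc $dc -Domain $TrustedDomain }
$results | Format-Table -AutoSize

# How this forest sees the trust (direction, type, selective authentication).
# Needs the RSAT ActiveDirectory module; skipped silently if it is absent.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -ErrorAction SilentlyContinue |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Format-List

if ($Reset -and ($results | Where-Object { -not $_.Verified })) {
    # Reset the trust password from a DC of the trusting (local) domain.
    # '*' makes netdom prompt for each password rather than taking it from the
    # command line. Account names are assumed placeholders from the thread.
    & netdom.exe trust $LocalDomain "/Domain:$TrustedDomain" `
        '/UserD:DomainBAdmin' '/PasswordD:*' '/UO:DomainAAdmin' '/PO:*' '/reset'
    if ($LASTEXITCODE -ne 0) { throw "netdom trust /reset failed with exit code $LASTEXITCODE" }

    # Re-check every DC; a reset only helps once each side has the new secret.
    $after = foreach ($dc in $LocalDcs) { Test-TrustSecureChannel -Dc $dc -Domain $TrustedDomain }
    $after | Format-Table -AutoSize
}
```

Run it first without -Reset to get the verification matrix; run it with -Reset only from a DC in the trusting domain, with accounts that are Domain Admins (or equivalent) in their respective forests, since the reset rewrites the shared trust secret on both sides.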
LVL 26

Expert Comment

by:Leon Fester
ID: 34977499
Interesting that the rebuild of the trust didn't fix this issue.

Rebuilding the trust should also have resulted in resetting the password.
Unless you only deleted the trust from one side, and it still existed on the other domain?
LVL 5

Author Closing Comment

by:twcadmin
ID: 35005176
I was able to find the correct answer by resetting with NETDOM. I'm surprised that recreating the trust relationship from scratch didn't even work.
