twcadmin
asked on
The trust relationship between the primary domain and the trusted domain failed.
I have a trust between two forests which was working. Now, if I try to access a remote folder (\\10.84.1.63), I get the message "The trust relationship between the primary domain and the trusted domain failed." I also get this for web applications that are trying to look up group memberships in the trusted domain.
I've tried recreating the trust relationships.
1. nltest /dsgetdc:<mydomain> /force correctly resolves the domain controller
2. Date/time is the same across all servers and workstations
3. dcdiag reports:
Starting test: SystemLog "The security system could not establish a secured connection with the server ldap/dc.mydomain.local/mydomain.local@mydomain.local. No authentication protocol was available."
4. repadmin /showrepl shows recent successful replications.
FROM ServerA.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerB.domainA.local /query - Status = 0 0x0 NERR_Success
FROM ServerB.domainA.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:2k3domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 0 0x0 NERR_Success
FROM 2k3.domainB.local (Windows 2003)
nltest /server:2k8.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
FROM 2k8.domainB.local (Windows 2008)
nltest /server:2k3.domainB.local /query - Status = 0 0x0 NERR_Success
nltest /server:ServerA.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
nltest /server:ServerB.domainA.local /query - Status = 5 0x5 ERROR_ACCESS_DENIED
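The checks listed in the question (DC locator, time, secure channel, replication) plus the trust inspection and the netdom reset that the thread later settles on, collected into one script. This is an added example written for this page, not code posted by the asker or by Experts Exchange. It assumes it is run from a domain controller in domainA.local with the RSAT ActiveDirectory module available; the domain and DC names are the placeholders used in the thread.

```powershell
# Added example (not from the original thread): run the trust diagnostics the
# asker performed by hand, from a DC in the trusting domain (domainA.local).
# Assumptions: domain/DC names below are the thread's placeholders; Get-ADTrust
# needs the ActiveDirectory module (RSAT / AD Web Services); nltest, netdom and
# w32tm are in-box tools.

$LocalDomain   = 'domainA.local'   # trusting side (resources live here)
$TrustedDomain = 'domainB.local'   # trusted side
$TrustedDCs    = @('2k3.domainB.local', '2k8.domainB.local')

function Invoke-Check {
    # Run an external tool, echo its output, return $true on exit code 0.
    param([string]$Label, [string]$Command)
    Write-Host "== $Label" -ForegroundColor Cyan
    $out = cmd.exe /c $Command 2>&1
    $out | ForEach-Object { Write-Host "   $_" }
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Label FAILED (exit $LASTEXITCODE)" }
    return ($LASTEXITCODE -eq 0)
}

# 1. DC locator: can this machine find a DC for the trusted domain at all?
$null = Invoke-Check 'DC locator' "nltest /dsgetdc:$TrustedDomain /force"

# 2. Time skew: Kerberos tolerates 5 minutes by default; a larger skew breaks
#    the secure channel before any trust-password problem is reached.
foreach ($dc in $TrustedDCs) {
    $null = Invoke-Check "Time offset vs $dc" "w32tm /stripchart /computer:$dc /samples:1 /dataonly"
}

# 3. Secure channel from this DC to the trusted domain (the step that returned
#    ERROR_ACCESS_DENIED against the 2008 DC in the thread).
$scOk = Invoke-Check 'Secure channel verify' "nltest /sc_verify:$TrustedDomain"

# 4. Trust configuration. With SelectiveAuthentication = True, trusted-side
#    users must hold "Allowed to Authenticate" on each resource computer object,
#    otherwise access fails with the same "trust relationship failed" text.
Import-Module ActiveDirectory
Get-ADTrust -Filter "Target -eq '$TrustedDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-List

# 5. Event log: surface the AutoEnrollment error (Event ID 13, 0x80070005) the
#    asker saw, so it can be correlated with the trust result.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 13 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*AutoEnrollment*' } |
    Select-Object TimeCreated, ProviderName, Message |
    Format-Table -Wrap

# 6. Repair: if the secure channel check failed, verify and then reset the
#    trust password with netdom (the fix reported at the end of the thread).
#    "*" makes netdom prompt for each password instead of taking it on the
#    command line. Placeholder admin account names; change them.
if (-not $scOk) {
    $UserA = "$LocalDomain\AdminA"     # admin in the trusting domain (placeholder)
    $UserB = "$TrustedDomain\AdminB"   # admin in the trusted domain (placeholder)
    netdom trust $LocalDomain /domain:$TrustedDomain /verify `
        /UserO:$UserA "/PasswordO:*" /UserD:$UserB "/PasswordD:*"
    netdom trust $LocalDomain /domain:$TrustedDomain /reset `
        /UserO:$UserA "/PasswordO:*" /UserD:$UserB "/PasswordD:*"
    # Re-check; with two DCs per domain the reset still has to replicate.
    $null = Invoke-Check 'Secure channel verify (after reset)' "nltest /sc_verify:$TrustedDomain"
}
```

On the 2003/2008 DCs in this thread Get-ADTrust may not be available (it needs AD Web Services); `nltest /trusted_domains` and `netdom trust ... /verify` give the same information from the in-box tools. Step 4 is the quick way to see whether the trust was created with selective authentication, which is the setting the thread's first reply points at.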
ASKER
When I validate the trust I get:
The secure channel (SC) verification on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.
The secure channel (SC) reset on Active Directory Domain Controller \\2k8.domainB.local of domain domainB.local to domain domainA.local failed with error: Access is denied.
ASKER
It then asks me if I want to reset the trust passwords, to which I click yes. It then returns "The trust has been repaired. It may take some time for the repaired information to replicate between all Active Directory Domain Controllers in each domain to reinstate the trust relationship fully."
There are only 2 DCs in each domain and yesterday I waited a few hours for this with no luck.
ASKER
Attached is the network/AD diagram in which DomainA has a one-way incoming trust with selective authentication.
Each domain is its own independent forest (e.g. DomainA.local is a single domain within its DomainA.local forest).
Forest-Trusts.png
ASKER
@dvt_localboy:
The domains are located on two different IP ranges, 10.84.x.x /16 and 10.83.x.x /16. This was set up a few days ago and worked fine.
I feel that this has something to do with your selective authentication.
Can you change to domain-wide authentication and then try? Otherwise, there is a specific way that you set up selective authentication:
Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local domain or the local forest. This authentication setting must be enabled manually.
ASKER
On domainA, the only errors I seem to be getting are AutoEnrollment errors. I know that the DC in DomainB is a CA, but would this be the reason for failure?
EventID 13: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
ASKER
I have tried completely removing the trusts and starting over with a new one-way domain-wide authentication trust. I cleared out the application, security, and system event logs on all DCs, and the only error I see coming up after recreating the trust is the AutoEnrollment errors.
Interesting that the rebuild of the trust didn't fix this issue.
Rebuilding the trust should also have resulted in resetting the password.
Unless you only deleted the trust from one side, and it still existed on the other domain?
ASKER
I was able to find the correct answer by resetting with NETDOM. I'm surprised that recreating the trust relationship from scratch didn't even work.
ASKER
Nltest /dsgetdc:domainA.local and Nltest /dsgetdc:domainB.local
both work.
One thing that I have noticed is that the domain controllers are returning multiple IP addresses from FTP sites that are also running on the domain controllers, but this was the same before, when I set up the trust. All IP addresses are local to the network.