Solved

Trouble with cross forest trust

Posted on 2012-04-11
10
1,089 Views
Last Modified: 2012-04-16
I have a frustrating issue I was hoping to get some help on.

The company I started working for has a cross forest trust in place. Domain1 and Domain2. It is a two-way non-transitive trust. Both domains are at a 2003 functional level. Domain1 has 4 name servers, 2 are 2003 and 2 are 2008R2. Domain2 has 2 name servers and both are 2003.

Domain1 is configured with conditional forwarders to domain2, and domain2 has forwarders for domain1.

The problem that we are having is that users in domain2 cannot access shares in domain1. When I go to the properties for the share on domain1\server, go to the security tab, add and then try to do an advanced find on domain2 i get "The following error prevented the display of any items: The specified domain either does not exist or could not be contacted."
0
Comment
Question by:Chuck Cobern
  • 5
  • 4
10 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37834591
can you validate the trust first..

Using the Windows interface
1.Open Active Directory Domains and Trusts.
2.In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
3.On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
4.Click Validate.
5.Do one of the following, and then click OK:
Click No, do not validate the incoming trust.
If you choose this option, it is recommended that you repeat this procedure for the reciprocal domain.
Click Yes, validate the incoming trust.
If you choose this option, you must type a user account and password with administrative credentials for the reciprocal domain.

http://technet.microsoft.com/en-us/library/cc737447(v=ws.10).aspx
0
 
LVL 41

Expert Comment

by:Amit
ID: 37834692
Are you able to ping any dc in each forest.
0
 

Author Comment

by:Chuck Cobern
ID: 37834726
From Domain2 (Server 2003 DC) I can validate the trust, but from Domain1 I receive the error, "Windows cannot find an Active Directory Domain Controller for the "Domain2" domain. Verify that an AD DC is available and then try again." when trying to validate from a 2008 DC, but the trust validates from a 2003 DC in the same domain.
0
 
LVL 41

Accepted Solution

by:
Amit earned 500 total points
ID: 37834740
Looks like to me DNS issue more. I assume ID you are using have both Domain and Enterprise admin rights.
0
 

Author Comment

by:Chuck Cobern
ID: 37834777
I can ping all DC's in both domains. If I am going to ping a DC in the remote domain I have to ping using FQDN (server1.domain2.local).  Yes the credential I am using is both domain and enterprise admin groups.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 41

Expert Comment

by:Amit
ID: 37834793
0
 

Author Comment

by:Chuck Cobern
ID: 37834872
I've verified the time is the same on all DC's. Still cannot validate the trust.
0
 
LVL 41

Expert Comment

by:Amit
ID: 37837376
My Guess is firewall might be blocking ports. Download port query tool

http://www.microsoft.com/download/en/details.aspx?id=24009

Run it from both sides and compare the port result. If ports are blocked open it.
0
 

Author Comment

by:Chuck Cobern
ID: 37837480
There is no firewall between the two domains. There is a point to point connection. Weird thing is, I can validate the trust from the 2003 DC's but not from the 2008 DC.
0
 

Author Comment

by:Chuck Cobern
ID: 37853131
Ended up being a weird DNS issue.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now