Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Trouble with cross forest trust

Posted on 2012-04-11
10
Medium Priority
?
1,127 Views
Last Modified: 2012-04-16
I have a frustrating issue I was hoping to get some help on.

The company I started working for has a cross forest trust in place. Domain1 and Domain2. It is a two-way non-transitive trust. Both domains are at a 2003 functional level. Domain1 has 4 name servers, 2 are 2003 and 2 are 2008R2. Domain2 has 2 name servers and both are 2003.

Domain1 is configured with conditional forwarders to domain2, and domain2 has forwarders for domain1.

The problem that we are having is that users in domain2 cannot access shares in domain1. When I go to the properties for the share on domain1\server, go to the security tab, add and then try to do an advanced find on domain2 i get "The following error prevented the display of any items: The specified domain either does not exist or could not be contacted."
0
Comment
Question by:Chuck Cobern
  • 5
  • 4
10 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37834591
can you validate the trust first..

Using the Windows interface
1.Open Active Directory Domains and Trusts.
2.In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
3.On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
4.Click Validate.
5.Do one of the following, and then click OK:
Click No, do not validate the incoming trust.
If you choose this option, it is recommended that you repeat this procedure for the reciprocal domain.
Click Yes, validate the incoming trust.
If you choose this option, you must type a user account and password with administrative credentials for the reciprocal domain.

http://technet.microsoft.com/en-us/library/cc737447(v=ws.10).aspx
0
 
LVL 45

Expert Comment

by:Amit
ID: 37834692
Are you able to ping any dc in each forest.
0
 

Author Comment

by:Chuck Cobern
ID: 37834726
From Domain2 (Server 2003 DC) I can validate the trust, but from Domain1 I receive the error, "Windows cannot find an Active Directory Domain Controller for the "Domain2" domain. Verify that an AD DC is available and then try again." when trying to validate from a 2008 DC, but the trust validates from a 2003 DC in the same domain.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 45

Accepted Solution

by:
Amit earned 1500 total points
ID: 37834740
Looks like to me DNS issue more. I assume ID you are using have both Domain and Enterprise admin rights.
0
 

Author Comment

by:Chuck Cobern
ID: 37834777
I can ping all DC's in both domains. If I am going to ping a DC in the remote domain I have to ping using FQDN (server1.domain2.local).  Yes the credential I am using is both domain and enterprise admin groups.
0
 
LVL 45

Expert Comment

by:Amit
ID: 37834793
0
 

Author Comment

by:Chuck Cobern
ID: 37834872
I've verified the time is the same on all DC's. Still cannot validate the trust.
0
 
LVL 45

Expert Comment

by:Amit
ID: 37837376
My Guess is firewall might be blocking ports. Download port query tool

http://www.microsoft.com/download/en/details.aspx?id=24009

Run it from both sides and compare the port result. If ports are blocked open it.
0
 

Author Comment

by:Chuck Cobern
ID: 37837480
There is no firewall between the two domains. There is a point to point connection. Weird thing is, I can validate the trust from the 2003 DC's but not from the 2008 DC.
0
 

Author Comment

by:Chuck Cobern
ID: 37853131
Ended up being a weird DNS issue.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question