education-dynamics

asked on

Trusting Domains Issue

I am trying to create a trust between 2 domains.  Here is what I am working with...

DomainA
   Server 2003 R2
   Domain function level = Server2003
   Has forward lookup zone for DomainB which contains A records for DCs in DomainB
   Is able to ping DomainB by hostname
   When I run nltest /dsgetdc:DomainB I get the following error...
          DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


DomainB
   Server 2008 R2
   Domain function level = Server2003 (second domain controller is running Server 2003)
   Has forward lookup zone for DomainA which contains A records for DCs in DomainA
   Is able to ping DomainA by hostname
   When I run nltest /dsgetdc:DomainA I get the following error...
          DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


When I try to create the trust from either domain controller in DomainA or DomainB, I get the following error...

"The trust relationship cannot be created because the following error occurred:
 
  Either the domain does not exist, or network or other problems are preventing  
  connection."


I tried configuring forwarders in each domain to the other to no avail. Any help would be appreciated.
Mike Kline

Do you have firewalls between the two? Check your ports: http://support.microsoft.com/kb/179442

Sounds like DNS is set up OK.

Thanks

Mike
education-dynamics (ASKER)

Both firewalls are disabled.
Instead of forward lookup zones, enable zone transfer on the domain DNS zone of both domains and map it as a secondary zone in both domains, vice versa.
Flush the DNS cache by running ipconfig /flushdns and dnscmd /clearcache at both domains.
Please try building the trust now. If the issue still persists,
enable zone transfer on the "_msdcs.domain.com" zone as well at each domain and map them as secondary zones at both domains, vice versa.
Again flush the DNS cache by running ipconfig /flushdns and dnscmd /clearcache at both domains.
Please try building the trust now. It should work.
I will try and post back. Thanks
I forgot that I already have this set up as well. I tried doing this before posting to see if this would work. See attachments.

On the 1st screen-shot... should I specify the servers instead?
trust1.png
trust2.png
You have mentioned in your question that you have forward lookup zones for the opposite domains?
My suggestion is to delete the forward lookup zones for the opposite domains and create secondary zones instead for the domain DNS zone and _msdcs.domain.com, vice versa.
If the above fails, then
alternatively you can create conditional forwarding for both domains, vice versa.
Also download PortQueryUI from Microsoft and check if the AD authentication ports are open from both ends.

Thanks
This is the result of the portquery. Does this mean port 42 is not open? If so, how is that possible since both firewalls are off?



Starting portqry.exe -n srvdc1-ofy.ofy.org -e 42 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP exits with return code 0x00000001.
It seems to be name resolution or a necessary port not open for domain and trust. If you are creating a forest trust, ensure the parameters below.

To create the trust you have to prepare DNS to resolve the other domain name properly. Use a conditional forwarder or a secondary or stub zone.
http://www.windowsnetworking.com/art...tub_Zones.html

Have you created forwarders or a secondary zone for name resolution? If the secondary zone is created, check whether the zone loads correctly. If you have created the same then create and check.

Checklist: Creating a forest trust
http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx 

How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

Portquery is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

TCP Port 42 (WINS) is not required by 2003 \ 2008 domain controllers.
Since you have not installed the WINS service on either domain controller, you cannot telnet. There is nothing wrong with that.
Please download PortQueryUI from Microsoft and check all AD ports with the GUI:
http://www.microsoft.com/en-us/download/details.aspx?id=24009
Can you please post the PortQueryUI results?
Thanks
Here is the output...

=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 135 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:


Total endpoints found: 215



==== End of RPC Endpoint Mapper query response ====
portqry.exe -n srvdc1.mydomain.com -e 135 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 389 -p BOTH ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 11/19/2013 15:01:50 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
namingContexts: DC=mydomain,DC=com
defaultNamingContext: DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=mydomain,DC=com
rootDomainNamingContext: DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 25364149
supportedSASLMechanisms: GSSAPI
dnsHostName: srvdc1.mydomain.com
ldapServiceName: mydomain.com:srvdc1$@mydomain.com
serverName: CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 4


======== End of LDAP query response ========

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 11/19/2013 15:01:54 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
namingContexts: DC=mydomain,DC=com
defaultNamingContext: DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=mydomain,DC=com
rootDomainNamingContext: DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 25364149
supportedSASLMechanisms: GSSAPI
dnsHostName: srvdc1.mydomain.com
ldapServiceName: mydomain.com:srvdc1$@mydomain.com
serverName: CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 4


======== End of LDAP query response ========

UDP port 389 is LISTENING

portqry.exe -n srvdc1.mydomain.com -e 389 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 636 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 636 (ldaps service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 636 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 3268 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 3268 (msft-gc service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 11/19/2013 15:01:54 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
namingContexts: DC=mydomain,DC=com
defaultNamingContext: DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=mydomain,DC=com
rootDomainNamingContext: DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 25364149
supportedSASLMechanisms: GSSAPI
dnsHostName: srvdc1.mydomain.com
ldapServiceName: mydomain.com:srvdc1$@mydomain.com
serverName: CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 4


======== End of LDAP query response ========
portqry.exe -n srvdc1.mydomain.com -e 3268 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 3269 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 3269 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 53 -p BOTH ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 53 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 88 -p BOTH ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 88 (kerberos service): LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n srvdc1.mydomain.com -e 88 -p BOTH exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 445 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 445 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 137 -p UDP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...


Name resolved to 10.60.0.33

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address b8ac6f94eb7e
UDP port: LISTENING
portqry.exe -n srvdc1.mydomain.com -e 137 -p UDP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 138 -p UDP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...


Name resolved to 10.60.0.33

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n srvdc1.mydomain.com -e 138 -p UDP exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 139 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 139 (netbios-ssn service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 139 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP exits with return code 0x00000001.
PortQuery results are satisfactory.

Please check whether you have reverse lookup zones for both domain controllers' IP subnets, vice versa.
If not, please create them at both domains and create PTR records as well,
then flush the DNS cache again on both sides and try recreating the trust, please.

Thanks
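
An added example, not part of the thread and not Microsoft code: a small Python parser for portqry text output like that posted above, separating ports confirmed LISTENING from UDP ports that portqry left at "LISTENING or FILTERED". The sample text is constructed and abridged from the thread's output, the function names are hypothetical, and treating TCP 42 as optional is an assumption taken from the answer above that WINS is not required.

```python
import re

# Constructed sample, abridged from the kind of portqry output posted in the thread.
SAMPLE = """\
 Starting portqry.exe -n srvdc1.mydomain.com -e 389 -p BOTH ...
TCP port 389 (ldap service): LISTENING
UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...
UDP port 389 is LISTENING
 Starting portqry.exe -n srvdc1.mydomain.com -e 88 -p BOTH ...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
 Starting portqry.exe -n srvdc1.mydomain.com -e 137 -p UDP ...
UDP port 137 (netbios-ns service): LISTENING or FILTERED
Attempting NETBIOS adapter status query to UDP port 137...
UDP port: LISTENING
 Starting portqry.exe -n srvdc1.mydomain.com -e 138 -p UDP ...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
 Starting portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP ...
TCP port 42 (nameserver service): NOT LISTENING
"""

# "TCP port 389 (ldap service): LISTENING" and its variants.
STATUS_RE = re.compile(
    r"^(TCP|UDP) port (\d+) \(([^)]*)\): "
    r"(LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)$"
)
# Follow-up lines printed after an application-level probe got a reply:
# "UDP port 389 is LISTENING" or "UDP port: LISTENING".
CONFIRM_RE = re.compile(r"^UDP port(?: (\d+) is|:) LISTENING$")


def parse_portqry(text):
    """Return {(proto, port): {"service": str, "state": str}}."""
    results = {}
    last_udp = None  # UDP port of the current section, for "UDP port: LISTENING"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting portqry.exe"):
            last_udp = None  # a confirmation never carries over to a new section
            continue
        m = STATUS_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            results[key] = {"service": m.group(3), "state": m.group(4)}
            if key[0] == "UDP":
                last_udp = key
            continue
        m = CONFIRM_RE.match(line)
        if m:
            key = ("UDP", int(m.group(1))) if m.group(1) else last_udp
            if key in results:
                # A reply to the follow-up query proves the port is reachable.
                results[key]["state"] = "LISTENING"
    return results


def triage(results, optional=frozenset({("TCP", 42)})):
    """Group ports into open / unconfirmed / blocked / ignored.

    `optional` holds ports whose state should not count against the host
    (assumption from the thread: TCP 42, WINS, is not required).
    """
    report = {"open": [], "unconfirmed": [], "blocked": [], "ignored": []}
    for key in sorted(results, key=lambda k: (k[1], k[0])):
        state = results[key]["state"]
        if key in optional:
            report["ignored"].append(key)
        elif state == "LISTENING":
            report["open"].append(key)
        elif state == "LISTENING or FILTERED":
            # No reply and no ICMP unreachable: cannot tell open from dropped.
            report["unconfirmed"].append(key)
        else:
            report["blocked"].append(key)
    return report


if __name__ == "__main__":
    for group, ports in triage(parse_portqry(SAMPLE)).items():
        print(group, ports)
```

Ports in the "unconfirmed" group are the ones worth re-testing from the other side or checking against any device between the two subnets.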
Yes, I have pointer records in the reverse lookup zone in each DC going both ways. I can attach a screenshot if needed.
compdigit44

If you haven't already done so, you may want to review the Microsoft Trust Checklist

http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx
I have been over this checklist a few times. All is well in tasks 1 and 2. In step 3, this is the scenario we are dealing with.

     If there is no shared root DNS server, and the root DNS servers for each forest DNS    
     namespace are not running a member of the Windows Server 2003 family, configure DNS
     secondary zones in each DNS namespace to route queries for names in the other
     namespace.

Both domains are their own forest at this point with the function level being 2003 on both. I was able to trust one of these domains with a different domain just last week. There must be a reason why it won't work with this particular domain.
Make sure all network ports are open between your domain and the remote domain, as listed in the following article:

http://support.microsoft.com/kb/179442#method3

On a side note, I thought this article was interesting as well.
http://blogs.msmvps.com/acefekay/2012/09/18/what-should-i-use-a-stub-conditional-forwader-forwarder-or-secondary-zone/
Thanks. The firewalls on both DCs are disabled in each domain. I notice that the DC running 2008 already has a conditional forwarders section. Whereas, the 2003 server does not. Is that something that must be added manually?
Windows 2003 does not understand 2008 conditional forwarder.....
In 2003 servers, you need to add conditional forwarder through DNS server properties \ Forwarders tab
In forwarder tab, you need to type your specific domain FQDN and its DNS server IP where you want to forward query for that domain

http://www.windowsnetworking.com/articles-tutorials/windows-2003/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/

Thanks
I know you mentioned the Windows firewall was disabled on both servers, but is there a hardware firewall in between both domains?
The PortQueryUI output is correct
Even if a hardware firewall exists between both domains, the ports are already opened....

Thanks
Have you tried to run a dcdiag in both domains?

Also, the following may provide you with additional troubleshooting ideas:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/9b5eb682-0ec4-4975-8b52-3c756f84edbe/create-a-trust-between-windows-2003-and-windows-2008-r2
Here are the results from running dcdiag. I see some errors, but the odd thing is that the server that it is looking for (SRVDC2-ED) no longer exists in our network. Also, this domain is already trusted with 2 others.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SRVDC1-ED
      Starting test: Connectivity
         ......................... SRVDC1-ED passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SRVDC1-ED
      Starting test: Replications
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=ForestDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-04-29 11:45:10.
            4924 failures have occurred since the last success.
         [SRVDC2-ED] DsBindWithSpnEx() failed with error 1727,
         The remote procedure call failed and did not execute..
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=ForestDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191823 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=DomainDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-05-08 11:53:07.
            4708 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=DomainDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191823 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-04-29 11:45:10.
            4924 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191798 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-05-08 11:53:04.
            4708 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191815 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-05-08 11:53:27.
            4708 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:09.
            191776 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         SRVDC1-ED:  Current time is 2013-11-20 14:59:16.
            DC=ForestDnsZones,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-04-29 11:45:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=DomainDnsZones,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-05-08 11:53:07.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Schema,CN=Configuration,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-04-29 11:45:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Configuration,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-05-08 11:50:34.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:09.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-05-08 11:53:27.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:08.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... SRVDC1-ED passed test Replications
      Starting test: NCSecDesc
         ......................... SRVDC1-ED passed test NCSecDesc
      Starting test: NetLogons
         ......................... SRVDC1-ED passed test NetLogons
      Starting test: Advertising
         ......................... SRVDC1-ED passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SRVDC1-ED passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SRVDC1-ED passed test RidManager
      Starting test: MachineAccount
         ......................... SRVDC1-ED passed test MachineAccount
      Starting test: Services
         ......................... SRVDC1-ED passed test Services
      Starting test: ObjectsReplicated
         ......................... SRVDC1-ED passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SRVDC1-ED passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group
         Policy problems.
         ......................... SRVDC1-ED failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         ......................... SRVDC1-ED failed test kccevent
      Starting test: systemlog
         ......................... SRVDC1-ED passed test systemlog
      Starting test: VerifyReferences
         ......................... SRVDC1-ED passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : mydomain
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom

   Running enterprise tests on : mydomain.com
      Starting test: Intersite
         ......................... mydomain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... mydomain.com passed test FsmoCheck
If the server no longer exists, it should be manually removed from AD but this is a side point right now.



1) Conditional forwards in place in both domains.
2) A firewall (software/hardware) is not blocking communications in either domain.
3) Is the remote domain able to trust your domain?
4) Can you post the result of the following:

Configuring Conditional Forward DNS in windows server 2008.
Try these steps:
(1) Type nslookup, and then press ENTER.
(2) Type set type=all, and then press ENTER.
(3) Type _ldap._tcp.dc._msdcs.trusting.domain.com and then press ENTER.
(4) Type _ldap._tcp.dc._msdcs.trusted.domain.com and then press ENTER.
Odd. I ran these commands on the 2008DC in domain B.... why does nslookup use a different DNS server in the domain instead of itself (which I believe is the authoritative DNS server)?

C:\>nslookup
Default Server:  srvhp1-ofy.2003DC-IN-DOMAIN-B.com
Address:  10.60.0.70

> _ldap._tcp.dc._mcds.srvdc1-ed.2003DC-IN-DOMAIN-A.com
Server:  srvhp1-ofy.2003DC-IN-DOMAIN-B.com
Address:  10.60.0.70

*** srvhp1-ofy.2003DC-IN-DOMAIN-B.com can't find _ldap._tcp.dc._mcds.srvdc1-ed.2003DC-IN-DOMAIN-A.com: Non-existent domain


> _ldap._tcp.dc._mcds.srvdc1-ofy.2008DC-IN-DOMAIN-B.com
Server:  srvhp1-ofy.2003DC-IN-DOMAIN-B.com
Address:  10.60.0.70

*** srvhp1-ofy.2003DC-IN-DOMAIN-B.com can't find _ldap._tcp.dc._mcds.srvdc1-ofy.2008DC-IN-DOMAIN-B.com: Non-existent domain
>
That's why, even after creating the _msdcs.domain.com secondary zone, you are facing issues.

Please find below article
http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx

I think you will be fine once you have corrected the stale DNS server entry....

Thanks
will post back results
Here are the results. How do I get rid of DC2? Also, files-ed is not a DC.

C:\Documents and Settings\user>nslookup
Default Server:  srvdc1-ed.mydomain.com
Address:  10.10.0.30

> set q=srv
> _ldap._tcp.dc._msdcs.mydomain.com
Server:  srvdc1-ed.mydomain.com
Address:  10.10.0.30

_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvdc2-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvdc1-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvfiles-ed.mydomain.com
srvdc2-ed.mydomain.com        internet address = 10.10.0.201
srvdc2-ed.mydomain.com        internet address = 10.10.0.31
srvdc1-ed.mydomain.com        internet address = 10.10.0.30
srvfiles-ed.mydomain.com      internet address = 10.80.0.106
Have you checked SRV records in all DNS partitions?
_msdcs
_sites
_tcp
_udp

Also there are two records showing for srvdc2.....

I think you can better check netlogon.dns file
Netlogon.dns is located in the %systemroot%\System32\Config

http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/bb727055.aspx

Mahesh
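The SRV check discussed in the posts above can be scripted. The following is an added example, not part of the original thread: it parses captured `nslookup` SRV output for `_ldap._tcp.dc._msdcs.<domain>` and flags hosts that are registered as domain controllers but are not in an inventory, as well as targets with more than one A record. The sample text is constructed from the output posted above, and the one-host inventory `EXPECTED_DCS` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the nslookup output posted in the thread.
# EXPECTED_DCS is an assumed inventory of the DCs that are supposed to exist.
SAMPLE_OUTPUT = """\
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvdc2-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvdc1-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvfiles-ed.mydomain.com
srvdc2-ed.mydomain.com        internet address = 10.10.0.201
srvdc2-ed.mydomain.com        internet address = 10.10.0.31
srvdc1-ed.mydomain.com        internet address = 10.10.0.30
srvfiles-ed.mydomain.com      internet address = 10.80.0.106
"""
EXPECTED_DCS = ["srvdc1-ed.mydomain.com"]

SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:", re.I)
SRV_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.I)
A_RECORD = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)", re.I)

def parse_nslookup_srv(text):
    """Return (SRV records, {host: [addresses]}) from nslookup SRV output."""
    records, addresses, current = [], defaultdict(list), None
    for line in text.splitlines():
        m = SRV_HEADER.match(line)
        if m:
            current = {"name": m.group(1).lower()}
            records.append(current)
            continue
        m = SRV_FIELD.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key == "svr hostname":
                current["target"] = value.lower().rstrip(".")
            else:
                current[key] = int(value)
            continue
        m = A_RECORD.match(line)
        if m:
            addresses[m.group(1).lower().rstrip(".")].append(m.group(2))
            current = None  # glue records end the SRV section
    return records, dict(addresses)

def audit_dc_locator(text, expected_dcs):
    """Compare SRV-registered DCs with an inventory; return (host, issue) pairs."""
    records, addresses = parse_nslookup_srv(text)
    expected = {h.lower().rstrip(".") for h in expected_dcs}
    findings, seen = [], set()
    for rec in records:
        target = rec.get("target")
        if not target or target in seen:
            continue
        seen.add(target)
        if target not in expected:
            findings.append((target, "registered as a DC but not in the inventory"))
        ips = addresses.get(target, [])
        if not ips:
            findings.append((target, "SRV target has no A record in the answer"))
        elif len(ips) > 1:
            findings.append((target, "multiple A records: " + ", ".join(ips)))
    for missing in sorted(expected - seen):
        findings.append((missing, "expected DC has no SRV registration"))
    return findings

if __name__ == "__main__":
    for host, issue in audit_dc_locator(SAMPLE_OUTPUT, EXPECTED_DCS):
        print(f"{host}: {issue}")
```

The same check applies to the `_sites`, `_tcp` and `_udp` SRV names: capture each query's output and pass it to `audit_dc_locator` with the same inventory.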
Do you have admin access in 2003 domain?
Is AD working correctly in this domain?
Can you upload the result of the following in the 2003 domain :  dcdiag /v /e C:\dcdiag_2k3.txt
Yes, I am logged in with a user account in the 'domain admins' group. Attached are the results. I had to add the /f switch to create the logfile
dcdiag-2k3-.txt
Mahesh - I have attached the contents of the netlogon.dns file
netlogon.dns-.txt
Interesting. If DC2 is no longer online, it should be manually removed from AD and all its DNS records removed. I did notice replication errors as well..

Anyway have you tried to create a trust going from 2003 domain to 2008 ?
Yes. I have tried from either domain to initiate the trust. This domain already has trusts with two other domains, so it's odd that it won't work now. I created the 2nd of the trusts just a couple of weeks ago too.
Has anything changed in the Windows 2003 domain since you created the last trust?

What OS are the other domains running?
Nothing has changed that I can think of. The DCs in both of those other domains are 2008.
Are they running 2008 R2? How long has DC2 been offline?
Sorry, I type-o'd the last comment. I meant to type that both DCs are 2003 server. This new trust that I want to create is a 2008 DC

DC2 has been offline for over 1 year
Interesting. For kicks: on your source domain, you mentioned that you had a second DC running 2003. Have you tried to set up the trust from the 2003 DC?
I have not tried that. Let me try now
No joy. Same errors
Hum..

1) Are you sure nothing has changed in the 2003 domain? Can you upload a screenshot of the DNS settings and records?

2) Any errors in the Windows 2003 event logs?

3) Is AV running on the 2003 server?

4) Try to create a new stand-alone 2008 DC running a new instance of a domain & forest and try to add it to the 2003 domain
I will work on this and post back
netlogon.dns seems to be perfect for DC1..

In dcdiag output there are some entries for SRVFILES and failed entries for DC2 as below.

" Testing server: Default-First-Site-Name\SRVFILES-ED
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         SRVFILES-ED:  Current time is 2013-11-21 14:44:49.
            CN=Schema,CN=Configuration,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-04-29 11:45:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiable

I suggest you check for DC2 metadata cleanup......and also for lingering objects, in advisory mode first....maybe some hidden issues will get resolved with them
http://technet.microsoft.com/en-us/library/cc785298(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc738018(v=ws.10).aspx

You said that SRVFILE is not a DC...........Can you please logon to this server with domain admins account and check if sysvol and netlogon are shared.......and DNS server status..may be dns is not installed on that..you can install DNS and check if domain DNS zone gets populated there...

Mahesh
I logged into SRVFILES-ED and I can see that NETLOGON and SYSVOL are shared. DNS server is not installed on this server, nor do I want it to be.
Was AD ever installed on SRVFiles-ED? If so, you should do a manual cleanup of this domain. It sounds like there are a number of DCs that have been removed improperly.

http://support.microsoft.com/kb/216498


Can you send a screenshot of the _msdc DNS folder from the 2003 domain?
I don't think AD was ever installed on that server. How would I be able to tell?

Where do I find the _msdc DNS folder?
You already told us that SRVFiles-ED is a DC

Look at your earlier comment

"I logged into SRVFILES-ED and I can see that NETLOGON and SYSVOL are shared. DNS server is not installed on this server, nor do I want it to be"

Install the DNS server role on this server and check whether all AD-integrated DNS zones get populated to this DC, like I asked you in my previous comment.
This will prove that it is a DC.

Mahesh
Maybe that's part of the problem. This server is not supposed to be a DC. I did not know it was. We have never used it as a DC in 6 years that I have been here.
Then, as suggested by compdigit44, you should remove the DC role forcefully from that server

Mahesh
i will do that over the weekend and post back.
It sounds like the 2003 AD domain needs a lot of clean up and you should inventory all of your servers to make sure everything is as it should be.
ASKER CERTIFIED SOLUTION
Sandesh Dubey

This solution is only available to members.
So, I have started trying to clean up replication and DNS. Come to find out that SRVFILES-ED is indeed a DC. I will post back more results later.
Good luck. Please let us know if you have any further questions..
I am continuing to work on this in my "spare time"
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.