Solved

Trusting Domains Issue

Posted on 2013-11-18
Last Modified: 2015-06-23
I am trying to create a trust between 2 domains.  Here is what I am working with...

DomainA
   Server 2003 R2
   Domain function level = Server2003
   Has forward lookup zone for DomainB which contains A records for DCs in DomainB
   Is able to ping DomainB by hostname
   When I run nltest /dsgetdc:DomainB I get the following error...
          DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


DomainB
   Server 2008 R2
   Domain function level = Server2003 (second domain controller is running Server 2003)
   Has forward lookup zone for DomainA which contains A records for DCs in DomainA
   Is able to ping DomainA by hostname
   When I run nltest /dsgetdc:DomainA I get the following error...
          DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


When I try to create the trust from either domain controller in DomainA or DomainB, I get the following error...

"The trust relationship cannot be created because the following error occurred:
 
  Either the domain does not exist, or network or other problems are preventing  
  connection."


I tried configuring forwarders in each domain to the other to no avail. Any help would be appreciated.

Question by:education-dynamics

56 Comments

Expert Comment

by:Mike Kline
ID: 39657179
Do you have firewalls between the two? Check your ports: http://support.microsoft.com/kb/179442

Sounds like DNS is set up OK.

Thanks

Mike

Author Comment

by:education-dynamics
ID: 39657258
Both firewalls are disabled.

Expert Comment

by:Mahesh
ID: 39657314
Instead of forward lookup zones, enable zone transfer on the domain DNS zone of both domains and map it as a secondary zone in both domains, vice versa.
Flush the DNS cache by running ipconfig /flushdns and dnscmd /clearcache at both domains.
Please try building the trust now. If the issue still persists,
enable zone transfer on the "_msdcs.domain.com" zone as well at each domain and map them as secondary zones at both domains, vice versa.
Again flush the DNS cache by running ipconfig /flushdns and dnscmd /clearcache at both domains.
Please try building the trust now. It should work.

Author Comment

by:education-dynamics
ID: 39657316
I will try and post back. Thanks

Author Comment

by:education-dynamics
ID: 39657620
I forgot that I already have this set up as well. I tried doing this before posting to see if this would work. See attachments.

On the 1st screenshot... should I specify the servers instead?
trust1.png
trust2.png

Expert Comment

by:Mahesh
ID: 39657675
You have mentioned in your question that you have forward lookup zones for the opposite domains?
My suggestion is to delete the forward lookup zones for the opposite domains and create secondary zones instead for the domain DNS zone and _msdcs.domain.com, vice versa.
If the above fails, then
alternatively you can create conditional forwarding for both domains, vice versa.
Also download PortQueryUI from Microsoft and check if the AD authentication ports are open from both ends.

Thanks

Author Comment

by:education-dynamics
ID: 39658111
This is the result of the portquery. Does this mean port 42 is not open? If so, how is that possible since both firewalls are off?



Starting portqry.exe -n srvdc1-ofy.ofy.org -e 42 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP exits with return code 0x00000001.

Expert Comment

by:Sandeshdubey
ID: 39658368
It seems to be name resolution or a necessary port not open for domain and trust. If you are creating a forest trust, ensure the parameters below.

To create the trust you have to prepare DNS to resolve the other domain name properly. Use a conditional forwarder or a secondary or stub zone.
http://www.windowsnetworking.com/art...tub_Zones.html

Have you created forwarders or a secondary zone for name resolution? If the secondary zone is created, check whether the zone loads correctly. If you have created the same then create and check.

Checklist: Creating a forest trust
http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx

How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

PortQuery is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

Expert Comment

by:Mahesh
ID: 39658550
TCP port 42 (WINS) is not required by 2003 / 2008 domain controllers.
Since you have not installed the WINS service on either domain controller, you cannot telnet. There is nothing wrong with that.
Please download PortQueryUI from Microsoft and check all AD ports with the GUI:
http://www.microsoft.com/en-us/download/details.aspx?id=24009
Can you please post the PortQueryUI results?
Thanks

Author Comment

by:education-dynamics
ID: 39659528
Here is the output...

=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 135 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

Total endpoints found: 215



==== End of RPC Endpoint Mapper query response ====
portqry.exe -n srvdc1.mydomain.com -e 135 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 389 -p BOTH ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 11/19/2013 15:01:50 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
namingContexts: DC=mydomain,DC=com
defaultNamingContext: DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=mydomain,DC=com
rootDomainNamingContext: DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 25364149
supportedSASLMechanisms: GSSAPI
dnsHostName: srvdc1.mydomain.com
ldapServiceName: mydomain.com:srvdc1$@mydomain.com
serverName: CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 4


======== End of LDAP query response ========

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 11/19/2013 15:01:54 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
namingContexts: DC=mydomain,DC=com
defaultNamingContext: DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=mydomain,DC=com
rootDomainNamingContext: DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 25364149
supportedSASLMechanisms: GSSAPI
dnsHostName: srvdc1.mydomain.com
ldapServiceName: mydomain.com:srvdc1$@mydomain.com
serverName: CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 4


======== End of LDAP query response ========

UDP port 389 is LISTENING

portqry.exe -n srvdc1.mydomain.com -e 389 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 636 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 636 (ldaps service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 636 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 3268 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 3268 (msft-gc service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 11/19/2013 15:01:54 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
namingContexts: DC=mydomain,DC=com
defaultNamingContext: DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=mydomain,DC=com
rootDomainNamingContext: DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 25364149
supportedSASLMechanisms: GSSAPI
dnsHostName: srvdc1.mydomain.com
ldapServiceName: mydomain.com:srvdc1$@mydomain.com
serverName: CN=srvdc1,CN=Servers,CN=Downtown,CN=Sites,CN=Configuration,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 0
domainControllerFunctionality: 4


======== End of LDAP query response ========
portqry.exe -n srvdc1.mydomain.com -e 3268 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 3269 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 3269 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 53 -p BOTH ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 53 -p BOTH exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 88 -p BOTH ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 88 (kerberos service): LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n srvdc1.mydomain.com -e 88 -p BOTH exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 445 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 445 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 137 -p UDP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...


Name resolved to 10.60.0.33

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address b8ac6f94eb7e
UDP port: LISTENING
portqry.exe -n srvdc1.mydomain.com -e 137 -p UDP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 138 -p UDP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...


Name resolved to 10.60.0.33

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n srvdc1.mydomain.com -e 138 -p UDP exits with return code 0x00000002.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 139 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 139 (netbios-ssn service): LISTENING
portqry.exe -n srvdc1.mydomain.com -e 139 -p TCP exits with return code 0x00000000.
=============================================

 Starting portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP ...


Querying target system called:

 srvdc1.mydomain.com

Attempting to resolve name to IP address...

Name resolved to 10.60.0.33

querying...

TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n srvdc1.mydomain.com -e 42 -p TCP exits with return code 0x00000001.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39659548
PortQuery results are satisfactory.

Please check if you have reverse lookup zones of both domain controller IP subnets vice versa.
If not, please create them at both domains and create PTR records as well,
then again flush the DNS cache at both sides and try recreating the trust please.

Thanks
0
 

Author Comment

by:education-dynamics
ID: 39659652
Yes, I have pointer records in the reverse lookup zone in each DC going both ways. I can attach screen shot if needed
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39661062
If you haven't already done so you may want to review the Microsoft Trust Check-list

http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx
0
 

Author Comment

by:education-dynamics
ID: 39661107
I have been over this checklist a few times. All is well in tasks 1 and 2. In step 3, this is the scenario we are dealing with.

     If there is no shared root DNS server, and the root DNS servers for each forest DNS    
     namespace are not running a member of the Windows Server 2003 family, configure DNS
     secondary zones in each DNS namespace to route queries for names in the other
     namespace.

Both domains are their own forest at this point with the function level being 2003 on both. I was able to trust one of these domains with a different domain just last week. There must be a reason why it won't work with this particular domain.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39661123
Make sure all network ports are open between your domain and the remote domain as linked in the following article:

http://support.microsoft.com/kb/179442#method3

On a side note, I thought this article was interesting as well.
http://blogs.msmvps.com/acefekay/2012/09/18/what-should-i-use-a-stub-conditional-forwader-forwarder-or-secondary-zone/
0
 

Author Comment

by:education-dynamics
ID: 39661139
Thanks. The firewalls on both DCs are disabled in each domain. I notice that the DC running 2008 already has a conditional forwarders section. Whereas, the 2003 server does not. Is that something that must be added manually?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39661776
Windows 2003 does not understand 2008 conditional forwarder.....
In 2003 servers, you need to add a conditional forwarder through DNS server properties \ Forwarders tab.
In the Forwarders tab, you need to type your specific domain FQDN and its DNS server IP where you want to forward queries for that domain.

http://www.windowsnetworking.com/articles-tutorials/windows-2003/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/

Thanks
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39662312
I know you mentioned the Windows firewall was disabled on both servers, but is there a hardware firewall in between both domains?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39662352
The portQueryUI output is correct.
Even if a hardware firewall exists between both domains, ports are already opened....

Thanks
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39662528
Have you tried to run a dcdiag in both domains?

Also the following may provide you with additional troubleshooting ideas:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/9b5eb682-0ec4-4975-8b52-3c756f84edbe/create-a-trust-between-windows-2003-and-windows-2008-r2
0
 

Author Comment

by:education-dynamics
ID: 39664362
Here are the results from running dcdiag. I see some errors, but the odd thing is that the server that it is looking for (SRVDC2-ED) no longer exists in our network. Also, this domain is already trusted with 2 others.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SRVDC1-ED
      Starting test: Connectivity
         ......................... SRVDC1-ED passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SRVDC1-ED
      Starting test: Replications
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=ForestDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-04-29 11:45:10.
            4924 failures have occurred since the last success.
         [SRVDC2-ED] DsBindWithSpnEx() failed with error 1727,
         The remote procedure call failed and did not execute..
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=ForestDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191823 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=DomainDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-05-08 11:53:07.
            4708 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=DomainDnsZones,DC=mydomain,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191823 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-04-29 11:45:10.
            4924 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191798 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-05-08 11:53:04.
            4708 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:10.
            191815 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2013-05-08 11:53:27.
            4708 failures have occurred since the last success.
         [Replications Check,SRVDC1-ED] A recent replication attempt failed:
            From SRVDC2-ED to SRVDC1-ED
            Naming Context: DC=mydomain,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2013-11-20 14:47:08.
            The last success occurred at 2008-05-31 07:54:09.
            191776 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         SRVDC1-ED:  Current time is 2013-11-20 14:59:16.
            DC=ForestDnsZones,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-04-29 11:45:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=DomainDnsZones,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-05-08 11:53:07.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Schema,CN=Configuration,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-04-29 11:45:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            CN=Configuration,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-05-08 11:50:34.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:09.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
            DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-05-08 11:53:27.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:08.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... SRVDC1-ED passed test Replications
      Starting test: NCSecDesc
         ......................... SRVDC1-ED passed test NCSecDesc
      Starting test: NetLogons
         ......................... SRVDC1-ED passed test NetLogons
      Starting test: Advertising
         ......................... SRVDC1-ED passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SRVDC1-ED passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SRVDC1-ED passed test RidManager
      Starting test: MachineAccount
         ......................... SRVDC1-ED passed test MachineAccount
      Starting test: Services
         ......................... SRVDC1-ED passed test Services
      Starting test: ObjectsReplicated
         ......................... SRVDC1-ED passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SRVDC1-ED passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group
         Policy problems.
         ......................... SRVDC1-ED failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 11/20/2013   14:51:18
            Event String: All domain controllers in the following site that
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) has
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 11/20/2013   14:51:18
            Event String: The Knowledge Consistency Checker (KCC) was
         ......................... SRVDC1-ED failed test kccevent
      Starting test: systemlog
         ......................... SRVDC1-ED passed test systemlog
      Starting test: VerifyReferences
         ......................... SRVDC1-ED passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : mydomain
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom

   Running enterprise tests on : mydomain.com
      Starting test: Intersite
         ......................... mydomain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... mydomain.com passed test FsmoCheck
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39664439
If the server no longer exists, it should be manually removed from AD but this is a side point right now.



1) Conditional forwards in place in both domains.
2) A firewall (software/hardware) is not blocking communications in either domain.
3) Is the remote domain able to trust your domain?
4) Can you post the result of the following:

Configuring Conditional Forward DNS in Windows Server 2008.
Try these steps:
(1) Type nslookup, and then press ENTER.
(2) Type set type=all, and then press ENTER.
(3) Type _ldap._tcp.dc._msdcs.trusting.domain.com and then press ENTER.
(4) Type _ldap._tcp.dc._msdcs.trusted.domain.com and then press ENTER.
0
 

Author Comment

by:education-dynamics
ID: 39664515
Odd. I ran these commands on the 2008DC in domain B.... why does nslookup use a different DNS server in the domain instead of itself (which I believe is the authoritative DNS server)?

C:\>nslookup
Default Server:  srvhp1-ofy.2003DC-IN-DOMAIN-B.com
Address:  10.60.0.70

> _ldap._tcp.dc._mcds.srvdc1-ed.2003DC-IN-DOMAIN-A.com
Server:  srvhp1-ofy.2003DC-IN-DOMAIN-B.com
Address:  10.60.0.70

*** srvhp1-ofy.2003DC-IN-DOMAIN-B.com can't find _ldap._tcp.dc._mcds.srvdc1-ed.2003DC-IN-DOMAIN-A.com: Non-existent domain


> _ldap._tcp.dc._mcds.srvdc1-ofy.2008DC-IN-DOMAIN-B.com
Server:  srvhp1-ofy.2003DC-IN-DOMAIN-B.com
Address:  10.60.0.70

*** srvhp1-ofy.2003DC-IN-DOMAIN-B.com can't find _ldap._tcp.dc._mcds.srvdc1-ofy.2008DC-IN-DOMAIN-B.com: Non-existent domain
>
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39665058
That's why even after creating the _msdcs.domain.com secondary zone, you are facing issues.

Please find below article
http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx

I think you will be fine once you have corrected the stale DNS server entry....

Thanks
0
 

Author Comment

by:education-dynamics
ID: 39667287
will post back results
0
 

Author Comment

by:education-dynamics
ID: 39667302
Here are the results. How do I get rid of DC2? Also, files-ed is not a DC.

C:\Documents and Settings\user>nslookup
Default Server:  srvdc1-ed.mydomain.com
Address:  10.10.0.30

> set q=srv
> _ldap._tcp.dc._msdcs.mydomain.com
Server:  srvdc1-ed.mydomain.com
Address:  10.10.0.30

_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvdc2-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvdc1-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = srvfiles-ed.mydomain.com
srvdc2-ed.mydomain.com        internet address = 10.10.0.201
srvdc2-ed.mydomain.com        internet address = 10.10.0.31
srvdc1-ed.mydomain.com        internet address = 10.10.0.30
srvfiles-ed.mydomain.com      internet address = 10.80.0.106
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39667368
Have you checked SRV records in all DNS partitions?
_msdcs
_sites
_tcp
_udp

Also there are two records showing for srvdc2.....

I think you can better check netlogon.dns file
Netlogon.dns is located in the %systemroot%\System32\Config

http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/bb727055.aspx

Mahesh
0

 
LVL 19

Expert Comment

by:compdigit44
ID: 39667543
Do you have admin access in 2003 domain?
Is AD working correctly in this domain?
Can you upload the result of the following in the 2003 domain :  dcdiag /v /e C:\dcdiag_2k3.txt
0
 

Author Comment

by:education-dynamics
ID: 39667584
Yes, I am logged in with a user account in the 'domain admins' group. Attached are the results. I had to add the /f switch to create the logfile
dcdiag-2k3-.txt
0
 

Author Comment

by:education-dynamics
ID: 39667601
Mahesh - I have attached the contents of the netlogon.dns file
netlogon.dns-.txt
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39667618
Interesting. If DC2 is no longer online it should be manually removed from AD and all DNS records removed. I did notice replication errors as well..

Anyway have you tried to create a trust going from 2003 domain to 2008 ?
0
 

Author Comment

by:education-dynamics
ID: 39667649
Yes. I have tried from either domain to initiate the trust. This domain already has trusts with two other domains, so it's odd that it won't work now. I created the 2nd of the trusts just a couple of weeks ago too.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39667674
Has anything changed in the Windows 2003 domain since you created the last trust?

What OS are the other domains running?
0
 

Author Comment

by:education-dynamics
ID: 39667687
Nothing has changed that I can think of. The DCs in both of those other domains are 2008.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39667696
Are they running 2008 R2? How long has DC2 been offline?
0
 

Author Comment

by:education-dynamics
ID: 39667704
Sorry, I type-o'd the last comment. I meant to type that both DCs are 2003 server. This new trust that I want to create is a 2008 DC

DC2 has been offline for over 1 year
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39667710
Interesting. For kicks: on your source domain you mentioned that you had a second DC running 2003. Have you tried to set up the trust from the 2003 DC?
0
 

Author Comment

by:education-dynamics
ID: 39667714
I have not tried that. Let me try now
0
 

Author Comment

by:education-dynamics
ID: 39667719
No joy. Same errors
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39667728
Hum..

1) Are you sure nothing has changed in the 2003 domain? Can you upload a screenshot of the DNS settings and records?

2) Any errors in the Windows 2003 event logs?

3) Is AV running on the 2003 server?

4) Try to create a new stand-alone 2008 DC running a new instance of a domain & forest and try to add it to the 2003 domain.
0
 

Author Comment

by:education-dynamics
ID: 39667734
I will work on this and post back
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39668268
netlogon.dns seems to be perfect for DC1..

In dcdiag output there are some entries for SRVFILES and failed entries for DC2 as below.

" Testing server: Default-First-Site-Name\SRVFILES-ED
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         SRVFILES-ED:  Current time is 2013-11-21 14:44:49.
            CN=Schema,CN=Configuration,DC=mydomain,DC=com
               Last replication recieved from SRVDC2-ED at 2013-04-29 11:45:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
               Last replication recieved from SRVDC2-ED at 2008-05-31 07:54:10.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiable

I suggest you check for DC2 metadata cleanup......and also for lingering objects in advisory mode first....maybe some hidden issues will get resolved with them
http://technet.microsoft.com/en-us/library/cc785298(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc738018(v=ws.10).aspx

You said that SRVFILE is not a DC...........Can you please log on to this server with a domain admins account and check if sysvol and netlogon are shared.......and the DNS server status..maybe DNS is not installed on it..you can install DNS and check if the domain DNS zone gets populated there...

Mahesh
0
 

Author Comment

by:education-dynamics
ID: 39669460
I logged into SRVFILES-ED and I can see that NETLOGON and SYSVOL are shared. DNS server is not installed on this server, nor do I want it to be.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39669525
Was AD ever installed on SRVFiles-ED? If so you should do a manual clean up of this domain. It sounds like there are a number of DCs that have been removed improperly.

http://support.microsoft.com/kb/216498


Can you send a screenshot of the _msdc DNS folder from the 2003 domain?
0
 

Author Comment

by:education-dynamics
ID: 39670381
I don't think AD was ever installed on that server. How would I be able to tell?

Where do I find the _msdc DNS folder?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39670413
You already told us that SRVFiles-ED is a DC

Look at your earlier comment

"I logged into SRVFILES-ED and I can see that NETLOGON and SYSVOL are shared. DNS server is not installed on this server, nor do I want it to be"

Install the DNS server role on this server and check if all AD integrated DNS zones get populated to this DC like I asked you in my previous comment.
This will prove that it is a DC

Mahesh
0
 

Author Comment

by:education-dynamics
ID: 39670419
Maybe that's part of the problem. This server is not supposed to be a DC. I did not know it was. We have never used it as a DC in 6 years that I have been here.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39670478
Then as suggested by: compdigit44 you should remove the DC role forcefully from that server

Mahesh
0
 

Author Comment

by:education-dynamics
ID: 39670501
I will do that over the weekend and post back.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39671622
It sounds like the 2003 AD domain needs a lot of clean up and you should inventory all of your servers to make sure everything is as it should be.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39673717
You need to fix the replication issue in the domain and then proceed with checking the trusting domain issue.

From the log it is clear that the DC has not replicated for more than 60 days and this latency is over the Tombstone Lifetime. To fix the issue you need to demote the faulty server forcefully, followed by metadata cleanup, and promote it back as a DC as others suggested.
You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on the other (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is the FSMO role holder server then you need to seize the FSMO role on the other DC.

Once done you can promote the server back as ADC. Also configure the authoritative time server role on the PDC role holder server.

Reference link
Forceful removal of DC: http://support.microsoft.com/kb/332199
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Seize FSMO role: http://www.petri.co.il/seizing_fsmo_roles.htm
Authoritative time server: http://support.microsoft.com/kb/816042
0
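The staleness reading the accepted answer takes from the dcdiag log, as an added example that is not part of the original thread: it parses the replication failure blocks, flags source DCs whose last success is older than the 60-day tombstone lifetime reported in the log, and checks whether each is still advertised in the `_ldap._tcp.dc._msdcs` SRV records. The sample text is constructed from the output posted above; SRVDC3-ED and all function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed samples, trimmed to the shape of the dcdiag and nslookup output
# posted in this thread. SRVDC3-ED is a made-up partner with a recent failure.
SAMPLE_DCDIAG = """
[Replications Check,SRVDC1-ED] A recent replication attempt failed:
   From SRVDC2-ED to SRVDC1-ED
   Naming Context: DC=ForestDnsZones,DC=mydomain,DC=com
   The replication generated an error (1256):
   The failure occurred at 2013-11-20 14:47:08.
   The last success occurred at 2013-04-29 11:45:10.
[Replications Check,SRVDC1-ED] A recent replication attempt failed:
   From SRVDC2-ED to SRVDC1-ED
   Naming Context: DC=mydomain,DC=com
   The replication generated an error (1727):
   The failure occurred at 2013-11-20 14:47:08.
   The last success occurred at 2013-05-08 11:53:27.
[Replications Check,SRVDC1-ED] A recent replication attempt failed:
   From SRVDC3-ED to SRVDC1-ED
   Naming Context: DC=mydomain,DC=com
   The replication generated an error (1722):
   The failure occurred at 2013-11-20 14:47:08.
   The last success occurred at 2013-11-19 09:00:00.
"""

SAMPLE_NSLOOKUP = """
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          port           = 389
          svr hostname   = srvdc2-ed.mydomain.com
_ldap._tcp.dc._msdcs.mydomain.com     SRV service location:
          port           = 389
          svr hostname   = srvdc1-ed.mydomain.com
"""


def parse_time(text):
    """dcdiag timestamp -> datetime, or None for values such as '(never)'."""
    try:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def parse_failures(dcdiag_text):
    """One dict per 'A recent replication attempt failed' block."""
    records, cur = [], None
    for raw in dcdiag_text.splitlines():
        line = raw.strip()
        m = re.match(r"From (\S+) to (\S+)$", line)
        if m:
            cur = {"source": m.group(1).upper(), "dest": m.group(2).upper()}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Naming Context:"):
            cur["nc"] = line.split(":", 1)[1].strip()
        elif m := re.search(r"generated an error \((\d+)\)", line):
            cur["error"] = int(m.group(1))
        elif m := re.match(r"The failure occurred at (.+)\.$", line):
            cur["failed"] = parse_time(m.group(1))
        elif m := re.match(r"The last success occurred at (.+)\.$", line):
            cur["last_ok"] = parse_time(m.group(1))
    # Keep only blocks that carried both timestamps lines.
    return [r for r in records if r.get("failed") and "last_ok" in r]


def stale_sources(records, tombstone_days=60):
    """Source DC -> worst gap in days between last success and the failure,
    for partners silent longer than the tombstone lifetime."""
    worst = {}
    for r in records:
        # A partner that has never replicated is treated as infinitely stale.
        gap = (r["failed"] - r["last_ok"]).days if r["last_ok"] else float("inf")
        if gap > tombstone_days:
            worst[r["source"]] = max(worst.get(r["source"], 0), gap)
    return worst


def srv_hosts(nslookup_text):
    """Short host names from 'svr hostname = ...' lines of nslookup SRV output."""
    return {m.group(1).split(".")[0].upper()
            for m in re.finditer(r"svr hostname\s*=\s*(\S+)", nslookup_text)}


def cleanup_candidates(dcdiag_text, nslookup_text, tombstone_days=60):
    """Stale replication partners, with a flag for those DNS still advertises."""
    advertised = srv_hosts(nslookup_text)
    stale = stale_sources(parse_failures(dcdiag_text), tombstone_days)
    return {dc: {"gap_days": gap, "still_in_dns": dc in advertised}
            for dc, gap in stale.items()}


if __name__ == "__main__":
    for dc, info in cleanup_candidates(SAMPLE_DCDIAG, SAMPLE_NSLOOKUP).items():
        print(dc, info)
```

A partner that is both past the tombstone lifetime and still present in the SRV records is the case the answer's forced removal plus metadata cleanup addresses; feed the functions the full text of `dcdiag` and of the `set q=srv` lookup to check a real domain.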
 

Author Comment

by:education-dynamics
ID: 39703628
So, I have started trying to clean up replication and DNS. Come to find out that SRVFILES-ED is indeed a DC. I will post back more results later.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39703692
Good luck. Please let us know if you have any further questions.
0
 

Author Comment

by:education-dynamics
ID: 39962921
I am continuing to work on this in my "spare time"
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40845796
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
