asked on
Unble to validate trust maybe DNS related "The local security authority is unable to obtain an RPC conneciton to the DC"
We have a new DC that we are adding to our existing child domain. It seemed to go in fine but there are some issues with when validating trust I get the attached error.
I do have in event log under DNS: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
The only other error is: The DFS Namespace service could not initialize cross forest trust information on this domain controller. However I have other branch offices that have the same trust from child to parent and they are fine so trust seems fine.
Capture.JPG
I do have in event log under DNS: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
The only other error is: The DFS Namespace service could not initialize cross forest trust information on this domain controller. However I have other branch offices that have the same trust from child to parent and they are fine so trust seems fine.
Capture.JPG
DNSActive DirectoryWindows Server 2012
Last Comment
bergquistcompany
Is this DC successfully replicating to its partners? Check Sites and Services and ensure that this DC has connections created to it.
When you are adding a DC in to a child domain a 2 way transitive trust is created automatically. Make sure that you check DNS Manger and ensure that your DC in the child domain is a Name server in the parent zone as well. If this trust was not create correctly upon promoting this DC it is possible that the promotion did not complete correctly.
Check the above things first, and it still no luck you may have to demote then re-promote this DC again.
Will.
When you are adding a DC in to a child domain a 2 way transitive trust is created automatically. Make sure that you check DNS Manger and ensure that your DC in the child domain is a Name server in the parent zone as well. If this trust was not create correctly upon promoting this DC it is possible that the promotion did not complete correctly.
Check the above things first, and it still no luck you may have to demote then re-promote this DC again.
Will.
ASKER
firewall now off - same issue
Sites and Services shows other DC at same site but when looking at the working DC in that site it has a connection to the new one AND another site.
It is listed as a name server in the parent zone.
Sites and Services shows other DC at same site but when looking at the working DC in that site it has a connection to the new one AND another site.
It is listed as a name server in the parent zone.
If everything looks good from that perspective you might want to use "netdom" and verify the trust. If the trust is broken you may have to re-create it. See below for steps on how to do this...
Verify/Re-create Trust using Netdom or GUI - http://technet.microsoft.com/en-us/library/cc753821.aspx
Will.
Verify/Re-create Trust using Netdom or GUI - http://technet.microsoft.com/en-us/library/cc753821.aspx
Will.
Do you get the trust error on all DC's in the child domain or just the new one?
In ADSS, for the new DC object, what replication partners show?
If the new DC is pointed to itself for DNS, you may want to change it to the other DC in the domain until the first replication has taken place.
In ADSS, for the new DC object, what replication partners show?
If the new DC is pointed to itself for DNS, you may want to change it to the other DC in the domain until the first replication has taken place.
ASKER
trust cannot be verified. Only issue from this one DC in child domain. Did find can't ping parent by name only be FQDN. Did change to point to 2003 local DC in same site for DNS for now.
Only partners are 2003 DC in same site. However 2003 DC in same site has this and another site DC
Only partners are 2003 DC in same site. However 2003 DC in same site has this and another site DC
Only partners are 2003 DC in same site. However 2003 DC in same site has this and another site DC
That is normal for the replication connections.
Can you verify replication between the new DC and existing DC?
http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx
How long has the new DC been operational?
ASKER
ok turns out server can't access the shares on the parent domain
This is a 2012 server and when I browse the parent \\dc1\c$ it gives it says: No network provider accepted the given network path.
However the 2003 server sitting above it in the rack can.
This is a 2012 server and when I browse the parent \\dc1\c$ it gives it says: No network provider accepted the given network path.
However the 2003 server sitting above it in the rack can.
Can you list the DNS suffixes configured on each server? I am thinking that the 2003 server has the parent's domain DNS suffix added or else it wouldn't be able to ping the server by hostname.
Run a dcdiag for kicks and make sure it's showing the DNS looks good on both the 2003 and the 2008 servers.
Run a dcdiag for kicks and make sure it's showing the DNS looks good on both the 2003 and the 2008 servers.
ASKER
bergquistcompany.com
northamerica.bergquistcomp
will run dcdiag thanks
northamerica.bergquistcomp
will run dcdiag thanks
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
yes and I am demoting and re promoting it so we'll see
ASKER
missing suffix thanks
What if you disable the firewall temporarely on this new box? (not sure what the dynamic range for TCP/IP is for Server2012 but is seems the culprit is there).