Unble to validate trust maybe DNS related "The local security authority is unable to obtain an RPC conneciton to the DC"

We have a new DC that we are adding to our existing child domain.  It seemed to go in fine but there are some issues with when validating trust I get the attached error.

I do have in event log under DNS: The DNS server has encountered a critical error from the Active Directory.  Check that the Active Directory is functioning properly.  The extended error  debug information (which may be empty) is "". The event data contains the error.

The only other error is: The DFS Namespace service could not initialize cross forest trust information on this domain controller.  However I have other branch offices that have the same trust from child to parent and they are fine so trust seems fine.
Capture.JPG
bergquistcompanyAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Jeremy WeisingerConnect With a Mentor Senior Network Consultant / EngineerCommented:
Does the 2012 server have those suffixes too?
0
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Hi

What if you disable the firewall temporarely on this new box? (not sure what the dynamic range for TCP/IP is for Server2012 but is seems the culprit is there).
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Is this DC successfully replicating to its partners? Check Sites and Services and ensure that this DC has connections created to it.

When you are adding a DC in to a child domain a 2 way transitive trust is created automatically. Make sure that you check DNS Manger and ensure that your DC in the child domain is a Name server in the parent zone as well. If this trust was not create correctly upon promoting this DC it is possible that the promotion did not complete correctly.

Check the above things first, and it still no luck you may have to demote then re-promote this DC again.

Will.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
bergquistcompanyAuthor Commented:
firewall now off - same issue

Sites and Services shows other DC at same site but when looking at the working DC in that site it has a connection to the new one AND another site.

It is listed as a name server in the parent zone.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
If everything looks good from that perspective you might want to use "netdom" and verify the trust. If the trust is broken you may have to re-create it. See below for steps on how to do this...

Verify/Re-create Trust using Netdom or GUI - http://technet.microsoft.com/en-us/library/cc753821.aspx

Will.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Do you get the trust error on all DC's in the child domain or just the new one?

In ADSS, for the new DC object, what replication partners show?

If the new DC is pointed to itself for DNS, you may want to change it to the other DC in the domain until the first replication has taken place.
0
 
bergquistcompanyAuthor Commented:
trust cannot be verified.  Only issue from this one DC in child domain.  Did find can't ping parent by name only be FQDN.  Did change to point to 2003 local DC in same site for DNS for now.  

Only partners are 2003 DC in same site.  However 2003 DC in same site has this and another site DC
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Only partners are 2003 DC in same site.  However 2003 DC in same site has this and another site DC

That is normal for the replication connections.

Can you verify replication between the new DC and existing DC?
http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx

How long has the new DC been operational?
0
 
bergquistcompanyAuthor Commented:
ok turns out server can't access the shares on the parent domain

This is a 2012 server and when I browse the parent \\dc1\c$ it gives it says: No network provider accepted the given network path.

However the 2003 server sitting above it in the rack can.
0
 
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Can you list the DNS suffixes configured on each server? I am thinking that the 2003 server has the parent's domain DNS suffix added or else it wouldn't be able to ping the server by hostname.

Run a dcdiag for kicks and make sure it's showing the DNS looks good on both the 2003 and the 2008 servers.
0
 
bergquistcompanyAuthor Commented:
bergquistcompany.com
northamerica.bergquistcompany.com

will run dcdiag thanks
0
 
bergquistcompanyAuthor Commented:
yes and I am demoting and re promoting it so we'll see
0
 
bergquistcompanyAuthor Commented:
missing suffix thanks
0
All Courses

From novice to tech pro — start learning today.