Solved

Unable to validate trust, maybe DNS related: "The local security authority is unable to obtain an RPC connection to the DC"

Posted on 2014-01-06
Last Modified: 2014-02-03
We have a new DC that we are adding to our existing child domain. It seemed to go in fine, but there are some issues: when validating the trust I get the attached error.

I do have in the event log under DNS: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

The only other error is: The DFS Namespace service could not initialize cross-forest trust information on this domain controller. However, I have other branch offices that have the same trust from child to parent and they are fine, so the trust seems fine.
(Attachment: Capture.JPG)
Question by:bergquistcompany
13 Comments


Expert Comment

by:Patricksr1972
ID: 39759416
Hi

What if you disable the firewall temporarily on this new box? (Not sure what the dynamic range for TCP/IP is on Server 2012, but it seems the culprit is there.)

Expert Comment

by:Will Szymkowski
ID: 39759432
Is this DC successfully replicating to its partners? Check Sites and Services and ensure that this DC has connections created to it.

When you are adding a DC into a child domain, a two-way transitive trust is created automatically. Make sure that you check DNS Manager and ensure that your DC in the child domain is a name server in the parent zone as well. If this trust was not created correctly upon promoting this DC, it is possible that the promotion did not complete correctly.

Check the above things first, and if there is still no luck you may have to demote and then re-promote this DC.

Will.

Author Comment

by:bergquistcompany
ID: 39759468
Firewall now off - same issue.

Sites and Services shows the other DC at the same site, but when looking at the working DC in that site, it has a connection to the new one AND another site.

It is listed as a name server in the parent zone.

Expert Comment

by:Will Szymkowski
ID: 39759490
If everything looks good from that perspective, you might want to use "netdom" and verify the trust. If the trust is broken, you may have to re-create it. See below for steps on how to do this...

Verify/Re-create Trust using Netdom or GUI - http://technet.microsoft.com/en-us/library/cc753821.aspx

Will.
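The checks suggested in the two comments above (replication partners as shown in Sites and Services, the name-server entry in the parent zone, and a netdom verification of the trust) as an added PowerShell example; this is not code from the thread. It is meant to be run in an elevated session on the new child-domain DC. The domain names are the ones the asker lists later in the thread; the DC is assumed to be the machine the script runs on.

```powershell
# Added example (not from the thread): trust, DNS and replication checks for a
# newly promoted DC in a child domain, run in an elevated PowerShell session on
# that DC. Domain names are the ones the asker lists later in the thread; the
# DC is assumed to be the machine the script runs on.
Import-Module ActiveDirectory

$ParentDomain = 'bergquistcompany.com'
$ChildDomain  = 'northamerica.bergquistcompany.com'
$NewDc        = $env:COMPUTERNAME
$NewDcFqdn    = "$NewDc.$ChildDomain".ToLower()

'== 1. Replication partners (the connection objects ADSS shows) =='
# Inbound and outbound partners for the default naming context, with the
# outcome of the last attempt. No partners at all, or a non-zero
# LastReplicationResult, is reason enough for a trust that cannot be validated.
Get-ADReplicationPartnerMetadata -Target $NewDc -PartnerType Both |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
repadmin /replsummary   # per-DC failure counts across the forest

'== 2. DNS: NS registration in the parent zone and DC location =='
# Is this DC listed as a name server for the parent zone, as the comment
# above asks? Only the NS records are kept; Resolve-DnsName also returns the
# A records from the additional section.
$nsRecords = Resolve-DnsName -Name $ParentDomain -Type NS -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' }
if ($nsRecords.NameHost -contains $NewDcFqdn) {
    "$NewDcFqdn is listed as a name server for $ParentDomain"
} else {
    "WARNING: $NewDcFqdn is NOT an NS for $ParentDomain (NS: $($nsRecords.NameHost -join ', '))"
}
# Can this box locate a DC of the parent domain at all (SRV lookup via DNS)?
nltest "/dsgetdc:$ParentDomain" /force

'== 3. Trust objects and the secure channel to the parent =='
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest |
    Format-Table -AutoSize
# Verify the parent/child trust from the child side...
netdom trust $ChildDomain "/domain:$ParentDomain" /verify
# ...and the secure channel this DC holds to a parent-domain DC. That RPC
# path is what "unable to obtain an RPC connection to the DC" refers to.
nltest "/sc_verify:$ParentDomain"
```

netdom, nltest and repadmin are built into Windows Server; Get-ADReplicationPartnerMetadata and Get-ADTrust need the Server 2012 ActiveDirectory module (or RSAT of that version). On the firewall question raised earlier in the thread: the dynamic RPC range on Windows Server 2008 and later is TCP 49152-65535, and the endpoint mapper is TCP 135, so those ports can be checked directly instead of leaving the firewall off.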

Expert Comment

by:Jeremy Weisinger
ID: 39759694
Do you get the trust error on all DCs in the child domain or just the new one?

In ADSS, for the new DC object, what replication partners show?

If the new DC is pointed to itself for DNS, you may want to change it to the other DC in the domain until the first replication has taken place.

Author Comment

by:bergquistcompany
ID: 39759737
Trust cannot be verified. Only an issue from this one DC in the child domain. Did find it can't ping the parent by name, only by FQDN. Did change it to point to the 2003 local DC in the same site for DNS for now.

Only partners are the 2003 DC in the same site. However, the 2003 DC in the same site has this and another site's DC.

Expert Comment

by:Jeremy Weisinger
ID: 39759759
"Only partners are the 2003 DC in the same site. However, the 2003 DC in the same site has this and another site's DC."

That is normal for the replication connections.

Can you verify replication between the new DC and the existing DC?
http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx

How long has the new DC been operational?

Author Comment

by:bergquistcompany
ID: 39765983
OK, turns out the server can't access the shares on the parent domain.

This is a 2012 server and when I browse the parent \\dc1\c$ it says: No network provider accepted the given network path.

However, the 2003 server sitting above it in the rack can.

Expert Comment

by:Jeremy Weisinger
ID: 39767026
Can you list the DNS suffixes configured on each server? I am thinking that the 2003 server has the parent's domain DNS suffix added, or else it wouldn't be able to ping the server by hostname.

Run a dcdiag for kicks and make sure it shows the DNS looks good on both the 2003 and the 2008 servers.

Author Comment

by:bergquistcompany
ID: 39777222
bergquistcompany.com
northamerica.bergquistcompany.com

Will run dcdiag, thanks.

Accepted Solution

by:Jeremy Weisinger (earned 500 total points)
ID: 39778416
Does the 2012 server have those suffixes too?

Author Comment

by:bergquistcompany
ID: 39789137
Yes, and I am demoting and re-promoting it, so we'll see.

Author Closing Comment

by:bergquistcompany
ID: 39831345
Missing suffix, thanks.
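The accepted answer was a DNS suffix missing on the 2012 DC. The following PowerShell script is an added example, not code from the thread, that reproduces the diagnosis on the 2012 DC: short-name versus FQDN resolution of the parent DC (the "ping by FQDN works, by name fails" symptom), the UNC path that failed, the suffix search list compared with what the 2003 DC has, and the dcdiag DNS test the expert asked for. The domain names are the two the asker listed; the parent DC name dc1 comes from the UNC path in the thread; using the netlogon share instead of C$ is my choice, since any domain account can read it.

```powershell
# Added example (not from the thread): diagnose and fix a missing DNS suffix
# on the Windows Server 2012 child-domain DC. Domain names are the ones listed
# in the thread; dc1 is the parent DC from the UNC path the asker could not
# open. Run in an elevated PowerShell session on the 2012 DC.
$ParentDomain = 'bergquistcompany.com'
$ChildDomain  = 'northamerica.bergquistcompany.com'
$ParentDc     = 'dc1'

# Short names of parent-domain hosts only resolve if the parent suffix is
# searched, so the list should hold the child domain and then the parent
# (the two suffixes the asker listed for the working 2003 DC).
$ExpectedSuffixes = @($ChildDomain, $ParentDomain)

function Test-NameResolution {
    # Compares short-name and FQDN resolution for one host. FQDN ok but short
    # name failing is the suffix problem; FQDN failing points at DNS itself.
    param([string]$ShortName, [string]$Domain)
    $short = Resolve-DnsName -Name $ShortName -Type A -ErrorAction SilentlyContinue
    $full  = Resolve-DnsName -Name "$ShortName.$Domain" -Type A -ErrorAction SilentlyContinue
    if ($full -and -not $short) { $verdict = 'suffix search list problem' }
    elseif (-not $full)         { $verdict = 'DNS zone/forwarding problem' }
    else                        { $verdict = 'ok' }
    [pscustomobject]@{
        Host    = $ShortName
        ShortOk = [bool]$short
        FqdnOk  = [bool]$full
        Verdict = $verdict
    }
}

function Get-MissingSuffixes {
    # Returns the suffix search list configured on this box and the expected
    # entries it lacks. An empty list means the resolver relies on the primary
    # suffix plus devolution only.
    param([string[]]$Expected)
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList | Where-Object { $_ })
    [pscustomobject]@{
        Current = $current
        Missing = @($Expected | Where-Object { $current -notcontains $_ })
    }
}

'== Name resolution of the parent DC =='
Test-NameResolution -ShortName $ParentDc -Domain $ParentDomain | Format-Table -AutoSize

'== UNC access ("No network provider accepted the given network path") =='
# Test-Path on a UNC path needs the name to resolve first; SMB (445) is then
# tested against the FQDN to separate name resolution from a blocked port.
"\\$ParentDc\netlogon reachable: $(Test-Path "\\$ParentDc\netlogon")"
"\\$ParentDc.$ParentDomain\netlogon reachable: $(Test-Path "\\$ParentDc.$ParentDomain\netlogon")"
Test-NetConnection -ComputerName "$ParentDc.$ParentDomain" -Port 445 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

'== DNS suffix search list on this box =='
$state = Get-MissingSuffixes -Expected $ExpectedSuffixes
"Current: $($state.Current -join ', ')"
if ($state.Missing) {
    "Missing: $($state.Missing -join ', ')"
    # Local fix. A "DNS Suffix Search List" group policy overrides this
    # setting, so on a DC it is usually better to put the suffix in the GPO
    # that the 2003 DC already receives.
    Set-DnsClientGlobalSetting -SuffixSearchList ($state.Current + $state.Missing)
    ipconfig /flushdns | Out-Null
}

'== dcdiag DNS test, as asked for above =='
dcdiag /test:DNS /v
```

On the 2003 DC, which has no DnsClient module, `ipconfig /all` shows the same "DNS Suffix Search List" and can be compared by eye with the output above. Re-run Test-NameResolution after the change: the short name should now resolve and the verdict should read "ok" before re-testing the trust.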