Unble to validate trust maybe DNS related "The local security authority is unable to obtain an RPC conneciton to the DC"

We have a new DC that we are adding to our existing child domain.  It seemed to go in fine but there are some issues with when validating trust I get the attached error.

I do have in event log under DNS: The DNS server has encountered a critical error from the Active Directory.  Check that the Active Directory is functioning properly.  The extended error  debug information (which may be empty) is "". The event data contains the error.

The only other error is: The DFS Namespace service could not initialize cross forest trust information on this domain controller.  However I have other branch offices that have the same trust from child to parent and they are fine so trust seems fine.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Patrick BogersDatacenter platform engineer LindowsCommented:

What if you disable the firewall temporarely on this new box? (not sure what the dynamic range for TCP/IP is for Server2012 but is seems the culprit is there).
Will SzymkowskiSenior Solution ArchitectCommented:
Is this DC successfully replicating to its partners? Check Sites and Services and ensure that this DC has connections created to it.

When you are adding a DC in to a child domain a 2 way transitive trust is created automatically. Make sure that you check DNS Manger and ensure that your DC in the child domain is a Name server in the parent zone as well. If this trust was not create correctly upon promoting this DC it is possible that the promotion did not complete correctly.

Check the above things first, and it still no luck you may have to demote then re-promote this DC again.

bergquistcompanyAuthor Commented:
firewall now off - same issue

Sites and Services shows other DC at same site but when looking at the working DC in that site it has a connection to the new one AND another site.

It is listed as a name server in the parent zone.
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Will SzymkowskiSenior Solution ArchitectCommented:
If everything looks good from that perspective you might want to use "netdom" and verify the trust. If the trust is broken you may have to re-create it. See below for steps on how to do this...

Verify/Re-create Trust using Netdom or GUI - http://technet.microsoft.com/en-us/library/cc753821.aspx

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Do you get the trust error on all DC's in the child domain or just the new one?

In ADSS, for the new DC object, what replication partners show?

If the new DC is pointed to itself for DNS, you may want to change it to the other DC in the domain until the first replication has taken place.
bergquistcompanyAuthor Commented:
trust cannot be verified.  Only issue from this one DC in child domain.  Did find can't ping parent by name only be FQDN.  Did change to point to 2003 local DC in same site for DNS for now.  

Only partners are 2003 DC in same site.  However 2003 DC in same site has this and another site DC
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Only partners are 2003 DC in same site.  However 2003 DC in same site has this and another site DC

That is normal for the replication connections.

Can you verify replication between the new DC and existing DC?

How long has the new DC been operational?
bergquistcompanyAuthor Commented:
ok turns out server can't access the shares on the parent domain

This is a 2012 server and when I browse the parent \\dc1\c$ it gives it says: No network provider accepted the given network path.

However the 2003 server sitting above it in the rack can.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Can you list the DNS suffixes configured on each server? I am thinking that the 2003 server has the parent's domain DNS suffix added or else it wouldn't be able to ping the server by hostname.

Run a dcdiag for kicks and make sure it's showing the DNS looks good on both the 2003 and the 2008 servers.
bergquistcompanyAuthor Commented:

will run dcdiag thanks
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Does the 2012 server have those suffixes too?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bergquistcompanyAuthor Commented:
yes and I am demoting and re promoting it so we'll see
bergquistcompanyAuthor Commented:
missing suffix thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.