Solved

Unble to validate trust maybe DNS related "The local security authority is unable to obtain an RPC conneciton to the DC"

Posted on 2014-01-06
13
2,536 Views
Last Modified: 2014-02-03
We have a new DC that we are adding to our existing child domain.  It seemed to go in fine but there are some issues with when validating trust I get the attached error.

I do have in event log under DNS: The DNS server has encountered a critical error from the Active Directory.  Check that the Active Directory is functioning properly.  The extended error  debug information (which may be empty) is "". The event data contains the error.

The only other error is: The DFS Namespace service could not initialize cross forest trust information on this domain controller.  However I have other branch offices that have the same trust from child to parent and they are fine so trust seems fine.
Capture.JPG
0
Comment
Question by:bergquistcompany
  • 6
  • 4
  • 2
  • +1
13 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39759416
Hi

What if you disable the firewall temporarely on this new box? (not sure what the dynamic range for TCP/IP is for Server2012 but is seems the culprit is there).
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39759432
Is this DC successfully replicating to its partners? Check Sites and Services and ensure that this DC has connections created to it.

When you are adding a DC in to a child domain a 2 way transitive trust is created automatically. Make sure that you check DNS Manger and ensure that your DC in the child domain is a Name server in the parent zone as well. If this trust was not create correctly upon promoting this DC it is possible that the promotion did not complete correctly.

Check the above things first, and it still no luck you may have to demote then re-promote this DC again.

Will.
0
 

Author Comment

by:bergquistcompany
ID: 39759468
firewall now off - same issue

Sites and Services shows other DC at same site but when looking at the working DC in that site it has a connection to the new one AND another site.

It is listed as a name server in the parent zone.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39759490
If everything looks good from that perspective you might want to use "netdom" and verify the trust. If the trust is broken you may have to re-create it. See below for steps on how to do this...

Verify/Re-create Trust using Netdom or GUI - http://technet.microsoft.com/en-us/library/cc753821.aspx

Will.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759694
Do you get the trust error on all DC's in the child domain or just the new one?

In ADSS, for the new DC object, what replication partners show?

If the new DC is pointed to itself for DNS, you may want to change it to the other DC in the domain until the first replication has taken place.
0
 

Author Comment

by:bergquistcompany
ID: 39759737
trust cannot be verified.  Only issue from this one DC in child domain.  Did find can't ping parent by name only be FQDN.  Did change to point to 2003 local DC in same site for DNS for now.  

Only partners are 2003 DC in same site.  However 2003 DC in same site has this and another site DC
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39759759
Only partners are 2003 DC in same site.  However 2003 DC in same site has this and another site DC

That is normal for the replication connections.

Can you verify replication between the new DC and existing DC?
http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx

How long has the new DC been operational?
0
 

Author Comment

by:bergquistcompany
ID: 39765983
ok turns out server can't access the shares on the parent domain

This is a 2012 server and when I browse the parent \\dc1\c$ it gives it says: No network provider accepted the given network path.

However the 2003 server sitting above it in the rack can.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39767026
Can you list the DNS suffixes configured on each server? I am thinking that the 2003 server has the parent's domain DNS suffix added or else it wouldn't be able to ping the server by hostname.

Run a dcdiag for kicks and make sure it's showing the DNS looks good on both the 2003 and the 2008 servers.
0
 

Author Comment

by:bergquistcompany
ID: 39777222
bergquistcompany.com
northamerica.bergquistcompany.com

will run dcdiag thanks
0
 
LVL 18

Accepted Solution

by:
Jeremy Weisinger earned 500 total points
ID: 39778416
Does the 2012 server have those suffixes too?
0
 

Author Comment

by:bergquistcompany
ID: 39789137
yes and I am demoting and re promoting it so we'll see
0
 

Author Closing Comment

by:bergquistcompany
ID: 39831345
missing suffix thanks
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

709 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now