Solved

RDS Server cannot access DCs of a trusted Domain

Posted on 2014-09-17
10
357 Views
Last Modified: 2014-09-23
We are currently undergoing a domain migration from a server 2008 forest to a new 2012 forest. There is only one domain in each forest.
Between these two domains there exists a bidirectional trust, which i already verified and seems to be working fine. There are also trust to other Forests in both domains.
FFR i will call the old domain "D1" and the new domain "D2".

In D2 we have a RDS Server running 2008R2, which was migrated from D1. I added the builtin group "Domain Users" of D1 to the local "Remotedesktop Users" group and also the same group of another trusted domain. All of this worked perfectly fine untill monday. Ever since then users of D1 can no longer authenticate to the RDS Server.

When i checked the local RDS Users group i noticed that the domain users group of D1 was missing and replaced by a unresolved SID. Attempting to add the group again results in really weird behavior. In the add users / groups dialog bnox i can select D1, enter "domain", select the domain useres group and when i klick ok i get the usual underlined display of the group name. So far so good. As soon as i hit the ok button again to save the changes to the group i get an error, that no DCs for D1 could be reached / found. But i just searched D1 for the domain users group and it worked!?

I'm really confused right now and can't seem to find the error.
0
Comment
Question by:eSourceONE
  • 6
  • 4
10 Comments
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40327651
It is bit difficult to pinpoint the exact issue. But it is related to LDAP calls.

So you have trust between the 2 forests. Do you have a fire wall between these 2 forest?  If so review the Fire wall logs for the LDAP calls.

What about the site names you have given in each forest?

Have you tried IPConfig /FlushDNS and NbtStat –R ?

Do you have RODC in each forest?
0
 

Author Comment

by:eSourceONE
ID: 40327826
There is no firewall between the forests. They are in fact on the same network.
How are the site names relevant? What do i need to look out for? We made no changes to the site configuration, it just stopped working somewhere from friday to monday.

There are no DNS related issues. I can resolve the DCs perfectly fine from the affected machine and also other servers in D1

We do not have RODCs in any of the domains
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40327988
ok.

have  you cross checked the trust between the 2 domains? are you able to  validate the incoming trust.? please check it out and post the results.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:eSourceONE
ID: 40328000
I already did that. The trust is totally fine in both directions. The RDS Server is the only machine affected. Everything else works fine. Trusts to other Domains also work fine.
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40328011
forgot to mention this too;

Your RDS Server running 2008R2, can you check to which domain it is getting authenticated.
0
 

Author Comment

by:eSourceONE
ID: 40328041
The computeraccount is in D2 the users are able to authenticate from any domain except D1. Is that what you wanted to know?

I just did a little more testing and everything just SEEMED to work fine. WIndows Authentication with D1 Users on D2 machines is broken in generall.
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40328684
Did you check your DNS in both domains? All the zones are updated? Does your RD server has all records in DNS?

Did you try dis join and re join the RD server?
0
 

Author Comment

by:eSourceONE
ID: 40330384
Did that today and it sadly didn't help. Same error as before
0
 

Accepted Solution

by:
eSourceONE earned 0 total points
ID: 40330655
I just recreated the domain trust and now it seems to work again.
Whatever happend i can't explain but now everything works again.

Ty for the support.
0
 

Author Closing Comment

by:eSourceONE
ID: 40338607
Did my own troubleshooting parallel to asking on experts exchange
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question