Jeff Perry
asked on
Cannot Create Trust between Two Forests
Issue creating trust between two forests. I have set up forwarders between DCs in DomainA and DCs in DomainB. All DCs can ping each other as well as the domains. I have created reverse lookup zones on both sides for the other domain as well, with PTR records for the other side.
While in DomainB I am able to create the two way trust in that domain only.
I then move over to DomainA to create the other half of the trust but I get the following error
The New Trust Wizard cannot continue because the specified domain cannot be contacted.
Either the domain does not exist, or network or other problems are preventing connection.
All ports are opened between the networks and all firewalls are turned off. As I said, I can ping servers from both sides using FQDN as well as the domain of each side. I am stuck and getting lost in DNS, as that is where I think the issue is; I just am not sure where.
ASKER
Yes, conditional DNS forwarders are set up. I will remove the reverse lookup zones to simplify it. You can telnet from both sides on ports 389, 636 and 53. Tracert follows the same path from both sides.
OK - that is odd. I'm assuming both ADs are healthy and if we look in _msdcs there are no entries for dead DCs.
that being the case - you may have to follow this - https://blogs.technet.microsoft.com/askpfeplat/2013/05/05/how-domain-controllers-are-located-across-trusts/
ASKER
It is very odd, which is why I am here. DCDIAG shows clean on all DCs and no dead DC entries either.
Use this - just in case:
https://www.microsoft.com/en-us/download/details.aspx?id=17148
What does C:\windows\system32\config\netlogon.dns tell us - anything?
Do the DCs in both domains have a suffix configured? As per https://dirteam.com/sander/2015/11/26/from-the-field-the-case-of-the-active-directory-trust-without-dns-suffixes/
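The checks the thread walks through (conditional forwarder resolving the other forest's _msdcs locator records, the LDAP/Kerberos/DNS ports answering on the DCs those records name, and the local primary DNS suffix being set) can be run in one pass from a DC. This is an added example written for this thread, not the poster's or Microsoft's code; `$RemoteForest` is a placeholder for the other forest's DNS name and the script assumes it is run with admin rights on a Windows DC with the DnsClient and NetTCPIP modules available.

```powershell
param(
    # Placeholder: DNS name of the forest on the other side of the trust
    [string]$RemoteForest = 'domainb.example'
)

$results = @()

# 1. The New Trust Wizard locates a DC through the _msdcs SRV records of the
#    remote forest, which must resolve through the conditional forwarder.
#    PTR records play no part in this, so reverse zones are not tested.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteForest",
    "_kerberos._tcp.dc._msdcs.$RemoteForest",
    "_ldap._tcp.pdc._msdcs.$RemoteForest"
)
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) {
            $results += [pscustomobject]@{ Check = $name; Target = $r.NameTarget; Port = $r.Port; Status = 'OK' }
        }
    } catch {
        $results += [pscustomobject]@{ Check = $name; Target = '-'; Port = '-'; Status = "FAIL: $($_.Exception.Message)" }
    }
}

# 2. For every DC the SRV records name, confirm the TCP ports the trust setup
#    relies on actually answer (DNS 53, Kerberos 88, RPC endpoint mapper 135,
#    LDAP 389, SMB 445, LDAPS 636). A "pingable" host can still fail here.
$dcHosts = $results | Where-Object { $_.Status -eq 'OK' } |
           Select-Object -ExpandProperty Target -Unique
foreach ($dc in $dcHosts) {
    foreach ($port in 53, 88, 135, 389, 445, 636) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $status = if ($ok) { 'OK' } else { 'FAIL' }
        $results += [pscustomobject]@{ Check = "tcp/$port"; Target = $dc; Port = $port; Status = $status }
    }
}

# 3. A DC without a primary DNS suffix registers incomplete locator records;
#    the suffix is readable from the registry even where the System Properties
#    "Change" button is greyed out (for example when AD CS is installed).
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain'
$status = if ($suffix) { "OK ($suffix)" } else { 'FAIL: no primary DNS suffix' }
$results += [pscustomobject]@{ Check = 'LocalPrimaryDnsSuffix'; Target = $env:COMPUTERNAME; Port = '-'; Status = $status }

$results | Format-Table -AutoSize
```

Run it once from a DC in each forest pointing at the other; any FAIL row in step 1 means the forwarder or the remote zone is the problem, while failures only in step 2 point at the path between the DCs.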
ASKER
I have run portqry and all ports are allowed. Nothing unusual in the netlogon.dns. I checked the suffix and it is configured on the secondary DC in DomainB. The other two DCs have CA installed, so I am not able to check their status.
Sorry - I don't understand why having cert services installed would stop you from checking their status?
ASKER
On the servers running CA the Change option is greyed out, because the identification of the computer cannot be changed while CA is installed. Since I am not able to get to the Change button, I cannot view the More options.
OK - now I get you. This could still be verified via C:\windows\system32\config\netlogon.dns
I don't have any more ideas sorry.
If it was me, I'd be trawling the event logs. My gut feel is that it's naming (DNS) related, but without being able to look at it I don't think I can offer assistance, sorry.
ASKER
This caused me to do a deep dive into the DNS, in which I have actually discovered a number of issues that need to be cleaned up. Since I inherited this network I am discovering new issues all the time. I will clean up these DNS issues and see if that corrects the problem.
When you say forwarders, I assume you mean conditional DNS forwarders?
If you do a tracert from each side, does the traffic take the same path?
Can you telnet to 389 from one side to the other?
Reverse lookup zones are not needed for a trust to be established.