Cannot Create Trust between Two Forests

Issue creating a trust between two forests. I have set up forwarders between the DCs in DomainA and the DCs in DomainB. All DCs can ping each other as well as the domains. I have created reverse lookup zones on both sides for the other domain as well, with PTR records for the other side.

While in DomainB I am able to create the two way trust in that domain only.

I then move over to DomainA to create the other half of the trust but I get the following error

The New Trust Wizard cannot continue because the specified domain cannot be contacted.

Either the domain does not exist, or network or other problems are preventing connection.

All ports are open between the networks and all firewalls are turned off. As I said, I can ping servers from both sides using the FQDN as well as the domain of each side. I am stuck and getting lost in DNS, as that is where I think the issue is; I just am not sure where.

Jeff Perry (Enterprise IT Manager) asked:

Hayes Jupe (IT Director) commented:
Hi.

When you say forwarders, I assume you mean conditional DNS forwarders?
If you do a tracert from each side, does the traffic take the same path?
Can you telnet to 389 from one side to the other?
Reverse lookup zones are not needed for a trust to be established.
Jeff Perry (Enterprise IT Manager, author) commented:
Yes, conditional DNS forwarders are set up. I will remove the reverse lookup zones to simplify it. You can telnet from both sides on ports 389, 636 and 53. Tracert flows the same path from both sides.
Hayes Jupe (IT Director) commented:
OK - that is odd. I'm assuming both ADs are healthy and, if we look in _msdcs, there are no entries for dead DCs.

that being the case - you may have to follow this - https://blogs.technet.microsoft.com/askpfeplat/2013/05/05/how-domain-controllers-are-located-across-trusts/
Jeff Perry (Enterprise IT Manager, author) commented:
It is very odd, which is why I am here. DCDIAG shows clean on all DCs and no dead DC entries either.
Hayes Jupe (IT Director) commented:
Use this - just in case:
https://www.microsoft.com/en-us/download/details.aspx?id=17148

what does C:\windows\system32\config\netlogon.dns tell us - anything?

Do the DCs in both domains have a suffix configured - as per https://dirteam.com/sander/2015/11/26/from-the-field-the-case-of-the-active-directory-trust-without-dns-suffixes/
Jeff Perry (Enterprise IT Manager, author) commented:
I have run portqry and all ports are allowed. Nothing unusual in the netlogon.dns. I checked the suffix and it is configured on the secondary DC in DomainB. The other two DCs have CA installed, so I am not able to check their status.
Hayes Jupe (IT Director) commented:
Sorry - I don't understand why having cert services installed would stop you from checking their status?
Jeff Perry (Enterprise IT Manager, author) commented:
On the servers running CA the Change option is grayed out, because the identification of the computer cannot be changed while CA is installed. Since I am not able to get to the Change button, I cannot view the more options.
Hayes Jupe (IT Director) commented:
OK - now I get you. This could still be verified via C:\windows\system32\config\netlogon.dns

I don't have any more ideas sorry.

If it was me, I'd be trolling the event logs - my gut feel is that it's naming (DNS) related - but without being able to look at it, I don't think I can offer assistance, sorry.
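The checks Hayes suggests across this thread (conditional forwarder in place, _msdcs locator records resolvable, LDAP ports reachable, DNS suffix set even when System Properties is locked by Certificate Services, netlogon.dns contents) can be run from one script on the DC where the wizard fails. This is an added example and not code from the thread; it assumes it is run elevated on a DC in DomainA, that the DnsServer module (RSAT) is installed for the forwarder check, and that the remote forest's DNS name is supplied as -RemoteForest (the value shown is a placeholder).

```powershell
# Added example: pre-flight checks for the DNS and port prerequisites of a forest trust.
# Assumptions: run elevated on a DC in DomainA; DnsServer module present for step 2.
param(
    [Parameter(Mandatory)] [string]$RemoteForest   # e.g. domainb.example (placeholder)
)

# 1. Primary DNS suffix of this DC, read from the registry so it can be verified even
#    when System Properties > Change is greyed out (as when Certificate Services is installed).
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Write-Host "Primary DNS suffix : '$($tcpip.'NV Domain')' (should match this DC's AD domain name)"

# 2. Is the remote forest served by a conditional forwarder on this DNS server?
try {
    $zone = Get-DnsServerZone -Name $RemoteForest -ErrorAction Stop
    Write-Host "Zone $RemoteForest : type=$($zone.ZoneType) masters=$($zone.MasterServers -join ',')"
} catch {
    Write-Warning "No zone or conditional forwarder for $RemoteForest on this DNS server."
}

# 3. The trust wizard finds a DC through the _msdcs SRV records; resolve them the way the
#    DC locator does, then test the ports trust creation needs against each advertised DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $RemoteForest - the locator cannot find a DC."
}
foreach ($rec in $srv) {
    foreach ($port in 53, 88, 135, 389, 445, 636) {
        $ok = (Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0,-40} tcp/{1,-4} {2}" -f $rec.NameTarget, $port, $(if ($ok) { 'open' } else { 'CLOSED' }))
    }
}

# 4. Confirm this DC is trying to register its own locator records: netlogon.dns lists
#    every record Netlogon attempts to publish for this DC.
$netlogon = 'C:\Windows\System32\config\netlogon.dns'
$count = (Select-String -Path $netlogon -Pattern '_ldap\._tcp\.dc\._msdcs' | Measure-Object).Count
Write-Host "Local _ldap._tcp.dc._msdcs records in netlogon.dns: $count"
```

A missing conditional forwarder, an empty SRV answer, or a closed port on the named DC each map to one of the causes discussed above; an empty NV Domain value is the suffix problem from the dirteam article.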
Jeff Perry (Enterprise IT Manager, author) commented:
This caused me to do a deep dive into the DNS, in which I have actually discovered a number of issues that need to be cleaned up in DNS. Since I inherited this network, I am discovering new issues all the time. I will clean up these DNS issues and see if that corrects the problem.