Adding an Active Directory trust


I'm trying to create a two-way domain trust between two AD domains.  The two networks are linked via VPN.  The firewall is open.
Each domain has two DCs.  One has 2008 R2 + 2016 with domain and forest functional level at 2008 R2.
The other has 2x 2016 with domain and forest functional level also at 2008 R2.

I have added the DNS domains in reciprocal DNS, first as a secondary domain, then as a conditional forwarding domain.  I added both forward and reverse lookup.  nslookup queries are answered fine.  nslookup -q=ns domain2.local produces the expected results.

When I try to add the trust, the message says that the domain could not be found.  This happens on the command line and in the wizard, on both ends, the same way.  There are no relevant events in the event log.

One of the two domains (the one with the 2008 R2 + 2016 DCs) already has a trust to another domain in place.  I added that trust back in 2016 and it was a very simple process that succeeded on the first try.

What am I missing?

Ralph Scharping (Digital Therapist) asked:

Ibrahim Benna (Technology Lead) commented:
Are you trying to add a 2-way trust relationship? If not, which domain is the trusting one and which is the trusted one? Remember you need to configure the trust on the trusting domain first.

Are you able to ping the domain controllers in both directions?
Ralph Scharping (Digital Therapist), Author, commented:
Hi Ibrahim,

thanks for your reply.  I am not sure I understand the difference.  The domains should be able to access each other.  Adding the trust does not work either way.
Yes, the DCs are able to ping each other, both by name and by address.
I have added the DNS domains in reciprocal DNS, first as a secondary domain, then as a conditional forwarding domain.  I added both forward and reverse lookup.

What do you mean by secondary domain?

All you need is *only* a conditional forwarder between both domains, pointing to each other.
Ex: and should have a conditional forwarder pointing to with the DNS servers' IP addresses.
Similarly, should have a conditional forwarder pointing to with the DNS servers' IP addresses.

As long as the SRV query to the opposite domain resolves, you can resolve DNS and you can build the trust.

On each domain's DNS server, type:

You should get an answer.
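The conditional-forwarder setup and the SRV lookup described in the comment above, written out in PowerShell as an added example (this is not code from the thread). It is meant to run on a domain controller of one domain that also runs DNS; domain1.local, domain2.local and the 10.0.2.x addresses are placeholders, and the record names under _msdcs are the standard ones the trust wizard and the domain locator query.

```powershell
# Added example, not from the original thread. Run on a DNS-hosting DC of the
# local domain. Domain names and addresses below are placeholders.
$remoteDomain = 'domain2.local'
$remoteDns    = @('10.0.2.10', '10.0.2.11')   # DNS servers (DCs) of the remote domain

# 1. Only a conditional forwarder, no secondary zone: drop a stale secondary
#    copy of the remote zone if one still exists, then add the forwarder.
$zone = Get-DnsServerZone -Name $remoteDomain -ErrorAction SilentlyContinue
if ($zone -and $zone.ZoneType -eq 'Secondary') {
    Remove-DnsServerZone -Name $remoteDomain -Force
    $zone = $null
}
if (-not $zone) {
    Add-DnsServerConditionalForwarderZone -Name $remoteDomain `
        -MasterServers $remoteDns -ReplicationScope 'Forest'
}
Clear-DnsServerCache -Force

# 2. Verify what the trust wizard needs: the remote domain's NS records and the
#    _ldap/_kerberos SRV records under _msdcs (the equivalent of "set type=all"
#    followed by _ldap._tcp.dc._msdcs.<domain> at the nslookup prompt).
$checks = @(
    @{ Name = $remoteDomain;                            Type = 'NS'  },
    @{ Name = "_ldap._tcp.dc._msdcs.$remoteDomain";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$remoteDomain"; Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$remoteDomain";    Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $answers = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $c.Type }
        foreach ($a in $answers) {
            # SRV answers carry NameTarget, NS answers carry NameHost
            $target = if ($a.NameTarget) { $a.NameTarget } else { $a.NameHost }
            '{0,-45} {1,-4} {2}' -f $c.Name, $c.Type, $target
        }
    } catch {
        'FAILED {0} ({1}): {2}' -f $c.Name, $c.Type, $_.Exception.Message
    }
}
```

Run the same script on a DC of the other domain with the names swapped; each SRV query should list every DC of the opposite domain once. A duplicate or missing DC in the SRV answer points at a stale registration in the remote zone rather than at the forwarder.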

Ralph Scharping (Digital Therapist), Author, commented:
Hi Mahesh,

thanks for your reply.
By secondary domain I mean that I first tried to add the domain as a secondary domain in the DNS of
After that did not work, I removed the secondary domain and added the conditional forwarding as you described.

nslookup reply looks like this:



That is all - no other information is given.
Remove all secondary domains and just use conditional forwarders, and then try the nslookup query from cmd:

nslookup <enter> <Enter>

If you get a proper response to the SRV lookup, your name resolution is working and then you can build the trust.
Ralph Scharping (Digital Therapist), Author, commented:
I HAVE already removed all secondary domains.  Even before adding conditional forwarders I had removed them.  And I rebooted all servers.  And I refreshed all zones and emptied all caches.

What is the proper response that I should be receiving? Is the response I posted not proper?  I get the same thing when I ask this question within my domain...
I believe you missed the step "set type=all" at the nslookup prompt.
Ralph Scharping (Digital Therapist), Author, commented:
It does match.  The only thing I notice: it lists three DCs like this:

  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   =
  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   =
  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   =
          internet address =
          internet address =
          internet address =

Notice how it lists the second DC twice.  But other than that, names and IPs are correct.
Are you still not able to build the trust?

What error are you getting?

Ensure that any-any ports are allowed bi-directionally between both the source and target DCs.
Ralph Scharping (Digital Therapist), Author, commented:
All ports are allowed bi-directionally.
I have not yet changed anything, only looked at the result of the new nslookup query that I had not previously seen.

No, I still cannot build the trust.
The wizard starts by asking for my domain, then it takes about 30 sec.
On the next page I have two options: add a trust to a Kerberos V5 scope that is not an AD domain, or add a trust to an AD domain.
This is already odd - it should not be asking this.
I choose Windows domain, of course.  It asks me for the domain name again.
On the next page it says that the domain could not be found.

It has been behaving like this since the very beginning.
Can you check the domain controller NIC advanced DNS config and post it here?

Did you set any DNS search suffix list in a domain-level policy which excludes your own domain?

Download the PortQueryUI tool from MS and try the domains and trusts test against the opposite domain controllers and post the results here; check in the output whether all AD ports are open.
Ralph Scharping (Digital Therapist), Author, commented:
The server is running German-language Windows - I might not accurately transcribe all terms.

The list of DNS suffixes is empty.  "Append primary DNS suffix of the connection" is active.  "Append parent suffixes of the primary DNS suffix" is active.  The field for the DNS suffix for this connection is empty.
"Register this connection's addresses in DNS" is active.
"Use this connection's DNS suffix in DNS registration" is inactive.

While you read this, I will deactivate windows firewall on both ends and retry.  I'd be really embarrassed if that's the problem...
Ralph Scharping (Digital Therapist), Author, commented:
No change with the Windows firewall deactivated.
Above, under DNS addresses, there should be only internal DNS servers (primary and secondary); there should not be any public DNS entry.

The rest of the settings also need to be the same.

Also, have you tried the PortQueryUI tool?
Ralph Scharping (Digital Therapist), Author, commented:
The screenshot looks identical.

Yes, I have tried PortQry.  These ports are returned as listening:
135 TCP
53 TCP + UDP
445 TCP
139 TCP

These ports are returned as filtered:
389 UDP + TCP
363 TCP
3268 TCP
3269 TCP
88 TCP + UDP
137 UDP
138 UDP
42 TCP

Most of these ports I have never heard of, but the relevant ports seem to be open.  I'm not so sure about the LDAP port 389 - I guess that one should be open.  My VPN firewall has all ports open, the Windows firewall is disabled on both ends, and Sophos Endpoint Protection is disabled on both ends.
Refer to the ports below; they need to be open bi-directionally between the source and target PDC master for the trust to work, and you should configure the trust from the PDC servers only. If you tried from other servers, it first tries to contact the PDC anyway.

TCP and UDP 389, 445, 53, 88, 464
TCP 636, 139, 3268, 3269, 49152-65535
UDP 137, 138, 123, 49152-65535
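A pre-flight check for the port list above, followed by the trust creation itself, as an added example (not the thread's own code). It runs on the local domain's PDC emulator, locates the remote PDC emulator through the _ldap._tcp.pdc._msdcs SRV record (no trust is needed for that), tests the TCP ports from the list with Test-NetConnection, and only then calls netdom. Domain names and the account names passed to netdom are placeholders; Test-NetConnection cannot test UDP, so the UDP ports (53, 88, 389, 137, 138, 123, 464) still need PortQry.

```powershell
# Added example, not from the original thread. Run as Domain Admin on the PDC
# emulator of the local domain. domain1.local / domain2.local are placeholders.
$localDomain  = 'domain1.local'
$remoteDomain = 'domain2.local'

# Trust creation is handled by the PDC emulators of both domains, so locate them.
$localPdc  = (Get-ADDomain -Identity $localDomain).PDCEmulator
$remotePdc = (Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$remoteDomain" -Type SRV -DnsOnly |
              Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
if (-not $remotePdc) { throw "Cannot locate the PDC emulator of $remoteDomain via DNS" }
if ($env:COMPUTERNAME -ne ($localPdc -split '\.')[0]) {
    Write-Warning "Run this on $localPdc (PDC emulator of $localDomain)"; return
}

# TCP ports from the list above. Test-NetConnection is TCP-only; check the UDP
# ports separately, e.g.  portqry -n <remote PDC> -e 88 -p udp
# The dynamic RPC range 49152-65535 is not scanned port by port here.
$tcpPorts = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269
$filtered = @()
foreach ($p in $tcpPorts) {
    $ok = (Test-NetConnection -ComputerName $remotePdc -Port $p `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}/tcp  {1}' -f $p, $(if ($ok) { 'open' } else { 'FILTERED' })
    if (-not $ok) { $filtered += $p }
}
if ($filtered) {
    # A host-based firewall or endpoint-protection product on either DC is the
    # usual cause when the VPN firewall itself is any-any.
    Write-Warning ("TCP {0} filtered towards {1}; fix host firewalls / endpoint " +
                   "protection on both PDC emulators before retrying the trust.") `
                   -f ($filtered -join ', '), $remotePdc
    return
}

# Two-way trust from the command line; /passwordD:* and /passwordO:* prompt for
# the passwords. Account names are placeholders for a Domain Admin in each domain.
netdom trust $localDomain /d:$remoteDomain /add /twoway `
    /userD:"$remoteDomain\Administrator" /passwordD:* `
    /userO:"$localDomain\Administrator" /passwordO:*

# Confirm the secure channel and the trust object on our side.
netdom trust $localDomain /d:$remoteDomain /verify
Get-ADTrust -Identity $remoteDomain | Select-Object Name, Direction, TrustType, ForestTransitive
```

The "domain could not be found" message from the wizard is what you see when DNS resolves the domain but the LDAP/Kerberos ports to its PDC emulator are filtered, so the port loop is worth running from both PDC emulators towards each other before touching the wizard again.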

Ralph Scharping (Digital Therapist), Author, commented:
The antivirus software on one end had an integrated firewall that was acting up.  That was unexpected - and a bit embarrassing.  Thanks for your help.
Windows Server 2016