Error with domain trusts - 2003 to 2003

 
 
Andrew Story
      04-01-2010
Morning all,

I've been struggling to establish domain trust between 2 Windows 2003 domain
controllers:

Domain A
Domain Functional Level Windows 2003 Native
Forest Functional Level Windows 2000

Domain B
Domain Functional Level Windows 2000 Native
Forest Functional Level Windows 2000

I've set up a DNS zone on each of the domains' DCs as a secondary from its
opposite and zone transfers are working. I've also created a HOSTS file
entry for both domains' DCs on their opposites. When I validate the trusts I
get this message:

Domain B validating Domain A:
Works perfect and advises it's successful

Domain A validating Domain B:
The outgoing trust was successfully validated.

The secure channel (SC) reset on domain controller \\DC.domainname.com of
domain domainB.com to domain domainA.com failed with error: There are
currently no logon servers available to service the logon request.
It then goes on to ask if I would like to reset the trust password as this
might help. (the domain controller it refers to above is not the domain
controller which I'm setting the trust up from the other end in Domain B,
can this be hard-set?)

Any help, as always, much appreciated.


 
Paul Bergson [MVP-DS]
      04-01-2010
This sounds like there is an issue with high ports and RPC being blocked.
Do you have a firewall between the two?

Couple of things to do...
1) Verify that you have your High ports open between the two dc's -or- you
have configured the dc's to a static range
http://support.microsoft.com/kb/179442/en-us

2) Run PortQryUI with the AD test. This is a free tool from Microsoft and
should validate the proper ports are open between the two domains.
http://support.microsoft.com/kb/832919/ <-- This is a link to PortQry,
which is a backend for PortQryUI
http://www.microsoft.com/downloads/d...displaylang=en

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
 
Andrew Story
      04-01-2010
======== End of LDAP query response ========

UDP port 3268 (unknown service): NOT LISTENING
TCP port 3269 (msft-gc-ssl service): LISTENING
UDP port 3269 (unknown service): NOT LISTENING
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED

Log file c:\temp\port.log successfully created in current directory

Got this which is a bit shorter Paul.




"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:...
> Thanks Paul,
>
> There's no firewall between the servers, although they are over an MPLS
> WAN link
>
> I've run the portqryUI selecting domains and trusts, it's output a huge
> amount, not exactly sure what I'm looking for Paul, I've attached here if
> it helps? Is there a way to truncate it? (appreciate the assistance)
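The PortQry log quoted above is long, and most of it is noise for this question. The following is an added example, not part of the original thread: it reduces a PortQry log to its port status lines and sorts them into ok / expected / inconclusive / problem. The first ten sample lines are the ones posted above; the last two are constructed to show a failing case, and the treatment of UDP 3268/3269 as expected is an assumption based on the global catalog being a TCP service.

```python
import re
from collections import Counter, namedtuple

# One PortQry status line, in the form quoted in this thread, e.g.
#   UDP port 88 (kerberos service): LISTENING or FILTERED
STATUS_RE = re.compile(
    r"^(?P<proto>TCP|UDP) port (?P<port>\d+) \((?P<service>.+?) service\): "
    r"(?P<status>LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)$"
)

PortResult = namedtuple("PortResult", "proto port service status verdict")

# Assumption: the global catalog (3268/3269) is served over TCP only, so a UDP
# "NOT LISTENING" on those ports is expected rather than a fault.
GC_TCP_ONLY = {3268, 3269}


def classify(proto, port, status):
    """Map a PortQry status to ok / expected / inconclusive / problem."""
    if status == "LISTENING":
        return "ok"
    if status == "LISTENING or FILTERED":
        # The UDP probe got no answer: PortQry cannot tell open from dropped.
        return "inconclusive"
    if status == "NOT LISTENING" and proto == "UDP" and port in GC_TCP_ONLY:
        return "expected"
    return "problem"  # TCP NOT LISTENING, or FILTERED on either protocol


def triage(log_text):
    """Return a PortResult for every status line; other log lines are skipped."""
    results = []
    for raw in log_text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if m is None:
            continue
        port = int(m.group("port"))
        verdict = classify(m.group("proto"), port, m.group("status"))
        results.append(PortResult(m.group("proto"), port, m.group("service"),
                                  m.group("status"), verdict))
    return results


def counts(results):
    """Number of status lines per verdict."""
    return dict(Counter(r.verdict for r in results))


def needs_attention(results):
    """Lines worth reading: hard failures first, then inconclusive UDP probes."""
    flagged = [r for r in results if r.verdict in ("problem", "inconclusive")]
    return sorted(flagged, key=lambda r: r.verdict != "problem")


# Lines 2-11 are the output posted in this thread; the last two are constructed.
SAMPLE_LOG = """\
======== End of LDAP query response ========
UDP port 3268 (unknown service): NOT LISTENING
TCP port 3269 (msft-gc-ssl service): LISTENING
UDP port 3269 (unknown service): NOT LISTENING
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 135 (epmap service): FILTERED
TCP port 389 (ldap service): NOT LISTENING
"""

if __name__ == "__main__":
    parsed = triage(SAMPLE_LOG)
    print(counts(parsed))
    for r in needs_attention(parsed):
        print(f"{r.verdict:12} {r.proto} {r.port:<5} {r.service}: {r.status}")
```

A clean result here only describes the one DC that PortQry was pointed at.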
 
Andrei Ungureanu
      04-01-2010
Is your network fully routed? Can you access all the DCs from both
locations? I'm thinking it's trying to contact a DC that's not available
from the remote location.

Andrei Ungureanu
www.winadmins.net

 
Paul Bergson [MVP-DS]
      04-01-2010
The qry looks fine as does the log. Let's take a look at both domains, do
the following on both.


Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds your_dc_name > c:\sysvol.log
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs
in the forest. If you have significant numbers of DCs this test could
generate significant detail and take a long time. You also want to take into
account that slow links to DCs will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete, search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045




 
Andrei Ungureanu
      04-01-2010
Paul & Andrew, even if portquery runs, that query is directed to a specific
IP (DC). Portquery doesn't know to look up in the DNS for specific DCs or
FSMO roles.

You'll need to make sure that you can contact the PDC in both domains as
this DC is responsible for handling the trust password.

Andrei Ungureanu
www.winadmins.net

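The reply above says the ports have to be reachable on the PDC of each domain, not just on whichever DC was typed into PortQry. The following is an added example, not part of the original thread: it takes the PDC emulator's host name from the `_ldap._tcp.pdc._msdcs.<domain>` SRV record that Active Directory registers, then probes TCP ports on that host. The sample nslookup output, the host names and addresses, and the port list are constructed assumptions.

```python
import re
import socket
import sys

# Assumption: TCP ports probed on the PDC emulator. 88 and 445 appear in the
# thread's PortQry output; 135 (RPC endpoint mapper) and 389 (LDAP) are
# standard AD ports. An open 135 does not show that the dynamic RPC high
# ports mentioned earlier in the thread are reachable.
PDC_TCP_PORTS = (88, 135, 389, 445)


def pdc_srv_record(dns_domain):
    """DNS name of the SRV record that only the PDC emulator registers."""
    return "_ldap._tcp.pdc._msdcs." + dns_domain.strip(".").lower()


def parse_nslookup_srv(output):
    """Extract (hostname, port) pairs from Windows `nslookup -type=SRV` output."""
    targets, port = [], None
    for line in output.splitlines():
        m = re.match(r"\s*port\s*=\s*(\d+)\s*$", line)
        if m:
            port = int(m.group(1))
            continue
        m = re.match(r"\s*svr hostname\s*=\s*(\S+)\s*$", line)
        if m:
            targets.append((m.group(1).rstrip(".").lower(), port))
            port = None
    return targets


def probe_tcp(host, ports=PDC_TCP_PORTS, timeout=3.0,
              connect=socket.create_connection):
    """Return {port: True/False} for a plain TCP connect to each port on host."""
    status = {}
    for port in ports:
        try:
            conn = connect((host, port), timeout)
        except OSError:  # refused, timed out, no route, or name not resolved
            status[port] = False
        else:
            conn.close()
            status[port] = True
    return status


def blocked_ports(status):
    """Ports from a probe_tcp() result that could not be reached."""
    return sorted(p for p, ok in status.items() if not ok)


# Constructed sample: what `nslookup -type=SRV _ldap._tcp.pdc._msdcs.domainb.com`
# prints on Windows, with made-up host names and documentation addresses.
SAMPLE_NSLOOKUP = """\
Server:  dc1.domaina.com
Address:  192.0.2.10

_ldap._tcp.pdc._msdcs.domainb.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domainb.com
dc2.domainb.com internet address = 192.0.2.52
"""

if __name__ == "__main__":
    print("SRV record to query:", pdc_srv_record("domainB.com"))
    print("PDC from sample output:", parse_nslookup_srv(SAMPLE_NSLOOKUP))
    # Probe a real PDC only when its name is given: python pdc_check.py <host>
    for host in sys.argv[1:]:
        result = probe_tcp(host)
        print(host, result, "blocked:", blocked_ports(result))
```

Run it from a DC in each domain against the other domain's PDC, since the failure in this thread only shows up in one direction.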
 
Paul Bergson [MVP-DS]
      04-02-2010

PortQry was for checking of port openings.

 
Andrei Ungureanu
      04-02-2010
I know that Paul, but you'll need to test that against the PDC servers, not
any DC. You may be able to connect to a remote DC and have all the
necessary ports open, but if the PDC is in another site and you have no
route to it, or blocked ports, then it might be an issue.

Sorry for interfering ...

Andrei Ungureanu
www.winadmins.net

"Paul Bergson [MVP-DS]" <> wrote in message
news:...
> PortQry was for checking of port openings.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCITP - Enterprise Administrator
> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
> 2008, Vista, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewGroups. This
> posting is provided "AS IS" with no warranties and confers no rights.
> "Andrei Ungureanu" <> wrote in message
> news:utND$...
>> Paul & Andrew, even if portquery runs, that query is directed to a
>> specific IP (DC). Portquery doesn't know to lookup in the DNS for
>> specific DCs or FSMO roles.
>>
>> You'll need to make sure that you can contact the PDC in both domains as
>> this DC is responsible for handling the trust password.
>>
>> Andrei Ungureanu
>> www.winadmins.net
>>
>> "Paul Bergson [MVP-DS]" <> wrote in message
>> news:...
>>> The qry looks fine as does the log. Lets take a look at both domains,
>>> do the following on both.
>>>
>>>
>>> Run diagnostics against your Active Directory domain.
>>>
>>> If you don't have the support tools installed, install them from your
>>> server install disk.
>>> d:\support\tools\setup.exe
>>>
>>> Run dcdiag, netdiag and repadmin in verbose mode.
>>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>>> -> dnslint /ad /s "ip address of your dc"
>>>
>>> **Note: Using the /E switch in dcdiag will run diagnostics against ALL
>>> dc's in the forest. If you have significant numbers of DC's this test
>>> could generate significant detail and take a long time. You also want to
>>> take into account slow links to dc's will also add to the testing time.
>>>
>>> If you download a gui script I wrote it should be simple to set and run
>>> (DCDiag and NetDiag). It also has the option to run individual tests
>>> without having to learn all the switch options. The details will be
>>> output in notepad text files that pop up automagically.
>>>
>>> The script is located on my website at
>>> http://www.pbbergs.com/windows/downloads.htm
>>>
>>> Just select both dcdiag and netdiag make sure verbose is set. (Leave the
>>> default settings for dcdiag as set when selected)
>>>
>>> When complete search for fail, error and warning messages.
>>>
>>> Description and download for dnslint
>>> http://support.microsoft.com/kb/321045
>>>
>>>
>>>
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCITP - Enterprise Administrator
>>> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
>>> 2008, Vista, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewGroups.
>>> This
>>> posting is provided "AS IS" with no warranties and confers no rights.
 
Paul Bergson [MVP-DS]
      04-05-2010

Good point, don't feel like you are interfering.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Andrei Ungureanu" <> wrote in message
news:...
> I know that Paul, but you'll need to test that against the PDC servers, not
> any DC. You may be able to connect to a remote DC and have all the
> necessary ports open, but if the PDC is in another site and you have no
> route to it, or blocked ports, then it might be an issue.
>
> Sorry for interfering ...
>
> Andrei Ungureanu
> www.winadmins.net
 
Andrew Story
      04-06-2010
Thanks for the reply guys.

The PDCe role holders in both domains can see each other and are on an MPLS
network (fully routed). We have some IPSec sites as well with DC's and these
sites aren't fully routed.

Am going to run all the tests below you suggest Paul and will post the
results shortly.

Thanks again guys, Andy


"Paul Bergson [MVP-DS]" <> wrote in message
news:...
> Good point, don't feel like you are interfering.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCITP - Enterprise Administrator
> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
> 2008, Vista, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroups. This
> posting is provided "AS IS" with no warranties and confers no rights.
>
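The triage step suggested in the thread (run dcdiag verbose, then search the log for fail, error and warning messages) can be scripted so a large log shrinks to the tests that matter, including the FsmoCheck test that reports whether the PDC can be located. This is an added example, not part of any post in the thread; the sample log is constructed in the layout dcdiag /v prints, and the function name and server/domain names are assumptions.

```python
import re

# Constructed sample in the layout dcdiag /v prints (names are placeholders);
# it is not output from the thread.
SAMPLE_DCDIAG = r"""
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... DC1 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            The failure occurred at 2010-04-06 09:12:44.
         ......................... DC1 failed test Replications
      Starting test: frssysvol
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... DC1 passed test frssysvol
   Running enterprise tests on : domainB.com
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         ......................... domainB.com failed test FsmoCheck
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test (\S+)")
FLAG = re.compile(r"\b(fail\w*|error|warning)\b", re.IGNORECASE)


def triage(log_text):
    """Return one finding per test block that failed or logged a flagged line.

    Failed tests keep their whole body for context; tests that passed are
    reported only with the lines that mention fail/error/warning.
    """
    findings = []
    test, body = None, []
    for raw in log_text.splitlines():
        start = START.match(raw)
        if start:
            test, body = start.group(1), []
            continue
        end = RESULT.match(raw)
        if end and test:
            target, result, name = end.groups()
            flagged = [line for line in body if FLAG.search(line)]
            if result == "failed":
                findings.append({"target": target, "test": name,
                                 "result": result, "lines": body})
            elif flagged:
                findings.append({"target": target, "test": name,
                                 "result": result, "lines": flagged})
            test, body = None, []
            continue
        if test and raw.strip():
            body.append(raw.strip())
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DCDIAG):
        print(f"{f['target']}: {f['test']} {f['result']}")
        for line in f["lines"]:
            print(f"    {line}")
```

To use it on a real log, pass the text of c:\dcdiag.log to triage(); a failed FsmoCheck on either side points at the PDC reachability problem raised in the thread.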



 