Not able to establish trust with another window 2003 domain

Hi All,

I have a problem establish a trust with one of my domain. I have an existing
windows 2003 domain call Source and I am planning for a migration. I setup a
test Target domain,windows 2003 as well, call Target, to test the migration.

I try to create/establish trust between this 2 domain but fail with the
following error :""The Local Secutiry Authority is unable to obtain an RPC
connection to the domain controller w2k3.source.local. Please check the name
can be resolve and the server is available."

I had check the name resolution and its working. I had created conditional
forwarding but still fail. Also, I had edit the lmhost file on both Domain
PDC but its still fail. RPC server services on both domain is started.

I had perform the NLTEST and NSLOOKUP and comeback with a positive result.
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
nltest /dsgetdc:domain-name.com
But I still not able to resolve this issue.

I had tried to create a secondary zone on each DNS on each domain but still
fail to establish the trust. Which mean, on Source DNS, I created the
secondary zone of Target domain, and on Target domain DNS, I created a
secondary zone of Source domain.

Can anyone tell me what's wrong with my environment? Or something that I can
do to resolve this issue?

Thank you

Eng

 

If you haven't already, I would set up a secondary of each others dns
servers. Do you have any firewalls set up between the two forests?

Check out my articles on AD ports needed for communications at:
http://www.pbbergs.com
Select articles

 

Hi
Download port query and test the availabel ports for domain and trust
http://support.microsoft.com/kb/310099

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

 

Hi Guys,

Thank you for the information. I had tried the suggestions by you all guys
but no luck. All the result using the Port Query tools with the result on all
port is "listening" and "exit with return code 0x00000000. I assume all the
port is opened and working.

Also, i install a new server on each domain and try to create a DNS zone for
each of the domain. Then i try to establish the trust but still fail. I try
to create a secondary zone on the newly created DNS server and try to
establish the trust again but its still fail. I also try to create a Stub
zone for both domain and establish the trust again and still fail.
Conditional forwarding also try on both Domain DNS and trust still fail.

I had check with the network guy and all the port had been open up on the
firewall.

Is there anyway that I can try to do beside all these?

Thank you very much for the suggestions. Hope to hear more you all guys.

Thank you
Eng

 

Ok...
What type of trust are trying to stablish?

Use conditional forwarding and make sure that both ends can resolve
eachother, which means that you must configure in both ends the conditional
forwarding, then perform the test in both ends:what results?

When trying to stablish the trusts use both PDCe for both domains. The PDCe
on both sides of the trust need to be able to resolve one another.
also take another close look at
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

If none of this work check

Remember generally broadcast traffic isn't allowed between routers (unless
you have relay agents, some switching/routers tha allow this,etc).
The MTU can be an Issue Test your MTU from the problem server by pinging the
gateway of your router:
ping -f <router gateway IP> -l 1472

You will get one of three responses;
the ping will return, "Packet needs to be fragmented but DF set." or it will
timeout.
If the ping timeout, that means a downstream router has a mismatched MTU,
and is the probable reason for your connectivity issue. Incrementally reduce
the 1472 until the ping returns.
If you get the packet needs to be fragmented but DF set, at a low number of
less than 1400, see if you can increase the MTU without a timeout. Ideally
you would really like a number as close to 1500 as you can get.Carefull MTU
to a much too low of a number and it would affect your network performance.
Check the MTU max size on your router.
Also check:
Installing security update MS05-019 or Windows Server 2003 Service Pack 1
may cause network connectivity between clients and servers to fail
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

I also though about UDP fragmentation, do you see any kerberos errors on
your event viewer?

By default, Kerberos authentication uses User Datagram Protocol (UDP) to
transmit its data,UDP provides no guarantee that a packet sent along the
network will reach its destination intact. Thus, in environments with a high
amount of network congestion it is common for packets to get lost or
fragmented on the way to their destination, because the only way to decrease
the likelihood of UDP fragmentation occurring is to reduce network traffic,
a usually impractical solution, it is almost always better to configure the
Kerberos authentication service to use TCP instead of UDP. TCP provides a
guarantee that a packet that is sent will reach its destination intact and
can therefore be used in any network environment. In order to force Kerberos
authentication to use TCP, see
http://support.microsoft.com/kb/244474

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

 

Hi Jorge,

Thank you for your reply.

The trust that I try to create is external trust.

I had try to create conditional forwarding and perform the test at both end
usingThe result at below:
C:\Documents and Settings\Administrator>nslookup -type=srv
_ldap._tcp.pdc._msdcs.target.local
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
_ldap._tcp.pdc._msdcs.target.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ky-target.target.local

ky-target.target.local internet address = 10.30.101.228

:\Documents and Settings\Administrator>nslookup -type=srv
_ldap._tcp.dc._msdcs.target.local
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
_ldap._tcp.dc._msdcs.target.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ky-target.target.local

ky-target.target.local internet address = 10.30.101.228

Also, I had check the event viewer but there is no Keberos related error. I
had apply the patch 913446 but still no luck.

I try to ping the gateway using ping -f <gateway ip> -l 1742 and it reply
with the "Packet needs to be fragmented but DF set." Is this the correct
result? I had read through your explanation but i still not really
understand. Can you eleborate more on this? Thanks.

Thank you
Eng

 

The error message you are recieving has to do with routing not Windows. The
size of the packets are too big for the routers and the routers are not
allowed to break them up.

http://support.microsoft.com/default.aspx/kb/159211

 

Hi guys,

My mistake. when I ping using the "ping <gateway ip address> -f -l 1472" i
got reply. Not the "Packet needs to be fragmented but DF set". But when I
ping using the "ping <gateway ip address> -f -l 1742", then I get the "Packet
needs to be fragmented but DF set" reply. I think the 1st time I run is using
the wrong packet size.

Beside, I try to use my target domain to create a trust to one of my
production domain and its work. Only when I try to use my target domain to
establish a trust to my source, its fail.

I not sure what's going wrong but I believe that is something not right with
my source domain.

Hope to hear from you all guys soon.

Thanks

Eng

 

I'm unclear as to what you have setup for dns. For now try setting up a
secondary of each others primary and see if you have any luck.

Secondary
http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html

http://support.microsoft.com/default.aspx/kb/816518/en-us

 

Hi Paul,

Thank you for your reply.

I had followed the instruction from the website that you provide but still
no luck. I still getting the same error message "The Local Security Authority
is unable to obtain an ROC connection from the domain controller
DC1.target.local. Please check that the name can be resolved and that the
server is available" .

I had verify that the RPC services is running and the name can be resolve on
each domain.

My source and target domain currently sitting on the same subnet. I don't
think this is a problem right? correct me if i am wrong.

Is there any other way that I can try/ do to resolve my issue?

Thank you

Eng

 

You could try creating an LMHosts file and see if that helps.

Go to my website and lookup trust setup on an nt4 v 2003. This should work
for 2003 v 2003, it even has a fool proof way to setup the LMHost records.

http://www.pbbergs.com
Select articles and click on NT4 -v- Active Directory Trust

 

Hi Paul,

Thank you for your reply.

The lmhost file is working but is only working for my source domain. Which
mean, my source domain able to create a trust to the target, but when I try
to create the trust from my target to my source, its fail again with the same
error.

I try to remove the lmhost file and copy from my source domain pdc and
change the name and ip and try again. But its fail too.

On my source, I try to verify the trust after i had created the trust but it
fail. (Strange, I can create the trust but I cannot verify the trust). I open
event viewer and found that the following event id is log,
Event ID: 40960
Description:The Security System detected an authentication error for the
server cifs/ky-target.TARGET.LOCAL. The failure code from authentication
protocol Kerberos was "The referenced account is currently disabled and may
not be logged on to.
(0xc0000072)".

I try to search MS website but fail to find a solution. Any idea what is
going on?

Thank you

Eng

 

The spaces in the lmhost names for the dc's and domain names is critical, be
sure that both are properly spaced, that is why I pointed to this in my
article I sent you to read.

 

Hi,

I had follow exactly the same that stated in your article but still fail.
Also, i had try to use your web tool to generate the syntax but still fail.

I try to remove the trust that created at my Source and re-create again. But
this time its fail with the same error. Really headache with this issue.

Anything else that i can try?

Thank you

Eng

 

Is the time on the two servers within 5 minutes of one another?

 

Hi,

Thank you for the reply.

No. The time of the two server is the same. No different. I had check all
the servers and all their time is the same. No delay.

Thank you

Eng

 

I don't know what else to tell you. I'm not sure the 40960 even has
anything to do with your problem.

You could use the KBB 889030 and see if there is value in it. It was
written for nt to AD but there maybe issuues in it that could help you as
well.
http://support.microsoft.com/default.aspx/kb/889030/en-us

 

Hi
The 40960 Errors Can have some different Causes: - Generally, these errors
can be safely ignored. These errors occur because the DNS server doesn't
have a Reverse Lookup Zone Configured. Although Active Directory doesn't
need Reverse Lookup Zone to function, the Windows 2003 and XP tries to make
a secure PTR registration, and because the Reverse Lookup Zone isn't
configured, the OS tries to make a secure PTR registration at the External
DNS that is Authoritative over the reverse lookup of the IP on the machine's
local interface. If it's a private address it will say cannot establish a
secured connection with the server prisoner.iana.org. Also, nslookup will
report "Can't find server name for address <IPAddressOfDNSServer>

Solution: 1-Create a Reverse Lookup Zone.

-----------

I know that I started to answer this post but unfortunately I can't see all
the thread.

Test your MTU from the problem server by pinging the gateway of your router:
ping -f <IP> - 1472



You need to start at your problem server, with a 1472 byte packet, then ping
your machine gateway (router if any) address with a 1472 byte packet, then
ping the next gateway with 1472 byte packet, etc. until you reach the other
server.

If you ping a router that returns a time out or "Packet needs to be
fragmented but DF set.", then you should reduce the packet size to that
router until the ping returns.
Then find the issue with that router as to why it is using a reduced MTU
setting and increase the router MTU.

--
I hope that the information above helps you
Good Luck


Jorge Silva
MCSA
Systems Administrator

 

Other problems related with 40960 could be - This behavior occurs when you
restart the server that was promoted to a domain controller. In this
scenario, the Windows Time service (W32Time) tries to authenticate before
Directory Services has started.
Event IDs 40960 and 40961 in the System Event Log When You Restart Windows
Server 2003 After You Run Dcpromo.exe
http://support.microsoft.com/kb/823712/en-us
Situation 2
LSASRV Event IDs 40960 and 40961 When You Promote a Server to a Domain
Controller Role
http://support.microsoft.com/kb/824217/en-us
Other Related:
You cannot access network resources after you try to log on to a Windows XP
Service Pack 2-based computer
http://support.microsoft.com/kb/885887/en-us
You cannot access resources after you install Security Bulletin MS04-011 or
Windows XP Service Pack 2
http://support.microsoft.com/kb/891559/en-us
Logon Authentication, Active Directory Replication, and Domain Joins Do Not
Complete Successfully
http://support.microsoft.com/kb/315150/en-us
--
I hope that the information above helps you
Good Luck

Jorge Silva
MCSA
Systems Administrator

 

Hi Guys,

Thank you very much for all the suggestion. But i had try all of them and
still No Luck. The same error still come up.

Appreciated for all the help given. I will see what I can do from now.

Thank you

Eng