Not able to establish trust with another window 2003 domain

Discussion in 'Active Directory' started by Eng, Oct 19, 2006.

  1. Eng

    Eng Guest

    Hi All,

    I have a problem establishing a trust with one of my domains. I have an existing
    Windows 2003 domain called Source and I am planning for a migration. I set up a
    test Target domain, Windows 2003 as well, called Target, to test the migration.

    I try to create/establish a trust between these 2 domains but it fails with the
    following error: "The Local Security Authority is unable to obtain an RPC
    connection to the domain controller w2k3.source.local. Please check that the name
    can be resolved and the server is available."

    I had checked the name resolution and it's working. I had created conditional
    forwarding but it still fails. Also, I had edited the lmhosts file on both domain
    PDCs but it still fails. The RPC server service on both domains is started.

    I had performed NLTEST and NSLOOKUP and they came back with a positive result.
    nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
    nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
    nltest /dsgetdc:domain-name.com
    But I am still not able to resolve this issue.

    I had tried to create a secondary zone on the DNS server in each domain but still
    failed to establish the trust. Which means, on the Source DNS, I created a
    secondary zone of the Target domain, and on the Target domain DNS, I created a
    secondary zone of the Source domain.

    Can anyone tell me what's wrong with my environment? Or something that I can
    do to resolve this issue?

    Thank you

    Eng
     
    Eng, Oct 19, 2006
    #1

  2. If you haven't already, I would set up a secondary of each other's DNS
    servers. Do you have any firewalls set up between the two forests?

    Check out my articles on AD ports needed for communications at:
    http://www.pbbergs.com
    Select articles
     
    Paul Bergson [MVP-DS], Oct 19, 2006
    #2

  3. Jorge Silva

    Jorge Silva Guest

    Hi
    Download Port Query and test the available ports for domains and trusts:
    http://support.microsoft.com/kb/310099

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Oct 19, 2006
    #3
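    The check Jorge is pointing at (KB 310099 / PortQry) can also be scripted. The block below is an added example, not something from this thread or from Microsoft: it does a plain TCP connect to each of the fixed trust ports listed in KB 179442 and reports the ones that do not answer. A TCP connect only proves the port is reachable, not that the right service is behind it, and it says nothing about the dynamic RPC port that 135 hands out, which is the part PortQry's endpoint-mapper query covers. The local listener at the bottom is a constructed stand-in for a remote DC so the script can be run offline; in real use you would point check_ports at the other domain's PDC.

```python
import socket
import threading
from typing import Dict, Iterable, List, Tuple

# TCP ports a Windows Server 2003 trust needs reachable between the domain
# controllers, from KB 179442. RPC over 135 also negotiates a dynamic high
# port, so a fixed-port check is necessary but not sufficient on its own.
TRUST_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session service",
    389: "LDAP",
    445: "SMB / CIFS",
    636: "LDAP over SSL",
    3268: "Global Catalog LDAP",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port once and return {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def unreachable_ports(results: Dict[int, bool], names: Dict[int, str]) -> List[str]:
    """Readable list of the ports that did not answer, e.g. '135 (RPC endpoint mapper)'."""
    return [f"{port} ({names.get(port, 'unknown')})"
            for port, ok in sorted(results.items()) if not ok]


# --- constructed stand-in for a remote DC so the check can run offline ---

def start_local_listener() -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener was closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_loopback_port() -> int:
    """Reserve and immediately release an ephemeral port so it is closed when probed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Real use from the other DC: check_ports("dc1.target.local", TRUST_TCP_PORTS)
    listener, open_port = start_local_listener()
    closed_port = pick_closed_loopback_port()
    results = check_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    print("unreachable:", unreachable_ports(results, {open_port: "listener", closed_port: "nothing"}))
    listener.close()
```

    Run it from each PDC against the other one; an empty "unreachable" list on both sides is the point at which a firewall stops being the leading suspect and DNS or the RPC dynamic range takes over.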
  4. Eng

    Eng Guest

    Hi Guys,

    Thank you for the information. I had tried the suggestions by you all guys
    but no luck. All the results using the Port Query tool came back with all
    ports "listening" and "exit with return code 0x00000000". I assume all the
    ports are opened and working.

    Also, I installed a new server in each domain and tried to create a DNS zone for
    each of the domains. Then I tried to establish the trust but it still failed. I tried
    to create a secondary zone on the newly created DNS server and tried to
    establish the trust again but it still failed. I also tried to create a Stub
    zone for both domains and establish the trust again and it still failed.
    Conditional forwarding was also tried on both domains' DNS and the trust still failed.

    I had checked with the network guy and all the ports had been opened up on the
    firewall.

    Is there anything that I can try to do besides all these?

    Thank you very much for the suggestions. Hope to hear more from you all guys.

    Thank you
    Eng
     
    Eng, Oct 20, 2006
    #4
  5. Jorge Silva

    Jorge Silva Guest

    Ok...
    What type of trust are you trying to establish?

    Use conditional forwarding and make sure that both ends can resolve
    each other, which means that you must configure the conditional
    forwarding on both ends, then perform the test on both ends: what results?

    When trying to establish the trusts use both PDCe for both domains. The PDCe
    on both sides of the trust need to be able to resolve one another.
    Also take another close look at
    How to configure a firewall for domains and trusts
    http://support.microsoft.com/kb/179442

    If none of this works, check:

    Remember generally broadcast traffic isn't allowed between routers (unless
    you have relay agents, some switches/routers that allow this, etc.).
    The MTU can be an issue. Test your MTU from the problem server by pinging the
    gateway of your router:
    ping -f <router gateway IP> -l 1472

    You will get one of three responses;
    the ping will return, "Packet needs to be fragmented but DF set." or it will
    time out.
    If the ping times out, that means a downstream router has a mismatched MTU,
    and is the probable reason for your connectivity issue. Incrementally reduce
    the 1472 until the ping returns.
    If you get "Packet needs to be fragmented but DF set" at a low number of
    less than 1400, see if you can increase the MTU without a timeout. Ideally
    you would really like a number as close to 1500 as you can get. Careful: set the
    MTU to much too low a number and it will affect your network performance.
    Check the MTU max size on your router.
    Also check:
    Installing security update MS05-019 or Windows Server 2003 Service Pack 1
    may cause network connectivity between clients and servers to fail
    http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

    I also thought about UDP fragmentation; do you see any Kerberos errors in
    your event viewer?

    By default, Kerberos authentication uses User Datagram Protocol (UDP) to
    transmit its data. UDP provides no guarantee that a packet sent along the
    network will reach its destination intact. Thus, in environments with a high
    amount of network congestion it is common for packets to get lost or
    fragmented on the way to their destination. Because the only way to decrease
    the likelihood of UDP fragmentation occurring is to reduce network traffic,
    a usually impractical solution, it is almost always better to configure the
    Kerberos authentication service to use TCP instead of UDP. TCP provides a
    guarantee that a packet that is sent will reach its destination intact and
    can therefore be used in any network environment. In order to force Kerberos
    authentication to use TCP, see
    http://support.microsoft.com/kb/244474

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Oct 20, 2006
    #5
  6. Eng

    Eng Guest

    Hi Jorge,

    Thank you for your reply.

    The trust that I try to create is an external trust.

    I had tried to create conditional forwarding and performed the test at both
    ends. The results are below:
    C:\Documents and Settings\Administrator>nslookup -type=srv
    _ldap._tcp.pdc._msdcs.target.local
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    _ldap._tcp.pdc._msdcs.target.local SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = ky-target.target.local

    ky-target.target.local internet address = 10.30.101.228

    C:\Documents and Settings\Administrator>nslookup -type=srv
    _ldap._tcp.dc._msdcs.target.local
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    _ldap._tcp.dc._msdcs.target.local SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = ky-target.target.local

    ky-target.target.local internet address = 10.30.101.228

    Also, I had checked the event viewer but there is no Kerberos related error. I
    had applied the patch 913446 but still no luck.

    I tried to ping the gateway using ping -f <gateway ip> -l 1742 and it replied
    with "Packet needs to be fragmented but DF set." Is this the correct
    result? I had read through your explanation but I still don't really
    understand it. Can you elaborate more on this? Thanks.

    Thank you
    Eng
     
    Eng, Oct 25, 2006
    #6
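    The nslookup output Eng pasted is the kind of thing worth checking mechanically on both PDCs rather than by eye. The block below is an added example, not code from this thread: it parses that SRV answer format into records, then applies the checks a trust actually depends on (a target host was returned, it lies inside the domain being queried, the LDAP port is 389, and an A record for the target came back in the same answer). The embedded sample is copied from the post above; the check_srv_answer problem strings are my own wording. Note that the answer in the post came from "Server: localhost", i.e. the DC asked its own DNS; the useful comparison is running the same query from the other domain's PDC and confirming it returns the same target and address.

```python
import re
from typing import Dict, List

# Sample taken from the nslookup output in Eng's post above.
SAMPLE_OUTPUT = """\
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_ldap._tcp.pdc._msdcs.target.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ky-target.target.local

ky-target.target.local  internet address = 10.30.101.228
"""


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; drop a trailing dot if present."""
    return name.rstrip(".").lower()


def parse_nslookup_srv(text: str) -> Dict:
    """Parse Windows nslookup -type=srv output into server, SRV records and A records."""
    parsed: Dict = {"server": None, "records": [], "addresses": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Server:\s*(\S+)", line):
            parsed["server"] = m.group(1)
        elif m := re.match(r"(\S+)\s+SRV service location:", line):
            current = {"name": _norm(m.group(1))}
            parsed["records"].append(current)
        elif m := re.match(r"(priority|weight|port)\s*=\s*(\d+)", line):
            if current is not None:
                current[m.group(1)] = int(m.group(2))
        elif m := re.match(r"svr hostname\s*=\s*(\S+)", line):
            if current is not None:
                current["hostname"] = _norm(m.group(1))
        elif m := re.match(r"(\S+)\s+internet address\s*=\s*(\S+)", line):
            # Additional-section A record that nslookup prints after the SRV block
            parsed["addresses"][_norm(m.group(1))] = m.group(2)
    return parsed


def check_srv_answer(parsed: Dict, domain: str) -> List[str]:
    """Return a list of problems; an empty list means the answer is usable for a trust."""
    problems: List[str] = []
    domain = _norm(domain)
    if not parsed["records"]:
        problems.append("no SRV records in answer")
    for rec in parsed["records"]:
        host = rec.get("hostname")
        if host is None:
            problems.append(f"{rec['name']}: record has no target hostname")
            continue
        if not (host == domain or host.endswith("." + domain)):
            problems.append(f"{rec['name']}: target {host} is outside {domain}")
        if rec["name"].startswith("_ldap.") and rec.get("port") != 389:
            problems.append(f"{rec['name']}: LDAP SRV port is {rec.get('port')}, expected 389")
        if host not in parsed["addresses"]:
            problems.append(f"{rec['name']}: no A record returned for {host}; "
                            "the DC name may not resolve from here")
    return problems


if __name__ == "__main__":
    answer = parse_nslookup_srv(SAMPLE_OUTPUT)
    print(answer["records"])
    print("problems:", check_srv_answer(answer, "target.local") or "none")
```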
  7. Paul Bergson [MVP-DS], Oct 25, 2006
    #7
  8. Eng

    Eng Guest

    Hi guys,

    My mistake. When I ping using "ping <gateway ip address> -f -l 1472" I
    get a reply, not "Packet needs to be fragmented but DF set". But when I
    ping using "ping <gateway ip address> -f -l 1742", then I get the "Packet
    needs to be fragmented but DF set" reply. I think the 1st time I ran it I used
    the wrong packet size.

    Besides, I tried to use my target domain to create a trust to one of my
    production domains and it works. Only when I try to use my target domain to
    establish a trust to my source does it fail.

    I am not sure what's going wrong but I believe that something is not right with
    my source domain.

    Hope to hear from you all guys soon.

    Thanks

    Eng
     
    Eng, Oct 26, 2006
    #8
  9. Paul Bergson [MVP-DS], Oct 26, 2006
    #9
  10. Eng

    Eng Guest

    Hi Paul,

    Thank you for your reply.

    I had followed the instructions from the website that you provided but still
    no luck. I am still getting the same error message: "The Local Security Authority
    is unable to obtain an RPC connection from the domain controller
    DC1.target.local. Please check that the name can be resolved and that the
    server is available".

    I had verified that the RPC service is running and the name can be resolved in
    each domain.

    My source and target domains are currently sitting on the same subnet. I don't
    think this is a problem, right? Correct me if I am wrong.

    Is there any other way that I can try / anything I can do to resolve my issue?

    Thank you

    Eng
     
    Eng, Oct 27, 2006
    #10
  11. You could try creating an LMHosts file and see if that helps.

    Go to my website and look up trust setup on an NT4 v 2003. This should work
    for 2003 v 2003; it even has a foolproof way to set up the LMHost records.

    http://www.pbbergs.com
    Select articles and click on NT4 -v- Active Directory Trust
     
    Paul Bergson [MVP-DS], Oct 27, 2006
    #11
  12. Eng

    Eng Guest

    Hi Paul,

    Thank you for your reply.

    The lmhosts file is working but only for my source domain. Which
    means, my source domain is able to create a trust to the target, but when I try
    to create the trust from my target to my source, it fails again with the same
    error.

    I tried to remove the lmhosts file, copy it from my source domain PDC,
    change the name and IP and try again. But it fails too.

    On my source, I tried to verify the trust after I had created the trust but it
    failed. (Strange, I can create the trust but I cannot verify the trust.) I opened
    the event viewer and found that the following event ID is logged:
    Event ID: 40960
    Description: The Security System detected an authentication error for the
    server cifs/ky-target.TARGET.LOCAL. The failure code from authentication
    protocol Kerberos was "The referenced account is currently disabled and may
    not be logged on to.
    (0xc0000072)".

    I tried to search the MS website but failed to find a solution. Any idea what is
    going on?

    Thank you

    Eng
     
    Eng, Oct 30, 2006
    #12
  13. The spaces in the lmhosts names for the DCs and domain names are critical; be
    sure that both are properly spaced. That is why I pointed to this in the
    article I sent you to read.
     
    Paul Bergson [MVP-DS], Oct 31, 2006
    #13
  14. Eng

    Eng Guest

    Hi,

    I had followed exactly what is stated in your article but it still fails.
    Also, I had tried to use your web tool to generate the syntax but it still fails.

    I tried to remove the trust that was created at my Source and re-create it again.
    But this time it fails with the same error. Really a headache with this issue.

    Anything else that I can try?

    Thank you

    Eng
     
    Eng, Nov 2, 2006
    #14
  15. Is the time on the two servers within 5 minutes of one another?
     
    Paul Bergson [MVP-DS], Nov 3, 2006
    #15
  16. Eng

    Eng Guest

    Hi,

    Thank you for the reply.

    No. The time on the two servers is the same. No difference. I had checked all
    the servers and all their times are the same. No delay.

    Thank you

    Eng
     
    Eng, Nov 6, 2006
    #16
  17. I don't know what else to tell you. I'm not sure the 40960 even has
    anything to do with your problem.

    You could use KB 889030 and see if there is value in it. It was
    written for NT to AD but there may be issues in it that could help you as
    well.
    http://support.microsoft.com/default.aspx/kb/889030/en-us
     
    Paul Bergson [MVP-DS], Nov 6, 2006
    #17
  18. Jorge Silva

    Jorge Silva Guest

    Hi
    The 40960 errors can have some different causes:
    - Generally, these errors can be safely ignored. These errors occur because
    the DNS server doesn't have a Reverse Lookup Zone configured. Although Active
    Directory doesn't need a Reverse Lookup Zone to function, Windows 2003 and XP
    try to make a secure PTR registration, and because the Reverse Lookup Zone
    isn't configured, the OS tries to make a secure PTR registration at the
    external DNS that is authoritative over the reverse lookup of the IP on the
    machine's local interface. If it's a private address it will say cannot
    establish a secured connection with the server prisoner.iana.org. Also,
    nslookup will report "Can't find server name for address
    <IPAddressOfDNSServer>".

    Solution: 1 - Create a Reverse Lookup Zone.

    -----------

    I know that I started to answer this post but unfortunately I can't see all
    the thread.

    Test your MTU from the problem server by pinging the gateway of your router:
    ping -f <IP> -l 1472

    You need to start at your problem server, with a 1472 byte packet, then ping
    your machine gateway (router if any) address with a 1472 byte packet, then
    ping the next gateway with a 1472 byte packet, etc. until you reach the other
    server.

    If you ping a router that returns a time out or "Packet needs to be
    fragmented but DF set.", then you should reduce the packet size to that
    router until the ping returns.
    Then find the issue with that router as to why it is using a reduced MTU
    setting and increase the router MTU.

    --
    I hope that the information above helps you
    Good Luck


    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Nov 6, 2006
    #18
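    The MTU test described in Jorge's posts #5 and #18 (and the 1472 vs 1742 mix-up in Eng's posts #6 and #8) comes down to two things: the arithmetic behind 1472, and the search for the largest size that still gets through with DF set. The block below is an added example and not code from this thread. It makes the header arithmetic explicit (1500 minus 20 bytes IPv4 header minus 8 bytes ICMP header = 1472) and, going slightly beyond the posts, replaces the one-byte-at-a-time decrement with a binary search between the 1472 start and a 548-byte floor (576-byte minimum IPv4 datagram minus 28), which reaches the same answer in about ten pings. windows_ping_probe is the real probe for a Windows host; its success test on the ping output text is my assumption, not something the thread states. simulated_path is a constructed stand-in so the search can be run and checked offline.

```python
import subprocess
from typing import Callable, Optional

IP_HEADER = 20       # bytes, IPv4 header without options
ICMP_HEADER = 8      # bytes, ICMP echo request header
ETHERNET_MTU = 1500  # the link size both posts are aiming at: 1500 - 28 = 1472
MIN_IPV4_DATAGRAM = 576  # every IPv4 host must accept this, so 548 is a safe floor


def payload_for_mtu(mtu: int) -> int:
    """The ping -l value that exactly fills a link of the given MTU."""
    return mtu - IP_HEADER - ICMP_HEADER


def mtu_for_payload(payload: int) -> int:
    """Inverse of payload_for_mtu: the on-the-wire IP datagram size for a ping -l value."""
    return payload + IP_HEADER + ICMP_HEADER


def windows_ping_probe(host: str, payload: int, timeout_ms: int = 2000) -> bool:
    """Real probe on Windows: one echo request with DF set, True only on an echo reply.

    Assumption (not from the thread): a 'Reply from' line means the size fits,
    while 'needs to be fragmented' or 'timed out' means it does not.
    """
    cmd = ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_ms), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    if "needs to be fragmented" in out or "timed out" in out:
        return False
    return "Reply from" in out


def largest_passing_payload(probe: Callable[[int], bool],
                            start: int = payload_for_mtu(ETHERNET_MTU),
                            floor: int = payload_for_mtu(MIN_IPV4_DATAGRAM)) -> Optional[int]:
    """Largest payload in [floor, start] that probe() accepts, or None if even floor fails.

    The posts decrement from 1472 one step at a time; a binary search keeps the
    invariant 'lo passes, hi fails' and converges in log2(start - floor) probes.
    """
    if probe(start):
        return start
    if not probe(floor):
        return None  # something other than MTU is dropping the pings
    lo, hi = floor, start
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path whose smallest link has the given MTU."""
    return lambda payload: mtu_for_payload(payload) <= path_mtu


if __name__ == "__main__":
    for mtu in (1500, 1400, 1280):
        best = largest_passing_payload(simulated_path(mtu))
        print(f"simulated path MTU {mtu}: largest ping -l that passes = {best} "
              f"(datagram {mtu_for_payload(best)} bytes)")
    # Real use on the problem DC (Windows), GATEWAY_IP being a placeholder:
    # GATEWAY_IP = "<router gateway IP>"
    # best = largest_passing_payload(lambda n: windows_ping_probe(GATEWAY_IP, n))
```

    Reading the result: if the largest passing payload is 1472, the path to that hop carries a full 1500-byte frame and MTU is not the problem; anything smaller is the hop to start asking the network team about, and mtu_for_payload tells you the MTU that hop is actually enforcing.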
  19. Jorge Silva

    Jorge Silva Guest

    Other problems related to 40960 could be:
    - This behavior occurs when you restart the server that was promoted to a
    domain controller. In this scenario, the Windows Time service (W32Time) tries
    to authenticate before Directory Services has started.
    Event IDs 40960 and 40961 in the System Event Log When You Restart Windows
    Server 2003 After You Run Dcpromo.exe
    http://support.microsoft.com/kb/823712/en-us
    Situation 2
    LSASRV Event IDs 40960 and 40961 When You Promote a Server to a Domain
    Controller Role
    http://support.microsoft.com/kb/824217/en-us
    Other Related:
    You cannot access network resources after you try to log on to a Windows XP
    Service Pack 2-based computer
    http://support.microsoft.com/kb/885887/en-us
    You cannot access resources after you install Security Bulletin MS04-011 or
    Windows XP Service Pack 2
    http://support.microsoft.com/kb/891559/en-us
    Logon Authentication, Active Directory Replication, and Domain Joins Do Not
    Complete Successfully
    http://support.microsoft.com/kb/315150/en-us
    --
    I hope that the information above helps you
    Good Luck

    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Nov 6, 2006
    #19
  20. Eng

    Eng Guest

    Hi Guys,

    Thank you very much for all the suggestions. But I had tried all of them and
    still no luck. The same error still comes up.

    Appreciate all the help given. I will see what I can do from now.

    Thank you

    Eng
     
    Eng, Nov 8, 2006
    #20
