SC lost trust relationship between parent-child domains

Discussion in 'Active Directory' started by Oswaldo., Mar 24, 2005.

  1. Oswaldo.

    Oswaldo. Guest

    I have some trouble with Windows AD2k trust relationships between
    parent-child domains.
    When I try to verify (and then reset SC) the trust relationship by using
    Domains and Trusts, it shows me the error:

    The database on the server does not have a computer account for this
    workstation trust relationship

    Whenever I try to use nltest to reset the parent domain SC on the child DC, I
    get the error:

    I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

    I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED


    I'm using an enterprise admin account to log on to the servers.

    Any help would be greatly appreciated.

    Regards
    Oswaldo.
     
    Oswaldo., Mar 24, 2005
    #1

  2. Oswaldo.

    ptwilliams Guest

    This is a DNS problem. The trust is maintained by the PDCe in each domain.
    Therefore the DCs need to be able to resolve DCs and PDCe SRV records in
    both domains.

    How is your name resolution set up?

    Usually a delegation is made in the parent to the child, and the child holds
    a secondary of the parent or forwards to the parent.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
     
    ptwilliams, Mar 24, 2005
    #2

  3. Oswaldo.

    Oswaldo. Guest

    That is the way DNS resolution is working.

    The parent domain has a delegation to the child domain and both domains hold a
    secondary zone for the opposite domain. I already checked NSLOOKUP from child to
    parent domain servers and vice versa, and it worked fine.

    Any suggestions?

    Regards
    Oswaldo.
     
    Oswaldo., Mar 25, 2005
    #3
  4. Oswaldo.

    ptwilliams Guest

    Have you tested SRV records though? Standard name-to-IP is good, but not
    everything. You should also check that you can resolve the
    _ldap._tcp.dc._msdcs.domain-name.com and
    _ldap._tcp.pdc._msdcs.domain-name.com records.

    Otherwise, there's a host of KB articles in this link that might be of help:
    http://www.eventid.net/display.asp?eventid=5721&eventno=674&source=NETLOGON&phase=1


    Please let us know if any of this helped.

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
     
    ptwilliams, Mar 30, 2005
    #4
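
The SRV check suggested in the post above, as an added example that is not part of the original thread: a PowerShell function that queries the `dc` and `pdc` locator records for each domain and confirms that every target host also resolves to an address. The domain names are placeholders and `Test-DcLocatorSrv` is a hypothetical helper name; `Resolve-DnsName` requires Windows 8 / Server 2012 or later.

```powershell
# Placeholder domain names (assumptions); replace with the parent and child DNS names.
$Domains = 'parent.example.com', 'child.parent.example.com'

function Test-DcLocatorSrv {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Server   # optional: DNS server to query instead of the local resolver
    )
    $common = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    foreach ($role in 'dc', 'pdc') {
        $name = '_ldap._tcp.{0}._msdcs.{1}' -f $role, $Domain
        $row  = @{ Record = $name; Target = $null; Port = $null; Address = $null }
        try {
            $srv = @(Resolve-DnsName -Name $name -Type SRV @common |
                     Where-Object { $_.Type -eq 'SRV' })
        } catch {
            [pscustomobject]($row + @{ Status = "SRV lookup failed: $($_.Exception.Message)" })
            continue
        }
        if ($srv.Count -eq 0) {
            [pscustomobject]($row + @{ Status = 'no SRV records returned' })
            continue
        }
        # A domain has exactly one PDC emulator, so the pdc record should have one target.
        $note = if ($role -eq 'pdc' -and $srv.Count -ne 1) {
            "expected 1 PDCe target, got $($srv.Count)" } else { 'OK' }
        foreach ($r in $srv) {
            # Each SRV target must itself resolve to an address, or the DC cannot be reached.
            try {
                $addr = (Resolve-DnsName -Name $r.NameTarget -Type A @common |
                         Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
                $status = if ($addr) { $note } else { 'target has no A record' }
            } catch {
                $addr = $null
                $status = "target lookup failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port
                               Address = $addr; Status = $status }
        }
    }
}

# Run on a DC in each domain so both directions of the trust are covered.
$Domains | ForEach-Object { Test-DcLocatorSrv -Domain $_ } |
    Format-Table Record, Target, Port, Address, Status -AutoSize -Wrap
```

On older systems the same queries can be made with `nslookup -type=srv` against each record name.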