Unable to create basic domain trust between two Windows 2003 domains - logon servers not available?

Discussion in 'Active Directory' started by Alex, Aug 19, 2008.

  1. Alex

    Alex Guest

    Hi. I am currently trying to create a basic one way non-transitive trust
    between two Windows 2003 domains. We will be merging the domains of two
    companies in the future but for the time being need to give one domain
    access to resources in another. Both domains are standalone within their
    own forest i.e. domain1.net is the only domain in the domain1.net forest and
    domain2.net is the same. Both domain1 and domain2 have Windows Server 2003
    domain and forest functional levels.

    So far I have created Stub zones on the DNS servers in each domain i.e.
    domain1.net has a stub zone for domain2.net and domain2.net has a stub zone
    for domain1.net. Both domains have a single domain controller called DC1 on
    each domain i.e. dc1.domain1.net and dc1.domain2.net. I can ping from one
    DC to the other and resolve names of workstations and servers in the remote
    domain. If I run a nslookup from each DC the output seems normal
    (DC1.domain1.net nslookup result below).

    When I try to create the one-way non-transitive trust, I get to the end of
    the wizard and select 'Validate' the trust, and I get the error:

    The secure channel (SC) reset on domain controller \\DC1.domain2.net of
    domain2.net to domain domain1.net failed with error: There are currently no
    logon servers available to service the logon request.

    The accounts I have used in both domains are Domain and Enterprise Admins.
    Only dc1.domain2.net has an error in the System Log with ID 5719 and the
    same error as above i.e. logon servers not available to service the logon
    request.


    Can anyone suggest where I am going wrong?

    Thanks,
    Alex.


    DC1.domain1.net nslookup result:

    C:\>nslookup
    Default Server: localhost
    Address: 127.0.0.1
    Server: localhost
    Address: 127.0.0.1

    domain2.net
    primary name server = dc1.domain2.net
    responsible mail addr = hostmaster
    serial = 21
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
     
    Alex, Aug 19, 2008
    #1

  2. Jorge Silva

    Jorge Silva Guest

    Hi
    -Run dcdiag and netdiag for both DCs in both domains; make sure that no
    errors are shown.
    -Are the domains on different subnets? Do you have WINS? Are you
    creating an External Trust or a Forest Trust?
    -On DC1 for domain1 do an nslookup domain2.net, and also try to ping
    DC1.domain2.net from DC1.domain1.net. Do the same from the other domain. Any
    FW between the domains?
    -Test DNS nslookup "domainname.tld" from each DC for each domain.
    -If everything is OK in the previous tests, open Network Neighborhood and type
    \\DC1.domain2.net from DC1.domain1.net; you'll be asked for a password to
    access DC1.domain2.net. Enter the password, and do the same for
    \\DC1.domain1.net from DC1.domain2.net.
    -Try to create the trust again. When creating the trust, try using the FQDN
    or the NetBIOS name for the domain.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 19, 2008
    #2
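The checklist above covers name resolution in general; the NETLOGON error Alex quotes ("no logon servers available", event ID 5719) specifically means the DC locator found no domain controller for the other domain, which over DNS depends on the SRV records under _msdcs.<domain>. The following Python, added here as an illustration and not part of the thread, models that lookup against constructed zone data (the lookup interface, record values and IP addresses are assumed) so that a missing record can be pinpointed; the NetBIOS/WINS discovery path that NETLOGON also tries is not modeled.

```python
"""DC-locator style DNS check for a trusted domain (constructed example).

A zone that answers for the SOA, as the nslookup output in the first post
shows, is not enough on its own: the locator needs SRV records under
_msdcs.<domain> and an A record for each SRV target.
"""
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Hypothetical resolver interface: lookup(name, rtype) -> list of records.
# In real use this would wrap dnspython or parse nslookup; here it reads
# constructed zone data so the check runs offline.
LOCATOR_SRV = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}")


def locate_dcs(domain, lookup):
    """Return (dcs, problems): DCs as (host, ip, port) in locator order
    (priority ascending, weight descending), plus findings for missing records."""
    problems, dcs = [], []
    if not lookup(domain, "SOA"):
        problems.append(f"no SOA for {domain}: no zone or stub zone reachable")
        return dcs, problems
    ldap_name = LOCATOR_SRV[0].format(d=domain)
    srv = lookup(ldap_name, "SRV")
    if not srv:
        problems.append(f"no SRV records at {ldap_name}: DC locator cannot find a DC")
        return dcs, problems
    kerb_name = LOCATOR_SRV[1].format(d=domain)
    if not lookup(kerb_name, "SRV"):
        problems.append(f"no SRV records at {kerb_name}: Kerberos DC discovery will fail")
    for rec in sorted(srv, key=lambda r: (r.priority, -r.weight)):
        addrs = lookup(rec.target, "A")
        if not addrs:
            problems.append(f"SRV target {rec.target} has no A record")
            continue
        dcs.append((rec.target, addrs[0], rec.port))
    return dcs, problems


# Constructed zone data (assumed names and addresses), two variants.
ZONE_SOA_ONLY = {("domain2.net", "SOA"): ["dc1.domain2.net"],
                 ("dc1.domain2.net", "A"): ["10.2.0.1"]}
ZONE_FULL = dict(ZONE_SOA_ONLY)
ZONE_FULL[("_ldap._tcp.dc._msdcs.domain2.net", "SRV")] = [SrvRecord(0, 100, 389, "dc1.domain2.net")]
ZONE_FULL[("_kerberos._tcp.dc._msdcs.domain2.net", "SRV")] = [SrvRecord(0, 100, 88, "dc1.domain2.net")]


def make_lookup(zone):
    """Build a lookup function over one constructed zone dictionary."""
    return lambda name, rtype: zone.get((name.lower(), rtype), [])


if __name__ == "__main__":
    for label, zone in (("SOA only", ZONE_SOA_ONLY), ("with SRV", ZONE_FULL)):
        print(label, locate_dcs("domain2.net", make_lookup(zone)))
```

Against a live server the same logic maps onto `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain2.net` run from each DC, which is the query to add to Jorge's list.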

  3. Alex

    Alex Guest

    Hi Jorge. Thanks for your advice. Please find my answers to your
    questions below:

    Q. Run dcdiag and netdiag for both DCs in both Domains, make sure that no
    errors are shown.
    A. DCdiag results look fine. The two domains are not internet connected, so
    the only two 'errors' in the results are 'no Forwarders or root hints are
    configured' and under the network adapter results for the DC it shows 'Root
    Zone on this DC/DNS server was not found'.
    Netdiag similarly looks fine. There is an entry of 'Warning: At least one of
    the <00> 'Workstation Service', <03> 'Messenger Service', <20> 'WINS' names
    is missing.'

    Q. Are the domains between different subnets?
    A. Yes the domains are on different subnets. There are no access lists etc
    between the subnets on the same switch.

    Q. Do you have WINS?
    A. WINS is not running on either domain. Is WINS required for trusts? Is
    there going to be an issue with the DCs and other servers having the same
    names in both domains? If WINS is required, how should it be configured
    between the domains, i.e. should each domain have its own WINS server and do
    they replicate between domains, or should both domains use the same single
    WINS server?

    Q. Are you creating an External Trust or a Forest Trust?
    A. I'm using an external trust (domain to domain) one way non-transitive. I
    have also tested with a Forest trust and got the same error.

    Q. On DC1 for domain1 do a nslookup domain2.net, also try to ping the
    DC1.domain2.net from DC1.domain1.net. Do the same to the other domain.
    A. nslookup on DC1.domain1.net for domain2.net returns the IP address of DC1
    in domain2.net. Pinging dc1.domain2.net from dc1.domain1.net is correctly
    resolved and has a normal response.

    Q. Any FW between the Domains?
    A. No there are no firewall or access lists between the domains.

    Q. Test DNS nslookup "domainname.tld" from each DC for each domain.
    A. nslookup of opposing domains return the IP address of DC1 in the relevant
    domain.

    Q. If everything is OK in the previous tests, open Network Neighborhood and type
    \\DC1.domain2.net from DC1.domain1.net; you'll be asked for a password to
    access DC1.domain2.net. Enter the password, and do the same for
    \\DC1.domain1.net from DC1.domain2.net.
    A. Unfortunately when I try and access \\dc1.domain2.net from
    dc1.domain2.net I get the error \\dc1.domain2.net is not accessible. You
    might not have permission to use this network resource... There are
    currently no logon servers available to service the logon request.

    Q. Try to create the trust again. When creating the trust, try using the
    fqdn or the netbios name for the domain.
    A. I have tried creating the trust with DOMAINX.net and DOMAIN but both
    result in the same error.


    Thanks,
    Alex.
     
    Alex, Aug 20, 2008
    #3
  4. Jorge Silva

    Jorge Silva Guest

    Hi
    The error sounds like a permissions problem, FW issues or bad name resolution.
    Before creating the trust you must be able to contact both ends of the domain
    using \\dcname or \\dcname.domain.tld.


    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 20, 2008
    #4
