Alex
Posted August 19, 2008

Unable to create basic domain trust between two Windows 2003 domains - logon servers not available?

Hi.

I am currently trying to create a basic one-way non-transitive trust between two Windows 2003 domains. We will be merging the domains of two companies in the future, but for the time being need to give one domain access to resources in another.

Both domains are standalone within their own forest, i.e. domain1.net is the only domain in the domain1.net forest and domain2.net is the same. Both domain1 and domain2 have Windows Server 2003 domain and forest functional levels.

So far I have created stub zones on the DNS servers in each domain, i.e. domain1.net has a stub zone for domain2.net and domain2.net has a stub zone for domain1.net. Both domains have a single domain controller called DC1 in each domain, i.e. dc1.domain1.net and dc1.domain2.net. I can ping from one DC to the other and resolve names of workstations and servers in the remote domain. If I run an nslookup from each DC the output seems normal (DC1.domain1.net nslookup result below).

When I try to create the one-way non-transitive trust, I get to the end of the wizard, select 'Validate' the trust, and get the error:

The secure channel (SC) reset on domain controller \\DC1.domain2.net of domain2.net to domain domain1.net failed with error: There are currently no logon servers available to service the logon request.

The accounts I have used in both domains are Domain and Enterprise Admins. Only dc1.domain2.net has an error in the System Log with ID 5719 and the same error as above, i.e. logon servers not available to service the logon request.

Can anyone suggest where I am going wrong?

Thanks,
Alex.
DC1.domain1.net nslookup result:

C:\>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=srv
> dc1.domain2.net
Server:  localhost
Address:  127.0.0.1

domain2.net
        primary name server = dc1.domain2.net
        responsible mail addr = hostmaster
        serial  = 21
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
Jorge Silva
Posted August 19, 2008

Re: Unable to create basic domain trust between two Windows 2003 domains - logon servers not available?

Hi

- Run dcdiag and netdiag for both DCs in both domains; make sure that no errors are shown.
- Are the domains on different subnets? Do you have WINS? Are you creating an External Trust or a Forest Trust?
- On DC1 for domain1 do an nslookup domain2.net, and also try to ping DC1.domain2.net from DC1.domain1.net. Do the same from the other domain. Any FW between the domains?
- Test DNS: nslookup "domainname.tld" from each DC for each domain.
- If everything is OK in the previous tests, open Network Neighborhood and from DC1.domain1.net type \\DC1.domain2.net; you'll be asked for a password to access DC1.domain2.net. Enter the password, and do the same for \\DC1.domain1.net from DC1.domain2.net.
- Try to create the trust again. When creating the trust, try using the FQDN or the NetBIOS name for the domain.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
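The checklist above, scripted as an added example for this thread (it is not code from either poster). It runs from one DC against the other domain and prints one line per check. Assumptions: PowerShell 2.0 or later on the DC, a Domain Admin session, and nslookup.exe and dcdiag.exe on the PATH (on Windows Server 2003 dcdiag comes from the Support Tools); the domain and DC names are the ones from the opening post, and the port list is a non-exhaustive set of the TCP ports a trust needs. Note that the nslookup in the opening post asked for SRV records at a host name (dc1.domain2.net), which only ever returns the zone's SOA; the names a secure-channel setup actually looks up are the _msdcs ones queried in step 2. Because the validation error names DC1.domain2.net as the DC whose lookup failed, run it from both sides, swapping the two parameters.

```powershell
# Added example, not code from the thread: Jorge's checklist from one DC
# against the other domain. Assumes PowerShell 2.0+, Domain Admin rights,
# nslookup.exe and dcdiag.exe on the PATH, and the names from the post.
param(
    [string]$RemoteDomain = 'domain2.net',
    [string]$RemoteDc     = 'dc1.domain2.net'
)

function Invoke-Check([string]$Title, [scriptblock]$Body) {
    Write-Host "=== $Title ==="
    try   { & $Body | ForEach-Object { Write-Host "  $_" } }
    catch { Write-Host "  FAILED: $_" }
}

# 1. A records: the domain name itself should resolve to the DC's address
#    (the stub zone answers this) and the DC's host name should resolve too.
Invoke-Check 'A records' {
    foreach ($n in $RemoteDomain, $RemoteDc) {
        foreach ($ip in [System.Net.Dns]::GetHostAddresses($n)) {
            "$n -> $($ip.IPAddressToString)"
        }
    }
}

# 2. The SRV records the DC locator uses. Asking for SRV at dc1.domain2.net
#    (as in the opening post) only yields the SOA; these names are the ones
#    a secure-channel setup actually queries.
Invoke-Check 'DC locator SRV records' {
    foreach ($n in "_ldap._tcp.dc._msdcs.$RemoteDomain",
                   "_kerberos._tcp.dc._msdcs.$RemoteDomain",
                   "_ldap._tcp.$RemoteDomain") {
        $out = & nslookup -type=SRV $n 2>&1 | Out-String
        if ($out -match 'svr hostname\s*=\s*(\S+)') { "$n -> $($Matches[1])" }
        else { "$n -> NO SRV ANSWER (locator cannot find a DC this way)" }
    }
}

# 3. Reachability of some ports a trust needs (Kerberos, RPC endpoint mapper,
#    LDAP, SMB). Dynamic RPC ports and UDP are deliberately not tested here.
Invoke-Check 'TCP ports on the remote DC' {
    foreach ($port in 88, 135, 389, 445) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($RemoteDc, $port); "${RemoteDc}:$port open" }
        catch   { "${RemoteDc}:$port CLOSED or filtered" }
        finally { $tcp.Close() }
    }
}

# 4. Jorge's \\DC1.domain2.net test, scripted: map IPC$ with explicit
#    credentials (net use prompts for the password) and release it again.
#    'There are currently no logon servers available' here is Win32 error 1311.
Invoke-Check 'SMB session to the remote DC' {
    & net use "\\$RemoteDc\IPC$" "/user:$RemoteDomain\Administrator" 2>&1
    & net use "\\$RemoteDc\IPC$" /delete 2>&1
}

# 5. Local DC health, errors only.
Invoke-Check 'dcdiag /q on this DC' { & dcdiag /q 2>&1 }
```

Save it as a .ps1 and run it once on each DC; the side on which step 2 or step 4 fails is the side whose DNS (or firewall) needs attention, whatever the wizard happens to report.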
Alex
Posted August 20, 2008

Re: Unable to create basic domain trust between two Windows 2003 domains - logon servers not available?

Hi Jorge.

Thanks for your advice. Please find below the answers to your questions:

Q. Run dcdiag and netdiag for both DCs in both domains, make sure that no errors are shown.
A. DCdiag results look fine. The two domains are not internet connected, so the only two 'errors' in the results are 'no Forwarders or root hints are configured' and, under the network adapter results for the DC, 'Root Zone on this DC/DNS server was not found'. Netdiag similarly looks fine. There is an entry of "Warning: At least one of the <00> 'Workstation Service', <03> 'Messenger Service', <20> 'WINS' names is missing."

Q. Are the domains on different subnets?
A. Yes, the domains are on different subnets. There are no access lists etc. between the subnets on the same switch.

Q. Do you have WINS?
A. WINS is not running on either domain. Is WINS required for trusts? Is there going to be an issue with the DCs and other servers having the same names in both domains? If WINS is required, how should it be configured between the domains, i.e. should each domain have its own WINS server and do they replicate between domains, or should both domains use the same single WINS server?

Q. Are you creating an External Trust or a Forest Trust?
A. I'm using an external trust (domain to domain), one-way non-transitive. I have also tested with a Forest trust and got the same error.

Q. On DC1 for domain1 do an nslookup domain2.net, and also try to ping DC1.domain2.net from DC1.domain1.net. Do the same from the other domain.
A. nslookup on DC1.domain1.net for domain2.net returns the IP address of DC1 in domain2.net. Pinging dc1.domain2.net from dc1.domain1.net is correctly resolved and has a normal response.

Q. Any FW between the domains?
A. No, there are no firewalls or access lists between the domains.

Q. Test DNS: nslookup "domainname.tld" from each DC for each domain.
A. nslookup of the opposing domains returns the IP address of DC1 in the relevant domain.

Q. If everything is OK in the previous tests, open Network Neighborhood and from DC1.domain1.net type \\DC1.domain2.net; you'll be asked for a password to access DC1.domain2.net. Enter the password, and do the same for \\DC1.domain1.net from DC1.domain2.net.
A. Unfortunately, when I try to access \\dc1.domain2.net from dc1.domain2.net I get the error "\\dc1.domain2.net is not accessible. You might not have permission to use this network resource..... There are currently no logon servers available to service the logon request."

Q. Try to create the trust again. When creating the trust, try using the FQDN or the NetBIOS name for the domain.
A. I have tried creating the trust with DOMAINX.net and DOMAIN, but both result in the same error.

Thanks,
Alex.
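A second added example, not code from the thread, that follows from the error text in the opening post: the secure-channel reset failed on \\DC1.domain2.net towards domain1.net, and that DC is the one logging event 5719, so the DC-locator checks belong on dc1.domain2.net pointing at domain1.net. It asks the locator for a DC of domain1.net twice, once by DNS name (which goes through the _msdcs SRV records and the stub zone) and once by flat NetBIOS name; NetBIOS broadcasts do not cross routers, so from a different subnet the flat-name lookup can only succeed through WINS or an LMHOSTS entry for the DOMAIN1<1C> group name, which is what the WINS question in the post turns on. It then lists the recent NETLOGON 5719 events with the domain each one names. Assumptions: PowerShell 2.0 or later, nltest.exe on the PATH (Support Tools on Windows Server 2003, built in later), Domain Admin rights, and that domain1's NetBIOS name is DOMAIN1 (the thread does not state it).

```powershell
# Added example, not code from the thread. Run on dc1.domain2.net, the DC the
# validation error names. Assumes PowerShell 2.0+, nltest.exe on the PATH,
# Domain Admin rights, and (assumption) the NetBIOS name DOMAIN1 for domain1.net.
param(
    [string]$TrustedDnsName     = 'domain1.net',
    [string]$TrustedNetbiosName = 'DOMAIN1'
)

function Find-DomainController([string]$DomainName) {
    # nltest prints 'DC: \\name' on success and a 'Status = <code> ...' line
    # (e.g. 'Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN') on failure.
    $out = & nltest "/dsgetdc:$DomainName" /force 2>&1 | Out-String
    if ($out -match 'DC:\s*\\\\(\S+)') {
        New-Object PSObject -Property @{ Query = $DomainName; Result = 'found';   Detail = $Matches[1] }
    } elseif ($out -match 'Status = (\d+)') {
        New-Object PSObject -Property @{ Query = $DomainName; Result = 'failed';  Detail = "status $($Matches[1])" }
    } else {
        New-Object PSObject -Property @{ Query = $DomainName; Result = 'unknown'; Detail = $out.Trim() }
    }
}

# DNS-name lookup exercises _ldap._tcp.dc._msdcs.domain1.net via the stub zone.
# Flat-name lookup is resolved through NetBIOS: broadcast on the local subnet
# only, otherwise WINS or an LMHOSTS entry for the <1C> group name.
$dns     = Find-DomainController $TrustedDnsName
$netbios = Find-DomainController $TrustedNetbiosName
"Locator by DNS name     ($TrustedDnsName): $($dns.Result) $($dns.Detail)"
"Locator by NetBIOS name ($TrustedNetbiosName): $($netbios.Result) $($netbios.Detail)"

# Event 5719 from NETLOGON is what the thread reports on dc1.domain2.net; show
# the latest ones with their text so the domain the DC could not reach is clear.
Get-EventLog -LogName System -Source NETLOGON -Newest 500 |
    Where-Object { $_.EventID -eq 5719 } |
    Select-Object -First 5 -Property TimeGenerated,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

If the DNS-name lookup succeeds on both DCs but the flat-name lookup fails only across the subnet boundary, the difference is NetBIOS name resolution, which is the question about WINS in the post; if the DNS-name lookup itself fails on dc1.domain2.net, the SRV records for domain1.net are not reachable through its stub zone and the trust cannot validate regardless of WINS.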
Jorge Silva
Posted August 20, 2008

Re: Unable to create basic domain trust between two Windows 2003 domains - logon servers not available?

Hi

The error sounds like a permissions problem, FW issue or bad name resolution. Before doing the trust you must be able to contact both ends of the domain using \\dcname or \\dcname.domain.tld.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services