Home All Groups Group Topic Archive Search About

Domain Trust

microsoft.public.windows.server.active_directory
Author
30 Jun 2009 5:47 PM
Simon
I'm working in a project to merge operations of two domains (companies
merging)
site 1 has Domain A (DC with all operation master) (win 2003 SP1  x32)
site 2 has domain B (DC with all operation master + a DC from domain A) (win
2003 SP2 x64)
The sites are located in different states
I'm setting up a Two-way trust, forest transitive and forest-wide
authentication.

* When i try to validate domain A from Domain B it is successful
* When i try to validate domain B from domain A in site 1, I get the error
"windows cannot find the domain controller for the mountainaviation.com.
Veritfy that a DC is available and then try again." I can log in to DC in
domain B using RDP.
* When i try to validate domain B from domain A in site 2, I get the error
"Unable to read forest trust information from the other domain. The error
is: there are currently no logon servers available to service the logon
request."

At the end i cannot allow users from iether domain to have access to
resources from either domain. i get the error "The following error prevented
the display of any items: the server is not operational"

Any suggestion will be apretiated.

Thanks

Simon

Author
1 Jul 2009 12:25 AM
Ace Fekay [Microsoft Certified Trainer]
In news:3B27FBE3-80E7-4053-9615-763266613610@microsoft.com,
Simon <simonh@newsgroup.nospam>, posted the following, which I replied to down below...:  Hello Simon
Show quoteHide quote
> I'm working in a project to merge operations of two domains (companies
> merging)
> site 1 has Domain A (DC with all operation master) (win 2003 SP1  x32)
> site 2 has domain B (DC with all operation master + a DC from domain
> A) (win 2003 SP2 x64)
> The sites are located in different states
> I'm setting up a Two-way trust, forest transitive and forest-wide
> authentication.
>
> * When i try to validate domain A from Domain B it is successful
> * When i try to validate domain B from domain A in site 1, I get the
> error "windows cannot find the domain controller for the
> mountainaviation.com. Veritfy that a DC is available and then try
> again." I can log in to DC in domain B using RDP.
> * When i try to validate domain B from domain A in site 2, I get the
> error "Unable to read forest trust information from the other domain.
> The error is: there are currently no logon servers available to
> service the logon request."
>
> At the end i cannot allow users from iether domain to have access to
> resources from either domain. i get the error "The following error
> prevented the display of any items: the server is not operational"
>
> Any suggestion will be apretiated.
>
> Thanks
>
> Simon

Hi Simon,

You've posted the symptoms, but you did not provide any configuration information, or how you went about setting up DNS, the trusts, firewall status, and much more, which would be helpful for any sort of diagnosis.

Forest trusts rely on DNS. How is DNS configured to allow resolution on both sides of the fence?

The best way I've found to do this is to use condition forwarders, meaning on all of A's DNS servers, configure a conditional forwarders to two of B's DNS servers, and vice versa.

Then make absolutely sure ALL ports are opened between the two locations, otherwise things will not work. If you need to

Then once configured and verified, add the Domain Users from A to the Local Domain Users on B, and vice versa, and do the same for the Domain Admins of A to the Local Administrators group on B, and vice versa. Configure permissions appropriately on resources.

Plus both forests must be a minimum 2003 Funtional Levels, which means each domain in the forest must be at that level before the forest levels can be raised.

Also make absolutely sure that no DCs are multihomed, no DCs have RRAS installed, either forest domain name is not a single label name ('domain' vs the minimal required format of 'domain.com,' 'domain.local,' etc), or there are no references to any other DNS server in any IP properties to an ISP's or router DNS, otherwise expect errors such as lack of communication and authentication to occur.

Please read the following to better help with the trust issue.

Checklist: Creating a forest trust: Active DirectoryJan 21, 2005 ... (Optional) Review the various trust types and understand forest trust concepts ... Raise the forest functional level. Create a forest trust. ....
http://technet.microsoft.com/en-us/library/cc756852(WS.10).aspx

Create a forest trust: Active DirectoryJan 21, 2005 ... To successfully create a forest trust, your environment will need to be set up properly. For more information, see the checklist for ...
http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Author
1 Jul 2009 6:05 AM
Meinolf Weber [MVP-DS]
Hello Simon,

Please give some more information how you setup DNS on both sites for the
trust. Are both domains/forests on functional level Windows server 2003?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote
> I'm working in a project to merge operations of two domains (companies
> merging)
> site 1 has Domain A (DC with all operation master) (win 2003 SP1  x32)
> site 2 has domain B (DC with all operation master + a DC from domain
> A) (win
> 2003 SP2 x64)
> The sites are located in different states
> I'm setting up a Two-way trust, forest transitive and forest-wide
> authentication.
> * When i try to validate domain A from Domain B it is successful
> * When i try to validate domain B from domain A in site 1, I get the
> error
> "windows cannot find the domain controller for the
> mountainaviation.com.
> Veritfy that a DC is available and then try again." I can log in to DC
> in
> domain B using RDP.
> * When i try to validate domain B from domain A in site 2, I get the
> error
> "Unable to read forest trust information from the other domain. The
> error
> is: there are currently no logon servers available to service the
> logon
> request."
> At the end i cannot allow users from iether domain to have access to
> resources from either domain. i get the error "The following error
> prevented the display of any items: the server is not operational"
>
> Any suggestion will be apretiated.
>
> Thanks
>
> Simon
>
Author
6 Jul 2009 7:19 PM
Simon
Ace, Meinolf, thanks for your responses.

I deleted the zone  I created in both domains and I setup condition forwards
and it worked.

Thanks Again

Simon





Show quoteHide quote
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6628b1f8cbc839d26679d7@msnews.microsoft.com...
> Hello Simon,
>
> Please give some more information how you setup DNS on both sites for the
> trust. Are both domains/forests on functional level Windows server 2003?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I'm working in a project to merge operations of two domains (companies
>> merging)
>> site 1 has Domain A (DC with all operation master) (win 2003 SP1  x32)
>> site 2 has domain B (DC with all operation master + a DC from domain
>> A) (win
>> 2003 SP2 x64)
>> The sites are located in different states
>> I'm setting up a Two-way trust, forest transitive and forest-wide
>> authentication.
>> * When i try to validate domain A from Domain B it is successful
>> * When i try to validate domain B from domain A in site 1, I get the
>> error
>> "windows cannot find the domain controller for the
>> mountainaviation.com.
>> Veritfy that a DC is available and then try again." I can log in to DC
>> in
>> domain B using RDP.
>> * When i try to validate domain B from domain A in site 2, I get the
>> error
>> "Unable to read forest trust information from the other domain. The
>> error
>> is: there are currently no logon servers available to service the
>> logon
>> request."
>> At the end i cannot allow users from iether domain to have access to
>> resources from either domain. i get the error "The following error
>> prevented the display of any items: the server is not operational"
>>
>> Any suggestion will be apretiated.
>>
>> Thanks
>>
>> Simon
>>
>
>
Author
6 Jul 2009 7:52 PM
Ace Fekay [Microsoft Certified Trainer]
"Simon" <simonh@newsgroup.nospam> wrote in message news:O693$6m$JHA.1380@TK2MSFTNGP02.phx.gbl...
> Ace, Meinolf, thanks for your responses.
>
> I deleted the zone  I created in both domains and I setup condition forwards
> and it worked.
>
> Thanks Again
>
> Simon

Good to hear, Simon!

Ace



Post Other interesting topics
w2k3 R2 time services
DCpromo issue. Health check on AD and group policy.
Inconstant netlogon folders
Tool to list group members
LSASS Bleeding Over
Enterprise CA placement
Active Directory is down
Global Catalog Server 2003/2008
WSUS question
File Replication Services