Unable to create basic domain trust between two Windows 2003 domains - logon servers not available ?

Alex

Guest
Hi. I am currently trying to create a basic one way non-transitive trust
between two Windows 2003 domains. We will be merging the domains of two
companies in the future but for the time being need to give one domain
access to resources in another. Both domains are standalone within their
own forest i.e. domain1.net is the only domain in the domain1.net forest and
domain2.net is the same. Both domain1 and domain2 have Windows Server 2003
domain and forest functional levels.

So far I have created Stub zones on the DNS servers in each domain i.e.
domain1.net has a stub zone for domain2.net and domain2.net has a stub zone
for domain1.net. Both domains have a single domain controller called DC1 on
each domain i.e. dc1.domain1.net and dc1.domain2.net. I can ping from one
DC to the other and resolve names of workstations and servers in the remote
domain. If I run a nslookup from each DC the output seems normal
(DC1.domain1.net nslookup result below).

When I try to create the one way non-transitive trust and, at the end of the
wizard, select 'Validate' for the trust, I get the error:

The secure channel (SC) reset on domain controller \\DC1.domain2.net of
domain2.net to domain domain1.net failed with error: There are currently no
logon servers available to service the logon request.

The accounts I have used in both domains are Domain and Enterprise Admins.
Only dc1.domain2.net has an error in the System Log with ID 5719 and the
same error as above i.e. logon servers not available to service the logon
request.


Can anyone suggest where I am going wrong ?

Thanks,
Alex.


DC1.domain1.net nslookup result:

C:\>nslookup
Default Server: localhost
Address: 127.0.0.1

> set type=srv
> dc1.domain2.net

Server: localhost
Address: 127.0.0.1

domain2.net
primary name server = dc1.domain2.net
responsible mail addr = hostmaster
serial = 21
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
 
Re: Unable to create basic domain trust between two Windows 2003 domains - logon servers not available ?

Hi
- Run dcdiag and netdiag for both DCs in both Domains, make sure that no
errors are shown.
- Are the domains on different subnets? Do you have WINS? Are you
creating an External Trust or a Forest Trust?
- On DC1 for domain1 do a nslookup domain2.net, also try to ping
DC1.domain2.net from DC1.domain1.net. Do the same for the other domain. Any
FW between the Domains?
- Test DNS nslookup "domainname.tld" from each DC for each domain.
- IF everything is Ok in the previous tests, open Network Neighborhood and type from
DC1.domain1.net \\DC1.domain2.net; you'll be asked for a password to
access DC1.domain2.net, enter the password and do the same to
\\DC1.domain1.net from DC1.domain2.net.
- Try to create the trust again. When creating the trust, try using the fqdn
or the netbios name for the domain.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Re: Unable to create basic domain trust between two Windows 2003 domains - logon servers not available ?

Hi Jorge. Thanks for your advice. Please find my answers to your
questions below:

Q. Run dcdiag and netdiag for both DCs in both Domains, make sure that no
errors are shown.
A. DCdiag results look fine. The two domains are not internet connected, so
the only two 'errors' in the results are 'no Forwarders or root hints are
configured' and under the network adapter results for the DC it shows 'Root
Zone on this DC/DNS server was not found'.
Netdiag similarly looks fine. There is an entry of 'Warning: At least one of
the <00> 'Workstation Service', <03> 'Messenger Service', <20> 'WINS' names
is missing.'

Q. Are the domains between different subnets?
A. Yes the domains are on different subnets. There are no access lists etc
between the subnets on the same switch.

Q. Do you have WINS?
A. WINS is not running on either domain. Is WINS required for trusts ? Is
there going to be an issue with the DCs and other servers having the same
names in both domains ? If WINS is required how should it be configured
between the domains i.e. should each domain have its own WINS server and do
they replicate between domains or should both domains use the same single
WINS server ?

Q. Are you creating an External Trust or a Forest Trust?
A. I'm using an external trust (domain to domain) one way non-transitive. I
have also tested with a Forest trust and got the same error.

Q. On DC1 for domain1 do a nslookup domain2.net, also try to ping the
DC1.domain2.net from DC1.domain1.net. Do the same to the other domain.
A. nslookup on DC1.domain1.net for domain2.net returns the IP address of DC1
in domain2.net. Pinging dc1.domain2.net from dc1.domain1.net is correctly
resolved and gets a normal response.

Q. Any FW between the Domains?
A. No there are no firewall or access lists between the domains.

Q. Test DNS nslookup "domainname.tld" from each DC for each domain.
A. nslookup of opposing domains return the IP address of DC1 in the relevant
domain.

Q. IF everything Ok in previous tests, open Network Neighborhood and type
from DC1.domain1.net \\DC1.domain2.net you'll be asked for a password to
access to the DC1.domain2.net, enter the password and do the same to
\\DC1.domain1.net from DC1.domain2.net.
A. Unfortunately when I try and access \\dc1.domain2.net from
dc1.domain2.net I get the error \\dc1.domain2.net is not accessible. You
might not have permission to use this network resource..... There are
currently no logon servers available to service the logon request.

Q. Try to create the trust again. When creating the trust, try using the
fqdn or the netbios name for the domain.
A. I have tried creating the trust with DOMAINX.net and DOMAIN but both
result in the same error.


Thanks,
Alex.
 
Re: Unable to create basic domain trust between two Windows 2003 domains - logon servers not available ?

Hi
The error sounds like a permissions problem, FW issues or bad name resolution.
Before doing the trust you must be able to contact both ends of the domain
using \\dcname or \\dcname.domain.tld.


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
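The "no logon servers available" message comes from the DC locator, which finds a DC for the other domain through the SRV records under _msdcs rather than through the host names pinged above; the nslookup in the first post set type=srv but then looked up a host name, which is why it got an SOA back instead of SRV records. The batch script below is an added example (not from this thread or from Microsoft) that queries those SRV records for the other domain from a DC, then asks the locator itself; it assumes the domain names used in this thread and that nltest from the Windows Support Tools is installed.

```batch
@echo off
rem Added diagnostic (not from the thread): check the DC locator DNS records
rem for the remote domain, then ask the locator directly.
rem Usage on dc1.domain1.net:  dctrustcheck.cmd domain2.net
rem Usage on dc1.domain2.net:  dctrustcheck.cmd domain1.net
setlocal enabledelayedexpansion
set REMOTE=%~1
if "%REMOTE%"=="" set REMOTE=domain2.net

echo === SRV records the DC locator needs for %REMOTE% ===
rem Each name must return at least one "svr hostname" line from nslookup.
rem The stub zone only holds SOA/NS/glue, so these answers come from the
rem remote DC via the stub zone's name servers; MISSING here points at the
rem _msdcs zone or the stub zone, not at the trust wizard.
for %%R in (
  _ldap._tcp.dc._msdcs.%REMOTE%
  _kerberos._tcp.dc._msdcs.%REMOTE%
  _ldap._tcp.%REMOTE%
  _kerberos._tcp.%REMOTE%
  _kpasswd._tcp.%REMOTE%
) do (
  nslookup -type=SRV %%R 2>nul | find /i "svr hostname" >nul
  if errorlevel 1 (
    echo MISSING  %%R
  ) else (
    echo ok       %%R
  )
)

echo === DC locator result for %REMOTE% (forces a fresh lookup) ===
rem Succeeds only if a DC of the remote domain was found by DNS or NetBIOS;
rem ERROR_NO_LOGON_SERVERS here reproduces the wizard's failure outside it.
nltest /dsgetdc:%REMOTE% /force

echo === Secure channel state to %REMOTE% (meaningful once a trust exists) ===
nltest /sc_query:%REMOTE%
endlocal
```

Run it on each DC against the other domain; a domain whose records all show ok but whose nltest /dsgetdc still fails narrows the problem to the locator's NetBIOS/WINS path or to credentials rather than DNS.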
 