
problems with forest trust


ilionx (MIS, NL), Nov 23, 2004
Currently we have an issue with getting policies over a forest trust and accessing a DFS over a forest trust.

Main issues:

- We cannot access data on the DFS in domain A from domain B
- Neither can we access data on the DFS in domain B from domain A
- Logging in on a workstation in domain B with a user account from domain A is possible, though user policies (GPOs) from domain A are not applied.

Our situation:

Domain A in Forest A
Domain B in Forest B

Between the two forests, a two-way transitive forest trust is in place.

Accessing the DFS-folders in domain A from domain A = OK
Accessing the DFS-folders in domain A from domain B = ERROR

"Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied"

Accessing the DFS-folders in domain B from domain B = OK
Accessing the DFS-folders in domain B from domain A = ERROR

"Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied"

Note: the DFS in Domain A is not the same as the DFS in Domain B.
So we have a DFS in Domain A and a DFS in Domain B, each with different content.

Running dcdiag with target domain A from domain A = all tests succeeded
Running dcdiag with target domain B from domain B = all tests succeeded

Running dcdiag with target domain A from domain B = ERRORS
Running dcdiag with target domain B from domain A = ERRORS

Output of dcdiag:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC1
Starting test: Replications
......................... DC1 passed test Replications
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
[DC1] An net use or LsaPolicy operation failed with error 1203, No
network provider accepted the given network path..
......................... DC1 failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (DC1) call failed, error 1722
The Locator could not find the server.
......................... DC1 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: MachineAccount
Could not open pipe with [DC1]:failed with 1203: No network provider accepted the given network path.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... DC1 failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [DC1]:failed with 1203: No network provider accepted the given network path.
......................... DC1 failed test Services
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: frssysvol
[DC1] An net use or LsaPolicy operation failed with error 1203, No
network provider accepted the given network path..
......................... DC1 failed test frssysvol
Starting test: frsevent
......................... DC1 failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error No network provider accepted the given network path.
......................... DC1 failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error No network provider accepted the given network path.
......................... DC1 failed test systemlog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : domaina
Starting test: CrossRefValidation
......................... domaina passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domaina passed test CheckSDRefDom

Running enterprise tests on : domaina.local
Starting test: Intersite
......................... domaina.local passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
A KDC could not be located - All the KDCs are down.
......................... domaina.local failed test FsmoCheck



We checked ADSS and NO items of historical servers were found.

Any ideas? Cause I'm pretty stuck on this... :(
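Added example, not part of the original post: a PowerShell script that checks, from a machine in forest B, the things the failing dcdiag tests above depend on. Error 1203 ("No network provider accepted the given network path") is what you get when the name dcdiag was given, here the short name DC1, does not resolve from the machine running it, and error 1722 (RPC server unavailable) from DsGetDcName usually means the DC locator SRV records or port 135 cannot be reached. So the script tests short-name and FQDN resolution, the SRV records, the ports, and finally asks the locator and the trust directly. domaina.local and DC1 are taken from the dcdiag output; Resolve-DnsName and Test-NetConnection are Windows 8/2012-era cmdlets rather than 2003-era tools, and $env:USERDNSDOMAIN is assumed to be the local (forest B) domain.

```powershell
# Added example, not code from the thread. Checks, from the other forest, what
# dcdiag's NetLogons/Advertising/FsmoCheck tests depend on: short-name resolution,
# FQDN resolution, the DC locator SRV records and the ports they use.
# Domain and DC names come from the dcdiag output above; the rest is assumed.
# Needs the DnsClient and NetTCPIP modules (Windows 8 / 2012 or later).
param(
    [string]$RemoteDomain = 'domaina.local',   # domain being diagnosed ("domaina.local" above)
    [string]$RemoteDc     = 'DC1'              # short name dcdiag printed
)

function Test-Resolves([string]$Name) {
    # -DnsOnly disables LLMNR/NetBIOS fallback, so this reports what DNS alone can do
    try { [void](Resolve-DnsName -Name $Name -DnsOnly -ErrorAction Stop); $true } catch { $false }
}

$fqdn   = "$RemoteDc.$RemoteDomain"
$report = [ordered]@{
    ShortNameResolves = Test-Resolves $RemoteDc   # $false => every "[DC1]" step in dcdiag fails with 1203
    FqdnResolves      = Test-Resolves $fqdn
}

# Locator records DsGetDcName (error 1722 above) needs. The gc record lives under the
# forest root, which here is the same domain because each forest holds one domain.
foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_ldap._tcp.gc._msdcs') {
    $name = "$svc.$RemoteDomain"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
               Where-Object { $_.NameTarget }
        $report[$name] = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    } catch {
        $report[$name] = "FAIL: $($_.Exception.Message)"
    }
}

# Ports behind the failing tests: 135 (RPC endpoint mapper, 1722), 445 (SMB named
# pipes, 1203), 389 and 88 (LDAP, Kerberos), 53 (DNS)
foreach ($port in 53, 88, 135, 389, 445) {
    $tcp = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    $report["tcp/$port"] = $tcp.TcpTestSucceeded
}

# Ask the locator and the trust directly, as a 2003 admin would from a prompt
$report.DsGetDc     = (nltest "/dsgetdc:$RemoteDomain" /force 2>&1) -join ' '
$report.TrustVerify = (netdom trust $env:USERDNSDOMAIN "/domain:$RemoteDomain" /verify 2>&1) -join ' '

[pscustomobject]$report | Format-List
```

Read the report top-down: if ShortNameResolves is false while FqdnResolves is true, the trust and the DCs are fine and the problem is purely which name the client is handed, which is the direction the thread eventually goes.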
 

THIS LOOKS LIKE THE ANSWER TO OUR ISSUE:
(FIRST TESTS WITH THIS WERE SUCCESSFUL) ;o)

I figured out what was causing this issue. I was receiving this error due to a name resolution issue. The default functionality for DFS is to use NetBIOS names in the response to clients. The clients in the other domain do not use WINS, only DNS. Since the DFS servers were only issuing \\servername instead of \\servername.something.com, the resolution would fail, giving me the error above.

There are a couple of solutions to this type of problem, but we ended up pushing a GPO to all workstations in forest1 to configure DNS suffix search orders, and everything has been working well. I will note that there is a registry key that can be put on the DFS servers to configure them to use DNS FQDNs; however, for domain-based DFS roots it requires you to export all links and recreate your roots and then import your links with modified FQDN addresses... We chose the DNS suffix route instead for now... :)
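The cause described in the quoted post, as an added example rather than code from the thread: a PowerShell script that lists the targets a domain-based namespace refers clients to, tests whether each target resolves as issued and as an FQDN, and, with -Apply, carries out both fixes the post mentions (the suffix search list the GPO pushes, and the DfsDnsConfig registry value that makes a namespace server hand out FQDNs). The namespace path \\domaina.local\dfs and the suffix are assumptions, and Get-DfsnRootTarget/Get-DfsnFolderTarget need the DFSN module, which post-dates the 2003 servers in the thread. One caveat a pentester would add: when a short name fails DNS, the Windows resolver falls back to LLMNR and NetBIOS broadcasts that any host on the segment can answer, so making the referrals FQDNs is the stronger of the two fixes, not just the tidier one.

```powershell
# Added example, not code from the thread. Lists the targets a domain-based DFS
# namespace hands out, tests whether each resolves from this client as-is and as an
# FQDN, and (with -Apply) performs both fixes the post above describes.
# Namespace path and suffix are assumptions. Needs the DFSN module (RSAT "DFS
# Management Tools") and the DnsClient module, both newer than the 2003 thread.
param(
    [string]$Namespace    = '\\domaina.local\dfs',   # assumed namespace root in forest A
    [string]$RemoteSuffix = 'domaina.local',         # DNS suffix of the forest hosting it
    [switch]$Apply                                   # without it, report only
)

function Test-Resolves([string]$Name) {
    try { [void](Resolve-DnsName -Name $Name -DnsOnly -ErrorAction Stop); $true } catch { $false }
}

# Root targets plus every folder (link) target in the namespace
$targets = @(Get-DfsnRootTarget -Path $Namespace) +
           @(Get-DfsnFolder -Path "$Namespace\*" -ErrorAction SilentlyContinue |
             ForEach-Object { Get-DfsnFolderTarget -Path $_.Path })

$findings = foreach ($t in $targets) {
    $server = ($t.TargetPath -split '\\')[2]        # \\server\share -> server
    $fqdn   = if ($server.Contains('.')) { $server } else { "$server.$RemoteSuffix" }
    [pscustomobject]@{
        Referral       = $t.TargetPath
        ServerIsFqdn   = $server.Contains('.')
        ResolvesAsIs   = Test-Resolves $server     # $false => "configuration could not be read" error
        ResolvesAsFqdn = Test-Resolves $fqdn
    }
}
$findings | Format-Table -AutoSize

if ($Apply) {
    # Fix A (client side, what the post chose): add the other forest's suffix to the DNS
    # suffix search list so "\\server" is retried as "server.domaina.local". The
    # "DNS Suffix Search List" GPO (Computer Configuration > Administrative Templates >
    # Network > DNS Client) pushes the same value through
    # HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList.
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    if ($current -notcontains $RemoteSuffix) {
        Set-DnsClientGlobalSetting -SuffixSearchList ($current + $RemoteSuffix)
    }

    # Fix B (server side, the "registry key" the post mentions): make the namespace
    # server issue FQDN referrals. Run on each namespace server; for domain-based roots
    # the existing root targets still have to be re-created with FQDNs, as the post says.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters' `
                     -Name DfsDnsConfig -Value 1 -Type DWord
    Restart-Service -Name Dfs
}
```

A row with ServerIsFqdn false, ResolvesAsIs false and ResolvesAsFqdn true is exactly the post's situation: the referral is fine, the client just has no suffix to complete it with.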
 
Wondering if you could help me out with a similar problem.

2 domains; I need a two-way full trust between the two.

We run Citrix on Domain A and I need to add all users from Domain B to Domain A's Citrix server's Remote Desktop group, or else I can't have Domain B's user accounts authenticated.

The two-way trust is fully authenticated and verified, yet the AD objects from Domain B do not populate on Domain A. I have recently changed my Symantec EP and removed the Network Threat Protection, I have recreated the DNS and nslookup results appear valid (I think), the VPN is fully open between the sites, and in Network Neighborhood I can see Domain B from Domain A and access all shares across the network without a password being required. The system seems fine, BUT I need to get the objects to populate. Would you have any ideas what may cause this?

Thank You,
 
Do you have a two-way forest trust or a two-way domain trust?

I.o.w., do you have 2 domains in different forests, or do you have 2 domains in the same forest (child-parent domain)?
 
Sorry, I should have been more specific.

Windows 2003 on both servers.

Two-way domain trust. Each domain has its own unique name, though they are under the same company; one domain is in Canada, the other in the USA.

One server is 2003 Standard, the other is 2003 Enterprise Server.

I had this working before, when I had the 2003 server (Standard) trusted with a 2000 server; when I had problems with the 2000 server I formatted the server to 2003 Enterprise Server.

 

Some more questions to help you find your way:

- Did you properly remove the 2000 server from the Active Directory?
- Do you use the same or a different server name?
- Do you use the same IP address or a different one?
- Did you check ADSS for historical elements that shouldn't be there anymore?
- Did you run dcdiag, and what was the result?
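The checklist above as commands rather than console clicks, added here and not part of the thread: a PowerShell script that lists the server objects under the Sites container together with whether each still has NTDS Settings and matches a live DC (leftovers from the crashed 2000 DC show up as mismatches), checks what DNS and the SPN database say about the reused name, and runs the dcdiag tests most relevant to a rebuilt DC. domainb.local and DC1 are assumed names; the ActiveDirectory module (RSAT) and, when pointed at the other domain, an account allowed to read its configuration partition are required; setspn -X needs the Windows 2008 or later setspn.

```powershell
# Added example, not code from the thread: runs the checklist above against one
# domain. Domain and server names are assumptions.
param(
    [string]$Domain = 'domainb.local',   # assumed: the domain whose DC was rebuilt
    [string]$DcName = 'DC1'              # assumed: the server name that was reused
)

Import-Module ActiveDirectory
$cfgNC = (Get-ADRootDSE -Server $Domain).configurationNamingContext

# Questions 1 and 4: leftover metadata in AD Sites and Services. A server object
# without an NTDS Settings child, or one whose dNSHostName is not a live DC, is a
# remnant of the old server and is what "ntdsutil metadata cleanup" removes.
$liveDcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
$servers = Get-ADObject -Server $Domain -SearchBase "CN=Sites,$cfgNC" `
                        -LDAPFilter '(objectClass=server)' -Properties dNSHostName
$siteReport = foreach ($s in $servers) {
    $ntds = Get-ADObject -Server $Domain -SearchBase $s.DistinguishedName `
                         -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    [pscustomobject]@{
        Server          = $s.Name
        DnsHostName     = $s.dNSHostName
        HasNtdsSettings = [bool]$ntds
        IsLiveDc        = $liveDcs -contains $s.dNSHostName
    }
}
$siteReport | Format-Table -AutoSize

# Questions 2 and 3: the same name and address were reused. DNS must point the name
# at one host only, and no second account may carry the same SPNs (the rebuilt
# machine got a new computer object; a stale one with the same name breaks Kerberos).
Resolve-DnsName -Name "$DcName.$Domain" -Type A -DnsOnly -ErrorAction Continue |
    Select-Object Name, IPAddress
Get-ADComputer -Server $Domain -LDAPFilter "(name=$DcName)" -Properties servicePrincipalName |
    Select-Object DistinguishedName, @{n='SPNs'; e={ $_.servicePrincipalName -join ', ' }}
setspn -X -F        # forest-wide duplicate SPN report

# Question 5: dcdiag against the rebuilt DC, limited to the tests a rebuild disturbs
dcdiag /s:"$DcName.$Domain" /test:Advertising /test:NetLogons /test:Replications /test:Services
```

The Sites report is the part worth reading first: a server entry for the old 2000 machine that still exists, or a duplicate entry for the reused name, is the "historical element" the fourth question is asking about.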
 
- Did you properly remove the 2000 server from the Active Directory?

I don't know, probably not, since the 2000 server blue-screened and I could not recover it. I looked in Domain A's records but did not find anything.

- Do you use the same or a different server name?
After formatting the server I named it exactly the same as before.

- Do you use the same IP address or a different one?
The IP address is exactly the same as before.

- Did you check ADSS for historical elements that shouldn't be there anymore?

I checked AD Sites and Services and did not see any left-overs.

- Did you run dcdiag, and what was the result?
I ran dcdiag, noticed systemlog errors, cleared them out of the event viewer, and dcdiag didn't report anything.

I also ran REPLMON.exe. I am unsure how to use this tool, but I think I have narrowed down an issue:

On Domain B, when I search a domain for replication errors, I search Domain A from Domain B using either the DNS name or the IP address, and when complete a message tells me errors will be listed (there are no errors).

On Domain A, when I do the opposite and connect to Domain B, I get an error stating there is no domain at that DNS name, and when I search by IP I get the same error: no domain.
 