
Trust Relationship between 2 domains


ioki

Technical User
Mar 12, 2003
1) Domain A and Domain B are separated by an ADSL WAN with the weakest bandwidth at approx. 256kb
2) all communications between A and B take place over a VPN over the WAN described above
3) All DCs in both domains are in native mode and are Windows 2000 Server SP3; there are TWO DCs in each domain
4) the trust relationship appears to be created when seen from the AD Domains and Trusts tool

this is where our trouble starts:

we used to have a working trust relationship between the domains. it was very very slow in network response time when browsing the other domain through Network Neighbourhood, but hey, it worked!!

then our trouble started.. periodically throughout the day we'd get errors like "no logon servers available"

so we thought we'd remove the trust and re-create it, but we haven't been able to get authenticated into the other network since.

some more facts: when on either domain's DC we execute "nltest /sc_query:<other Domain Name>",
sometimes we get success and other times we get ERROR_NO_LOGON_SERVERS

but running netdom on any of the DCs will produce "secure channel from <DC Name> to the domain <The other domain> has been verified."

any suggestions?

i think it might have something to do with the outbound of the ADSL link which currently stands at 256kb, but have no proof of it.

i've tried to adjust the "expectDialUpDelay" registry value to say 300 seconds and all that seems to do is slow the startup time of the DC to a crawl.

thanx in advance
 
Go into Sites and Services and define your two SUBNETS...if you haven't already done this. sometimes people make the mistake of leaving computers in the default bucket... This would be a mistake because all computers would "think" that they are local (LAN connected) to one another.

If you define your sites properly, the clients will look to the local DC rather than trying to logon through the DSL connection.

-just a thought.

Joseph L. Poandl
MCSE 2000

If your company is in need of experts to examine technical problems/solutions, please check out
 
as the two domains are 2 distinct domains, not 2 sites under the one domain, would your solution still hold?
 
Yes, I would define my sites (in each domain)

If you have multiple subnets, you should always define your site...rule of thumb.

Give it a try..

Joseph L. Poandl
MCSE 2000

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
dear all,

this issue is now resolved.

the core of the problem was traced to one of Microsoft's RPC security bugs (M0030-10 from memory); as a result of the security alert, we patched our firewall (checkpoint-1) to check and drop malformed RPC packets.

events that occurred right after an initiation of verification of trust:

* initial emap (RPC) packet sent from either DC was accepted and passed on by firewall
* all subsequent emap packets were deemed malformed and dropped silently.

Microsoft was supposed to have resolved the issue with an RPC patch, but the version number supplied with "Q331953_W2K_SP4_X86_EN.exe" did not install the correct DLL version.

perhaps SP4 will nail the RPC issue.
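As an added illustration (not code from this thread or from Check Point), here is a small Python check for the pattern the last post describes: the first endpoint-mapper (TCP 135) packet between two DCs is accepted by the firewall and every later one in the same flow is dropped. The log layout and addresses are constructed for the example and do not reproduce Check Point's real log format.

```python
"""Find RPC endpoint-mapper flows where an accept is followed by drops."""
from collections import defaultdict

# Constructed sample firewall log (hypothetical layout):
# time action src dst dport [extra fields]
SAMPLE_LOG = """\
10:01:02 accept 10.1.0.10 10.2.0.10 135
10:01:02 drop   10.1.0.10 10.2.0.10 135 reason=malformed_rpc
10:01:03 drop   10.1.0.10 10.2.0.10 135 reason=malformed_rpc
10:01:05 accept 10.1.0.10 10.2.0.10 389
10:01:06 accept 10.2.0.11 10.1.0.10 135
10:01:06 accept 10.2.0.11 10.1.0.10 135
"""

RPC_EPMAP_PORT = 135  # RPC endpoint mapper, the first hop of a trust/secure-channel check


def parse_line(line):
    """Split one constructed log line into its named fields."""
    fields = line.split()
    ts, action, src, dst, dport = fields[:5]
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def find_epmap_drop_after_accept(log_text):
    """Return (src, dst, dropped_count) for each port-135 flow whose first
    packet was accepted but later packets were dropped."""
    flows = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dport"] != RPC_EPMAP_PORT:
            continue  # only the endpoint-mapper traffic matters here
        flows[(rec["src"], rec["dst"])].append(rec["action"])

    suspicious = []
    for (src, dst), actions in flows.items():
        if actions[0] == "accept" and "drop" in actions[1:]:
            suspicious.append((src, dst, actions[1:].count("drop")))
    return sorted(suspicious)


if __name__ == "__main__":
    for src, dst, dropped in find_epmap_drop_after_accept(SAMPLE_LOG):
        print(f"{src} -> {dst}: first epmap packet accepted, {dropped} later dropped")
```

A flow that shows up here while nltest alternates between success and ERROR_NO_LOGON_SERVERS points at the firewall's RPC inspection rather than at the WAN link.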
 