RE: Trusts between two Windows 2003 forests problem
- From: "gordonah" <gordonah@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 3 Oct 2005 03:17:02 -0700
Pete
In theory for two W2K3 forests, you should only need DNS resolution, but I
keep finding that the death of NetBIOS has been greatly exaggerated.
I assume that as the forests are under the same namespace, then they can
resolve each other by going up to the root if nothing else, but this can be
made more efficient by using conditional forwarding or some other way
(cross-hosting secondary zones, stub zones) of ensuring direct resolution.
Making sure you specify the domain FQDN rather than the domain NetBIOS should
also serve to 'force' use of DNS to resolve the respective domains.
If it is necessary to use NetBIOS resolution, as provided by the LMHOSTS
files, then WINS is the preferred alternative (install WINS server, point DCs
to WINS server). Note that although LMHOSTS are generally frowned upon, they
do still have their uses, especially in a small environment where the number
of files is manageable.
The errors seem to indicate that the resources in one domain cannot find or
authenticate to resources in the other. These clients would also need to be
able to find the domain, either through DNS or NetBIOS resolution. If NetBIOS
(not unlikely given how printers and shares are accessed, and how many apps
are written), then you would certainly need WINS, as local LMHOSTS on PCs
would almost certainly be unmanageable. If DNS, then it's the same as I wrote
above regarding cross-forest resolution.
Hope I'm not barking up the wrong tree, but most trusts issues I come across
are due to name resolution issues (others tend to be down-level security
issues).
Gordon
"pete" wrote:
> I have two different forests called localnet.dilbert.net and
> extweb.dilbert.net and I am running into problems with the forest wide trust.
> extweb.dilbert.net was upgraded from the Windows NT4 domain called extweb. In
> order to create the trusts I had to use lmhost files on both domains to
> point to the domain controllers of the other domain, if I did not I would
> get this message:
> "The verification of the incoming trust failed with the following error(s):
> The trust password verification test was inconclusive.
> A secure channel reset will be attempted.
> The secure channel reset failed with error 1311:
> There are currently no logon servers available to service the logon request.
> "
>
> It was my understanding that the use of lmhost files was frowned upon and
> those files were being phased out. How can I create a forest trust between
> the two forests without using the lmhost file?
>
> Ever since that day that I created the forest trust people have been getting
> the following error in the event logs:
> Source: Userenv
> Eventid: 1053
> User: NT AUTHORITY\SYSTEM
> Description:
> "Windows cannot determine the user or computer name. (The specified domain
> either does not exist or could not be contacted. ). Group Policy processing
> aborted."
>
> Source: LSASRV
> Eventid: 40961
> User: N/A
> Description:
> "The Security System could not establish a secured connection with the
> server cifs/triton.dilbert.net. No authentication protocol was available."
>
> Source: NETLOGON
> Eventid: 5719
> User: NEBULA
> Description:
> "No Domain Controller is available for domain LOCALNET due to the following:
> There are currently no logon servers available to service the logon request.
> ..
> Make sure that the computer is connected to the network and try again. If
> the problem persists, please contact your domain administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp."
>
> Any help with the above would be greatly appreciated
>
>
>
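One way to apply the DNS-only approach suggested in the reply (conditional forwarding plus domain FQDNs), as an added example that is not part of the original thread. It assumes it is run on a DNS server/DC in localnet.dilbert.net with the Windows Server 2003 Support Tools installed (for nltest and netdom); 192.0.2.10 is a placeholder for the address of a DNS server in extweb.dilbert.net.

```bat
@echo off
rem Added example, not from the thread. Run on a DNS server/DC in
rem localnet.dilbert.net, then repeat in extweb.dilbert.net with the
rem names swapped and REMOTE_DNS pointing at a localnet DNS server.

rem Forest on the other side of the trust, always as a DNS FQDN.
set LOCAL=localnet.dilbert.net
set REMOTE=extweb.dilbert.net

rem PLACEHOLDER address (documentation range): replace with the IP of a
rem DNS server that is authoritative for the remote forest's zone.
set REMOTE_DNS=192.0.2.10

rem 1. Create a conditional forwarder so queries for the remote forest
rem    go straight to its DNS server instead of up through the root.
dnscmd . /ZoneAdd %REMOTE% /Forwarder %REMOTE_DNS%

rem 2. Confirm the DC locator SRV records of the remote forest resolve.
rem    The answer should list the remote domain controllers; an empty
rem    or failed answer means the trust will fall back to NetBIOS.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE%

rem 3. Ask Netlogon to locate a remote DC by FQDN, bypassing its cache.
rem    This exercises the same lookup the trust verification depends on.
nltest /dsgetdc:%REMOTE% /force

rem 4. Re-verify the trust using FQDNs on both sides (not LOCALNET/EXTWEB),
rem    so that DNS rather than NetBIOS is used to find the other domain.
netdom trust %LOCAL% /d:%REMOTE% /verify
```

If steps 2 and 3 succeed from both forests without LMHOSTS entries in place, the remaining Netlogon 5719 and Userenv 1053 events on clients point to those clients' own resolver settings rather than to the DCs.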