Re: Not able to establish trust with another window 2003 domain
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 20 Oct 2006 11:56:21 +0100
Ok...
What type of trust are you trying to establish?
Use conditional forwarding and make sure that both ends can resolve each other, which means that you must configure the conditional forwarding at both ends, then perform the test at both ends. What are the results of:
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
nltest /dsgetdc:domain-name.com
When trying to establish the trust, use the PDCe of both domains. The PDCe on both sides of the trust needs to be able to resolve the other one.
Also take another close look at "How to configure a firewall for domains and trusts":
http://support.microsoft.com/kb/179442
If none of this works, check the following.
Remember that generally broadcast traffic isn't allowed between routers (unless you have relay agents, some switches/routers that allow this, etc.).
The MTU can be an issue. Test your MTU from the problem server by pinging the gateway of your router:
ping -f <router gateway IP> -l 1472
You will get one of three responses: the ping will return, it will say "Packet needs to be fragmented but DF set.", or it will time out.
If the ping times out, that means a downstream router has a mismatched MTU, and that is the probable reason for your connectivity issue. Incrementally reduce the 1472 until the ping returns.
If you get "Packet needs to be fragmented but DF set." at a low number of less than 1400, see if you can increase the MTU without a timeout. Ideally you would really like a number as close to 1500 as you can get. Be careful: set the MTU to a much too low number and it will affect your network performance. Check the maximum MTU size on your router.
Also check "Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail":
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060
I also thought about UDP fragmentation. Do you see any Kerberos errors in your Event Viewer?
By default, Kerberos authentication uses User Datagram Protocol (UDP) to transmit its data. UDP provides no guarantee that a packet sent along the network will reach its destination intact. Thus, in environments with a high amount of network congestion it is common for packets to get lost or fragmented on the way to their destination. Because the only way to decrease the likelihood of UDP fragmentation occurring is to reduce network traffic, a usually impractical solution, it is almost always better to configure the Kerberos authentication service to use TCP instead of UDP. TCP provides a guarantee that a packet that is sent will reach its destination intact and can therefore be used in any network environment. In order to force Kerberos authentication to use TCP, see
http://support.microsoft.com/kb/244474
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7BA0494F-DC18-441F-9AED-D34D04AC7C3D@xxxxxxxxxxxxxxxx
Hi Guys,
Thank you for the information. I had tried the suggestions from all of you guys but no luck. All the results using the Port Query tool on all ports are "listening" and "exit with return code 0x00000000". I assume all the ports are opened and working.
Also, I installed a new server in each domain and tried to create a DNS zone for each of the domains. Then I tried to establish the trust but it still fails. I tried to create a secondary zone on the newly created DNS server and tried to establish the trust again but it still fails. I also tried to create a stub zone for both domains and establish the trust again and it still fails. Conditional forwarding was also tried on both domain DNS servers and the trust still fails.
I had checked with the network guy and all the ports had been opened up on the firewall.
Is there anything I can try besides all these?
Thank you very much for the suggestions. Hope to hear more from you all guys.
Thank you
Eng
"Jorge Silva" wrote:
Hi
Download Port Query and test the available ports for domains and trusts:
http://support.microsoft.com/kb/310099
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE9430A2-6132-40CC-8AF3-3E4DFB60B5D2@xxxxxxxxxxxxxxxx
Hi All,
I have a problem establishing a trust with one of my domains. I have an existing Windows 2003 domain called Source and I am planning a migration. I set up a test Target domain, Windows 2003 as well, called Target, to test the migration. I try to create/establish a trust between these 2 domains but it fails with the following error: "The Local Security Authority is unable to obtain an RPC connection to the domain controller w2k3.source.local. Please check the name can be resolved and the server is available."
I had checked the name resolution and it's working. I had created conditional forwarding but it still fails. Also, I had edited the lmhosts file on both domain PDCs but it still fails. The RPC server services on both domains are started.
I had performed the NLTEST and NSLOOKUP and they came back with a positive result:
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
nltest /dsgetdc:domain-name.com
But I am still not able to resolve this issue.
I had tried to create a secondary zone on each DNS server in each domain but it still fails to establish the trust. Which means, on the Source DNS, I created a secondary zone of the Target domain, and on the Target domain DNS, I created a secondary zone of the Source domain.
Can anyone tell me what's wrong with my environment? Or something that I can do to resolve this issue?
Thank you
Eng
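The checks Jorge Silva lists in his reply at the top of this thread (SRV lookups for the remote domain's PDC emulator and DCs, nltest /dsgetdc, proving the KB 179442 trust ports with a real TCP connect rather than a firewall rule review, the ping -f -l MTU walk, and the KB 244474 MaxPacketSize value that forces Kerberos onto TCP) gathered into one PowerShell script. This is an added example for readers of the archive, not code from anyone in the original exchange. It assumes a Windows 8 / Server 2012 or later administrative host (for Resolve-DnsName) run as an administrator with English-language ping output; the domain name and gateway address are placeholders, and the function names are this example's own.

```powershell
# Added example, not from the original thread: one-sided trust-prerequisite check.
# Assumes: PowerShell 3+ on Windows 8 / Server 2012 or later (Resolve-DnsName), run as
# an administrator, English ping output. Domain name and gateway are placeholders.
param(
    [string]$RemoteDomain = 'source.local',   # placeholder: the domain on the other side of the trust
    [string]$Gateway      = '192.168.1.1'     # placeholder: router gateway used for the MTU probe
)

# 1. The SRV records the trust wizard needs: the remote PDC emulator and any remote DC.
#    Both ends must resolve each other's records (conditional forwarders on both DNS servers).
function Test-TrustSrvRecords([string]$Domain) {
    foreach ($name in "_ldap._tcp.pdc._msdcs.$Domain", "_ldap._tcp.dc._msdcs.$Domain") {
        $targets = @()
        try {
            $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' } |
                       ForEach-Object { "$($_.NameTarget):$($_.Port)" }
        } catch { }                                   # empty Targets = lookup failed: fix DNS first
        [pscustomobject]@{ Record = $name; Targets = @($targets) }
    }
}

# 2. The DC locator, the same lookup the LSA performs when it builds the trust.
function Test-DcLocator([string]$Domain) {
    $out = & nltest /dsgetdc:$Domain 2>&1
    [pscustomobject]@{ Succeeded = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

# 3. Fixed TCP ports from KB 179442 ("How to configure a firewall for domains and trusts").
#    The dynamic RPC range handed out by the endpoint mapper (135) is also needed and cannot be
#    proven open by a fixed list; PortQry or a packet capture covers that part.
$TrustPorts = @(
    @{ Port = 53;  Use = 'DNS' },                 @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135; Use = 'RPC endpoint mapper' }, @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445; Use = 'SMB' },                 @{ Port = 464;  Use = 'Kerberos kpasswd' },
    @{ Port = 636; Use = 'LDAPS' },               @{ Port = 3268; Use = 'Global Catalog' }
)
function Test-TrustPorts([string]$Server, [int]$TimeoutMs = 2000) {
    foreach ($p in $TrustPorts) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($Server, $p.Port, $null, $null)
        $open   = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        $client.Close()
        [pscustomobject]@{ Server = $Server; Port = $p.Port; Use = $p.Use; Open = $open }
    }
}

# 4. Path MTU walk with Don't Fragment set: 1472 bytes of payload + 28 bytes of IP/ICMP
#    header = 1500. "Packet needs to be fragmented but DF set." means the local MTU is below
#    that size; a timeout means a downstream router silently drops the oversized packet.
function Find-PathMtu([string]$Target, [int]$Start = 1472, [int]$Floor = 1200, [int]$Step = 8) {
    for ($size = $Start; $size -ge $Floor; $size -= $Step) {
        $out = (& ping -n 1 -f -l $size $Target) -join ' '
        if ($out -match 'TTL=') { return $size + 28 }   # got a reply: this size fits end to end
        # otherwise fragmentation message or "Request timed out.": try the next smaller size
    }
    return $null                                         # nothing down to $Floor worked: check the router
}

# 5. KB 244474: MaxPacketSize=1 under the Kerberos parameters key makes the client use TCP for
#    every ticket exchange, so large tickets cannot be lost to UDP fragmentation. Takes effect
#    after a restart.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
function Get-KerberosMaxPacketSize {
    (Get-ItemProperty -Path $KerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
}
function Set-KerberosUseTcp {
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    New-ItemProperty -Path $KerbKey -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
}

# Run the checks from this side; repeat the script from the other domain's PDCe.
$srv = Test-TrustSrvRecords $RemoteDomain
$srv | Format-Table -AutoSize
Test-DcLocator $RemoteDomain | Format-List
$pdc = ($srv | Where-Object { $_.Record -like '_ldap._tcp.pdc.*' }).Targets | Select-Object -First 1
if ($pdc) { Test-TrustPorts (($pdc -split ':')[0]) | Format-Table -AutoSize }
"Path MTU toward $Gateway : $(Find-PathMtu $Gateway)"
"Kerberos MaxPacketSize: $(Get-KerberosMaxPacketSize) (1 = always TCP; apply with Set-KerberosUseTcp)"
```

Run it once from each domain's PDC emulator with the other domain as -RemoteDomain: an empty Targets list or a failed nltest points at DNS, a closed port at the firewall, a path MTU well under 1500 at a router, and a missing MaxPacketSize is the value KB 244474 tells you to add before blaming the trust wizard.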