Re: Not able to establish trust with another window 2003 domain
- From: Eng <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Oct 2006 02:06:01 -0700
Hi guys,
My mistake. When I ping using "ping <gateway ip address> -f -l 1472" I
get a reply, not the "Packet needs to be fragmented but DF set". But when I
ping using "ping <gateway ip address> -f -l 1742", then I get the "Packet
needs to be fragmented but DF set" reply. I think the first time I ran it I used
the wrong packet size.
Besides, I tried to use my target domain to create a trust to one of my
production domains and it works. Only when I try to use my target domain to
establish a trust to my source does it fail.
I'm not sure what's going wrong but I believe that something is not right with
my source domain.
Hope to hear from you all guys soon.
Thanks
Eng
"Paul Bergson [MVP-DS]" wrote:
The error message you are receiving has to do with routing, not Windows. The
size of the packets is too big for the routers and the routers are not
allowed to break them up.
http://support.microsoft.com/default.aspx/kb/159211
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4B89048B-F082-44FD-8B23-D16A4B1DC24A@xxxxxxxxxxxxxxxx
Hi Jorge,
Thank you for your reply.
The trust that I am trying to create is an external trust.
I have tried creating conditional forwarding and performed the test at both
ends using:
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
The results are below:
C:\Documents and Settings\Administrator>nslookup -type=srv
_ldap._tcp.pdc._msdcs.target.local
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
_ldap._tcp.pdc._msdcs.target.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ky-target.target.local
ky-target.target.local internet address = 10.30.101.228
C:\Documents and Settings\Administrator>nslookup -type=srv
_ldap._tcp.dc._msdcs.target.local
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
_ldap._tcp.dc._msdcs.target.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = ky-target.target.local
ky-target.target.local internet address = 10.30.101.228
Also, I have checked the event viewer but there is no Kerberos related error. I
have applied the patch 913446 but still no luck.
I tried to ping the gateway using ping -f <gateway ip> -l 1742 and it replied
with "Packet needs to be fragmented but DF set." Is this the correct
result? I have read through your explanation but I still don't really
understand it. Can you elaborate more on this? Thanks.
Thank you
Eng
"Jorge Silva" wrote:
Ok...
What type of trust are you trying to establish?
Use conditional forwarding and make sure that both ends can resolve
each other, which means that you must configure the conditional
forwarding on both ends, then perform the test on both ends.
What results do you get from:
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
nltest /dsgetdc:domain-name.com
When trying to establish the trusts use both PDCe for both domains. The
PDCe on both sides of the trust need to be able to resolve one another.
Also take another close look at
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442
If none of this works, check:
Remember, generally broadcast traffic isn't allowed between routers
(unless you have relay agents, some switches/routers that allow this, etc.).
The MTU can be an issue. Test your MTU from the problem server by pinging
the gateway of your router:
ping -f <router gateway IP> -l 1472
You will get one of three responses:
the ping will return, "Packet needs to be fragmented but DF set." or it
will time out.
If the ping times out, that means a downstream router has a mismatched MTU,
and is the probable reason for your connectivity issue. Incrementally
reduce the 1472 until the ping returns.
If you get "Packet needs to be fragmented but DF set" at a low number
of less than 1400, see if you can increase the MTU without a timeout.
Ideally you would really like a number as close to 1500 as you can get. Careful:
set the MTU to much too low a number and it will affect your network
performance.
Check the MTU max size on your router.
Also check:
Installing security update MS05-019 or Windows Server 2003 Service Pack 1
may cause network connectivity between clients and servers to fail
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060
I also thought about UDP fragmentation. Do you see any Kerberos errors in
your event viewer?
By default, Kerberos authentication uses User Datagram Protocol (UDP) to
transmit its data. UDP provides no guarantee that a packet sent along the
network will reach its destination intact. Thus, in environments with a
high amount of network congestion it is common for packets to get lost or
fragmented on the way to their destination. Because the only way to
decrease the likelihood of UDP fragmentation occurring is to reduce network
traffic, a usually impractical solution, it is almost always better to configure
the Kerberos authentication service to use TCP instead of UDP. TCP provides a
guarantee that a packet that is sent will reach its destination intact
and can therefore be used in any network environment. In order to force
Kerberos authentication to use TCP, see
http://support.microsoft.com/kb/244474
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7BA0494F-DC18-441F-9AED-D34D04AC7C3D@xxxxxxxxxxxxxxxx
Hi Guys,
Thank you for the information. I have tried the suggestions by you all
guys but no luck. All the results using the Port Query tool show
all ports as "listening" and "exit with return code 0x00000000". I assume all
the ports are open and working.
Also, I installed a new server on each domain and tried to create a DNS
zone for each of the domains. Then I tried to establish the trust but it still fails. I
tried to create a secondary zone on the newly created DNS server and tried to
establish the trust again but it still fails. I also tried to create a
stub zone for both domains and establish the trust again and it still fails.
Conditional forwarding was also tried on both domains' DNS and the trust still
fails.
I have checked with the network guy and all the ports have been opened up on
the firewall.
Is there anything else that I can try to do besides all these?
Thank you very much for the suggestions. Hope to hear more from you all
guys.
Thank you
Eng
"Jorge Silva" wrote:
Hi
Download Port Query and test the available ports for domains and trusts
http://support.microsoft.com/kb/310099
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE9430A2-6132-40CC-8AF3-3E4DFB60B5D2@xxxxxxxxxxxxxxxx
Hi All,
I have a problem establishing a trust with one of my domains. I have an
existing Windows 2003 domain called Source and I am planning for a migration. I
set up a test Target domain, Windows 2003 as well, called Target, to test the
migration.
I try to create/establish a trust between these 2 domains but it fails with
the following error: "The Local Security Authority is unable to obtain
an RPC connection to the domain controller w2k3.source.local. Please check
the name can be resolved and the server is available."
I have checked the name resolution and it is working. I have created
conditional forwarding but it still fails. Also, I have edited the lmhosts file on both
domain PDCs but it still fails. The RPC server service on both domains is
started.
I have performed the NLTEST and NSLOOKUP and they come back with a positive
result.
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
nltest /dsgetdc:domain-name.com
But I am still not able to resolve this issue.
I have tried to create a secondary zone on each DNS server in each domain
but still fail to establish the trust. Which means, on the Source DNS, I created
the secondary zone of the Target domain, and on the Target domain DNS, I created
a secondary zone of the Source domain.
Can anyone tell me what's wrong with my environment? Or something
that I can do to resolve this issue?
Thank you
Eng
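Jorge's MTU probe (ping -f -l 1472 and reduce until the ping returns) and the KB 244474 Kerberos-over-TCP setting he links, as an added PowerShell example that is not part of this thread; it searches the payload size with DF set instead of stepping one byte at a time, and only reads the registry. The gateway address is a placeholder and the value name MaxPacketSize is the one documented in KB 244474.

```powershell
# Added example, not from the thread: find the largest ICMP payload that crosses the
# path to the gateway without fragmentation (Windows ping -f = DF set, -l = payload size).
# Path MTU = payload + 20 bytes IP header + 8 bytes ICMP header.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Gateway,   # placeholder: your router gateway IP
        [int]$Low  = 1200,   # below this the thread already considers the MTU "too low"
        [int]$High = 1472    # 1472 + 28 = 1500, the usual Ethernet MTU
    )
    $best = $null
    # Binary search over the payload size; each probe is one ping with DF set.
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        $out = ping.exe -n 1 -w 1000 -f -l $mid $Gateway 2>&1 | Out-String
        if ($out -match 'needs to be fragmented') {
            $High = $mid - 1                 # DF packet rejected: too big for some hop
        } elseif ($out -match 'TTL=') {
            $best = $mid; $Low = $mid + 1    # echo reply came back: this size fits
        } else {
            $High = $mid - 1                 # no reply: a hop silently drops DF packets
        }
    }
    if ($null -eq $best) { return $null }    # nothing got through at all
    [pscustomobject]@{ Payload = $best; PathMtu = $best + 28 }
}

# KB 244474: a REG_DWORD MaxPacketSize = 1 under the Kerberos Parameters key makes
# Windows send Kerberos over TCP regardless of ticket size. This function only reports
# the current value; it does not change it.
function Test-KerberosForcedTcp {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    [pscustomobject]@{ MaxPacketSize = $v; ForcedTcp = ($v -eq 1) }
}

Find-PathMtu -Gateway '192.0.2.1'   # placeholder gateway address
Test-KerberosForcedTcp
```

A PathMtu well under 1500, or a missing MaxPacketSize on the DCs, matches the two conditions the thread suggests checking before looking further at the trust itself.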