Re: Not able to establish trust with another window 2003 domain



Other problems related with 40960 could be - This behavior occurs when you restart the server that was promoted to a domain controller. In this scenario, the Windows Time service (W32Time) tries to authenticate before Directory Services has started.
Event IDs 40960 and 40961 in the System Event Log When You Restart Windows Server 2003 After You Run Dcpromo.exe
http://support.microsoft.com/kb/823712/en-us
Situation 2
LSASRV Event IDs 40960 and 40961 When You Promote a Server to a Domain Controller Role
http://support.microsoft.com/kb/824217/en-us
Other Related:
You cannot access network resources after you try to log on to a Windows XP Service Pack 2-based computer
http://support.microsoft.com/kb/885887/en-us
You cannot access resources after you install Security Bulletin MS04-011 or Windows XP Service Pack 2
http://support.microsoft.com/kb/891559/en-us
Logon Authentication, Active Directory Replication, and Domain Joins Do Not Complete Successfully
http://support.microsoft.com/kb/315150/en-us
--
I hope that the information above helps you
Good Luck

Jorge Silva
MCSA
Systems Administrator
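
A triage helper for the Event ID 40960 description quoted in this thread, added here as an example and not code from any poster: it extracts the SPN, the protocol and the NTSTATUS code, then counts failures per host. The status names are from ntstatus.h; the second sample event, its host name and all function names are constructed.

```python
import re
from collections import Counter

# NTSTATUS names from ntstatus.h; only 0xc0000072 appears in the thread itself.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

PATTERN = re.compile(
    r'authentication error for the server (?P<spn>\S+)\. '
    r'The failure code from authentication protocol (?P<proto>\w+) was '
    r'"(?P<text>.*?) ?\((?P<code>0x[0-9a-fA-F]{8})\)"')

def parse_40960(description):
    """Return the fields of one 40960 description, or None if it does not match."""
    flat = " ".join(description.split())  # undo line wrapping from the event export
    m = PATTERN.search(flat)
    if m is None:
        return None
    service, _, host = m["spn"].partition("/")
    code = int(m["code"], 16)
    return {"spn": m["spn"], "service": service, "host": host.lower(),
            "protocol": m["proto"], "code": code,
            "status": NTSTATUS.get(code, "UNKNOWN_0x%08x" % code)}

def summarize(descriptions):
    """Count events per (host, status) so repeated failures against one DC stand out."""
    counts = Counter()
    for text in descriptions:
        event = parse_40960(text)
        counts[(event["host"], event["status"]) if event else ("<unparsed>", "")] += 1
    return counts

# Description as quoted in the thread (line wrapping kept on purpose).
FROM_THREAD = '''The Security System detected an authentication error for
the server cifs/ky-target.TARGET.LOCAL. The failure code from authentication
protocol Kerberos was "The referenced account is currently disabled and may
not be logged on to.
(0xc0000072)".'''
# Constructed second event for the summary; the host name is made up.
CONSTRUCTED = ('The Security System detected an authentication error for the '
               'server ldap/dc1.source.example. The failure code from authentication '
               'protocol Kerberos was "The attempted logon is invalid. (0xc000006d)".')

if __name__ == "__main__":
    print(summarize([FROM_THREAD, FROM_THREAD, CONSTRUCTED, "unrelated text"]))
```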

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:uLm%23qyaAHHA.4212@xxxxxxxxxxxxxxxxxxxxxxx
Hi
The 40960 errors can have some different causes: - Generally, these errors can be safely ignored. These errors occur because the DNS server doesn't have a Reverse Lookup Zone configured. Although Active Directory doesn't need a Reverse Lookup Zone to function, Windows 2003 and XP try to make a secure PTR registration, and because the Reverse Lookup Zone isn't configured, the OS tries to make a secure PTR registration at the external DNS that is authoritative over the reverse lookup of the IP on the machine's local interface. If it's a private address it will say cannot establish a secured connection with the server prisoner.iana.org. Also, nslookup will report "Can't find server name for address <IPAddressOfDNSServer>"

Solution: 1-Create a Reverse Lookup Zone.

-----------

I know that I started to answer this post but unfortunately I can't see all the thread.

Test your MTU from the problem server by pinging the gateway of your router:
ping -f <IP> -l 1472



You need to start at your problem server, with a 1472 byte packet, then ping your machine gateway (router if any) address with a 1472 byte packet, then ping the next gateway with 1472 byte packet, etc. until you reach the other server.

If you ping a router that returns a time out or "Packet needs to be fragmented but DF set.", then you should reduce the packet size to that router until the ping returns.
Then find the issue with that router as to why it is using a reduced MTU setting and increase the router MTU.

--
I hope that the information above helps you
Good Luck


Jorge Silva
MCSA
Systems Administrator
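
The hop-by-hop test described above, as an added example (not code from the thread): each gateway is probed with DF set, starting at 1472 bytes (1472 + 28 bytes of IPv4 and ICMP header = 1500), and a binary search finds the largest payload that still gets a reply. `windows_ping_df` assumes the Windows `ping -n 1 -f -l` syntax; the hop addresses and MTU values in the simulated path are constructed.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def windows_ping_df(host, size):
    """One echo request with DF set (Windows syntax); True if a reply came back."""
    out = subprocess.run(["ping", "-n", "1", "-f", "-l", str(size), host],
                         capture_output=True, text=True).stdout
    # Echo replies carry "TTL="; time-outs and "needs to be fragmented" do not.
    return "TTL=" in out

def max_df_payload(host, probe=windows_ping_df, high=1472, low=0):
    """Largest payload in [low, high] that host answers with DF set, or None."""
    if probe(host, high):
        return high
    if not probe(host, low):
        return None  # no reply even with an empty payload: not an MTU problem
    while high - low > 1:  # invariant: low gets a reply, high does not
        mid = (low + high) // 2
        if probe(host, mid):
            low = mid
        else:
            high = mid
    return low

def first_reduced_hop(hops, probe=windows_ping_df, full=1472):
    """Walk hops in path order; return (hop, payload, mtu) for the first hop
    that cannot pass `full`, or None when every hop passes it."""
    for hop in hops:
        best = max_df_payload(hop, probe, high=full)
        if best is None:
            return (hop, None, None)
        if best < full:
            return (hop, best, best + IP_ICMP_OVERHEAD)
    return None

# Constructed path for an offline run: the second router clamps the MTU to 1400.
SAMPLE_PATH_MTU = {"192.0.2.1": 1500, "192.0.2.65": 1400, "192.0.2.130": 1400}

def simulated_probe(host, size):
    """Stand-in for windows_ping_df that answers from SAMPLE_PATH_MTU."""
    return size + IP_ICMP_OVERHEAD <= SAMPLE_PATH_MTU[host]

if __name__ == "__main__":
    print(first_reduced_hop(list(SAMPLE_PATH_MTU), simulated_probe))
```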

"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message news:%23QnTwkaAHHA.1012@xxxxxxxxxxxxxxxxxxxxxxx
I don't know what else to tell you. I'm not sure the 40960 even has anything to do with your problem.

You could use the KB 889030 and see if there is value in it. It was written for NT to AD but there may be issues in it that could help you as well.
http://support.microsoft.com/default.aspx/kb/889030/en-us

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:ED04FC4D-9D6E-43D2-942D-409C76ED91DB@xxxxxxxxxxxxxxxx
Hi,

Thank you for the reply.

No. The time of the two server is the same. No different. I had check all
the servers and all their time is the same. No delay.

Thank you

Eng

"Paul Bergson [MVP-DS]" wrote:


Is the time on the two servers within 5 minutes of one another?


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A71801D5-051B-4A3E-9834-80EFF38AE1AC@xxxxxxxxxxxxxxxx
> Hi,
>
> I had follow exactly the same that stated in your article but still fail.
> Also, i had try to use your web tool to generate the syntax but still
> fail.
>
> I try to remove the trust that created at my Source and re-create again.
> But this time its fail with the same error. Really headache with this issue.
>
> Anything else that i can try?
>
> Thank you
>
> Eng
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> The spaces in the lmhost names for the dc's and domain names is critical,
>> be sure that both are properly spaced, that is why I pointed to this in my
>> article I sent you to read.
>>
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A3B6EA10-F93E-412F-BECC-0B566709E55A@xxxxxxxxxxxxxxxx
>> > Hi Paul,
>> >
>> > Thank you for your reply.
>> >
>> > The lmhost file is working but is only working for my source domain.
>> > Which mean, my source domain able to create a trust to the target, but
>> > when I try to create the trust from my target to my source, its fail
>> > again with the same error.
>> >
>> > I try to remove the lmhost file and copy from my source domain pdc and
>> > change the name and ip and try again. But its fail too.
>> >
>> > On my source, I try to verify the trust after i had created the trust
>> > but it fail. (Strange, I can create the trust but I cannot verify the
>> > trust). I open event viewer and found that the following event id is log,
>> > Event ID: 40960
>> > Description: The Security System detected an authentication error for
>> > the server cifs/ky-target.TARGET.LOCAL. The failure code from
>> > authentication protocol Kerberos was "The referenced account is
>> > currently disabled and may not be logged on to.
>> > (0xc0000072)".
>> >
>> > I try to search MS website but fail to find a solution. Any idea what
>> > is going on?
>> >
>> > Thank you
>> >
>> > Eng
>> >
>> >
>> > "Paul Bergson [MVP-DS]" wrote:
>> >
>> >> You could try creating an LMHosts file and see if that helps.
>> >>
>> >> Go to my website and lookup trust setup on an nt4 v 2003. This should
>> >> work for 2003 v 2003, it even has a fool proof way to setup the LMHost
>> >> records.
>> >>
>> >> http://www.pbbergs.com
>> >> Select articles and click on NT4 -v- Active Directory Trust
>> >>
>> >> --
>> >> Paul Bergson
>> >> MVP - Directory Services
>> >> MCT, MCSE, MCSA, Security+, BS CSci
>> >> 2003, 2000 (Early Achiever), NT
>> >>
>> >> http://www.pbbergs.com
>> >>
>> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >> "Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:9DD4123F-CA92-4087-BB2B-F05EDEDA9DB6@xxxxxxxxxxxxxxxx
>> >> > Hi Paul,
>> >> >
>> >> > Thank you for your reply.
>> >> >
>> >> > I had followed the instruction from the website that you provide but
>> >> > still no luck. I still getting the same error message "The Local
>> >> > Security Authority is unable to obtain an RPC connection from the
>> >> > domain controller DC1.target.local. Please check that the name can be
>> >> > resolved and that the server is available".
>> >> >
>> >> > I had verify that the RPC services is running and the name can be
>> >> > resolve on each domain.
>> >> >
>> >> > My source and target domain currently sitting on the same subnet. I
>> >> > don't think this is a problem right? correct me if i am wrong.
>> >> >
>> >> > Is there any other way that I can try/ do to resolve my issue?
>> >> >
>> >> > Thank you
>> >> >
>> >> > Eng
>> >> >
>> >> > "Paul Bergson [MVP-DS]" wrote:
>> >> >
>> >> >> I'm unclear as to what you have setup for dns. For now try setting
>> >> >> up a secondary of each others primary and see if you have any luck.
>> >> >>
>> >> >> Secondary
>> >> >> http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html
>> >> >>
>> >> >> http://support.microsoft.com/default.aspx/kb/816518/en-us
>> >> >>
>> >> >> --
>> >> >> Paul Bergson
>> >> >> MVP - Directory Services
>> >> >> MCT, MCSE, MCSA, Security+, BS CSci
>> >> >> 2003, 2000 (Early Achiever), NT
>> >> >>
>> >> >> http://www.pbbergs.com
>> >> >>
>> >> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> >> rights.
>> >> >>
>> >> >> "Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:CA618BAD-1FB8-44E5-8974-5CD31DB0AC6C@xxxxxxxxxxxxxxxx
>> >> >> > Hi guys,
>> >> >> >
>> >> >> > My mistake. when I ping using the "ping <gateway ip address> -f -l 1472"
>> >> >> > i got reply. Not the "Packet needs to be fragmented but DF set".
>> >> >> > But when I ping using the "ping <gateway ip address> -f -l 1742",
>> >> >> > then I get the "Packet needs to be fragmented but DF set" reply.
>> >> >> > I think the 1st time I run is using the wrong packet size.
>> >> >> >
>> >> >> > Beside, I try to use my target domain to create a trust to one of
>> >> >> > my production domain and its work. Only when I try to use my target
>> >> >> > domain to establish a trust to my source, its fail.
>> >> >> >
>> >> >> > I not sure what's going wrong but I believe that is something not
>> >> >> > right with my source domain.
>> >> >> >
>> >> >> > Hope to hear from you all guys soon.
>> >> >> >
>> >> >> > Thanks
>> >> >> >
>> >> >> > Eng
>> >> >> >
>> >> >> > "Paul Bergson [MVP-DS]" wrote:
>> >> >> >
>> >> >> >> The error message you are receiving has to do with routing not
>> >> >> >> Windows. The size of the packets are too big for the routers and
>> >> >> >> the routers are not allowed to break them up.
>> >> >> >>
>> >> >> >> http://support.microsoft.com/default.aspx/kb/159211
>> >> >> >>
>> >> >> >>
>> >> >> >> --
>> >> >> >> Paul Bergson
>> >> >> >> MVP - Directory Services
>> >> >> >> MCT, MCSE, MCSA, Security+, BS CSci
>> >> >> >> 2003, 2000 (Early Achiever), NT
>> >> >> >>
>> >> >> >> http://www.pbbergs.com
>> >> >> >>
>> >> >> >> Please no e-mails, any questions should be posted in the
>> >> >> >> NewsGroup
>> >> >> >> This posting is provided "AS IS" with no warranties, and confers
>> >> >> >> no rights.
>> >> >> >>
>> >> >> >> "Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> news:4B89048B-F082-44FD-8B23-D16A4B1DC24A@xxxxxxxxxxxxxxxx
>> >> >> >> > Hi Jorge,
>> >> >> >> >
>> >> >> >> > Thank you for your reply.
>> >> >> >> >
>> >> >> >> > The trust that I try to create is external trust.
>> >> >> >> >
>> >> >> >> > I had try to create conditional forwarding and perform the test
>> >> >> >> > at both end using
>> >> >> >> > nslookup -type=srv _ldap._tcp.pdc._msdcs.domain-name.com
>> >> >> >> > nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
>> >> >> >> > The result at below:
>> >> >> >> > C:\Documents and Settings\Administrator>nslookup -type=srv _ldap._tcp.pdc._msdcs.target.local
>> >> >> >> > Server: localhost
>> >> >> >> > Address: 127.0.0.1
>> >> >> >> >
>> >> >> >> > Non-authoritative answer:
>> >> >> >> > _ldap._tcp.pdc._msdcs.target.local SRV service location:
>> >> >> >> > priority = 0
>> >> >> >> > weight = 100
>> >> >> >> > port = 389
>> >> >> >> > svr hostname = ky-target.target.local
>> >> >> >> >
>> >> >> >> > ky-target.target.local internet address = 10.30.101.228
>> >> >> >> >
>> >> >> >> > C:\Documents and Settings\Administrator>nslookup -type=srv _ldap._tcp.dc._msdcs.target.local
>> >> >> >> > Server: localhost
>> >> >> >> > Address: 127.0.0.1
>> >> >> >> >
>> >> >> >> > Non-authoritative answer:
>> >> >> >> > _ldap._tcp.dc._msdcs.target.local SRV service location:
>> >> >> >> > priority = 0
>> >> >> >> > weight = 100
>> >> >> >> > port = 389
>> >> >> >> > svr hostname = ky-target.target.local
>> >> >> >> >
>> >> >> >> > ky-target.target.local internet address = 10.30.101.228
>> >> >> >> >
>> >> >> >> > Also, I had check the event viewer but there is no Kerberos
>> >> >> >> > related error. I had apply the patch 913446 but still no luck.
>> >> >> >> >
>> >> >> >> > I try to ping the gateway using ping -f <gateway ip> -l 1742
>> >> >> >> > and it reply with the "Packet needs to be fragmented but DF set."
>> >> >> >> > Is this the correct result? I had read through your explanation
>> >> >> >> > but i still not really



