Re: Not able to establish trust with another window 2003 domain



Hi Guys,

Thank you very much for all the suggestions. But I had tried all of them and
still no luck. The same error still comes up.

I appreciate all the help given. I will see what I can do from now.

Thank you

Eng

"Jorge Silva" wrote:

Other problems related with 40960 could be - This behavior occurs when you
restart the server that was promoted to a domain controller. In this
scenario, the Windows Time service (W32Time) tries to authenticate before
Directory Services has started.

Event IDs 40960 and 40961 in the System Event Log When You Restart Windows Server 2003 After You Run Dcpromo.exe
http://support.microsoft.com/kb/823712/en-us

Situation 2
LSASRV Event IDs 40960 and 40961 When You Promote a Server to a Domain Controller Role
http://support.microsoft.com/kb/824217/en-us

Other Related:

You cannot access network resources after you try to log on to a Windows XP Service Pack 2-based computer
http://support.microsoft.com/kb/885887/en-us

You cannot access resources after you install Security Bulletin MS04-011 or Windows XP Service Pack 2
http://support.microsoft.com/kb/891559/en-us

Logon Authentication, Active Directory Replication, and Domain Joins Do Not Complete Successfully
http://support.microsoft.com/kb/315150/en-us
--
I hope that the information above helps you
Good Luck

Jorge Silva
MCSA
Systems Administrator

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:uLm%23qyaAHHA.4212@xxxxxxxxxxxxxxxxxxxxxxx
Hi
The 40960 errors can have some different causes: - Generally, these errors
can be safely ignored. These errors occur because the DNS server doesn't
have a Reverse Lookup Zone configured. Although Active Directory doesn't
need a Reverse Lookup Zone to function, Windows 2003 and XP try to
make a secure PTR registration, and because the Reverse Lookup Zone isn't
configured, the OS tries to make a secure PTR registration at the
external DNS that is authoritative over the reverse lookup of the IP on
the machine's local interface. If it's a private address it will say
cannot establish a secured connection with the server prisoner.iana.org.
Also, nslookup will report "Can't find server name for address
<IPAddressOfDNSServer>".

Solution: 1-Create a Reverse Lookup Zone.

-----------

I know that I started to answer this post but unfortunately I can't see
all the thread.

Test your MTU from the problem server by pinging the gateway of your
router:
ping -f <IP> -l 1472



You need to start at your problem server, with a 1472 byte packet, then
ping your machine gateway (router if any) address with a 1472 byte packet,
then ping the next gateway with 1472 byte packet, etc. until you reach the
other server.

If you ping a router that returns a time out or "Packet needs to be
fragmented but DF set.", then you should reduce the packet size to that
router until the ping returns.
Then find the issue with that router as to why it is using a reduced MTU
setting and increase the router MTU.

--
I hope that the information above helps you
Good Luck


Jorge Silva
MCSA
Systems Administrator
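
The hop-by-hop test described in the post above, as an added example that is not part of the original thread: it sends don't-fragment echo requests through the .NET `Ping` class and binary-searches for the largest payload each hop accepts. The function names and the hop addresses are hypothetical placeholders.

```powershell
# Added example; the hop addresses are constructed placeholders (TEST-NET-1).
function Test-DfPing {
    param([string]$Target, [int]$Size, [int]$TimeoutMs = 2000)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    # TTL 128, DontFragment = $true (same effect as ping -f)
    $options = New-Object System.Net.NetworkInformation.PingOptions(128, $true)
    $buffer  = New-Object byte[] $Size          # payload size, as with ping -l
    try {
        return $ping.Send($Target, $TimeoutMs, $buffer, $options).Status.ToString()
    } catch {
        return 'Error'                          # any send failure counts as a failed probe
    } finally {
        $ping.Dispose()
    }
}

function Find-MaxDfPayload {
    param([string]$Target, [int]$Max = 1472, [int]$Min = 32)
    # Host does not answer even a small packet: MTU is not the issue here.
    if ((Test-DfPing $Target $Min) -ne 'Success') { return -1 }
    if ((Test-DfPing $Target $Max) -eq 'Success') { return $Max }
    $lo = $Min; $hi = $Max                      # invariant: $lo passes, $hi fails
    while (($hi - $lo) -gt 1) {
        $mid = [int][math]::Floor(($lo + $hi) / 2)
        if ((Test-DfPing $Target $mid) -eq 'Success') { $lo = $mid } else { $hi = $mid }
    }
    return $lo
}

# Start at the problem server's own gateway, then each next gateway,
# and finish with the other server (all addresses are placeholders).
$hops = '192.0.2.1', '192.0.2.254', '192.0.2.10'
foreach ($hop in $hops) {
    $payload = Find-MaxDfPayload -Target $hop
    if ($payload -lt 0) {
        '{0}: no reply even at 32 bytes' -f $hop
    } else {
        # 20-byte IP header + 8-byte ICMP header on top of the payload
        '{0}: max DF payload {1} bytes (path MTU {2})' -f $hop, $payload, ($payload + 28)
    }
}
```

The first hop that reports less than 1472 bytes is the router whose MTU setting needs checking.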

"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23QnTwkaAHHA.1012@xxxxxxxxxxxxxxxxxxxxxxx
I don't know what else to tell you. I'm not sure the 40960 even has
anything to do with your problem.

You could use KB 889030 and see if there is value in it. It was
written for NT to AD but there may be issues in it that could help you as
well.
http://support.microsoft.com/default.aspx/kb/889030/en-us

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ED04FC4D-9D6E-43D2-942D-409C76ED91DB@xxxxxxxxxxxxxxxx
Hi,

Thank you for the reply.

No. The time of the two servers is the same. No difference. I had checked all
the servers and all their time is the same. No delay.

Thank you

Eng

"Paul Bergson [MVP-DS]" wrote:


Is the time on the two servers within 5 minutes of one another?


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A71801D5-051B-4A3E-9834-80EFF38AE1AC@xxxxxxxxxxxxxxxx
Hi,

I had followed exactly what is stated in your article but it still fails.
Also, I had tried to use your web tool to generate the syntax but it still
fails.

I tried to remove the trust that was created at my source and re-create it
again. But this time it fails with the same error. Really a headache with this
issue.

Anything else that i can try?

Thank you

Eng

"Paul Bergson [MVP-DS]" wrote:

The spaces in the lmhost names for the DCs and domain names are critical,
be sure that both are properly spaced, that is why I pointed to this in my
article I sent you to read.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A3B6EA10-F93E-412F-BECC-0B566709E55A@xxxxxxxxxxxxxxxx
Hi Paul,

Thank you for your reply.

The lmhost file is working but it is only working for my source domain.
Which means my source domain is able to create a trust to the target, but
when I try to create the trust from my target to my source, it fails again
with the same error.

I tried to remove the lmhost file and copy it from my source domain PDC and
change the name and IP and try again. But it fails too.

On my source, I tried to verify the trust after I had created the trust but
it failed. (Strange, I can create the trust but I cannot verify the trust).
I opened Event Viewer and found that the following event ID is logged:

Event ID: 40960
Description: The Security System detected an authentication error for the
server cifs/ky-target.TARGET.LOCAL. The failure code from authentication
protocol Kerberos was "The referenced account is currently disabled and
may not be logged on to. (0xc0000072)".

I tried to search the MS website but failed to find a solution. Any idea
what is going on?

Thank you

Eng


"Paul Bergson [MVP-DS]" wrote:

You could try creating an LMHosts file and see if that helps.

Go to my website and look up trust setup on an NT4 v 2003. This should work
for 2003 v 2003, it even has a foolproof way to set up the LMHost records.

http://www.pbbergs.com
Select articles and click on NT4 -v- Active Directory Trust

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Eng" <Eng@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9DD4123F-CA92-4087-BB2B-F05EDEDA9DB6@xxxxxxxxxxxxxxxx
Hi Paul,

Thank you for your reply.

I had followed the instructions from the website that you provided but still
no luck. I am still getting the same error message "The Local Security
Authority is unable to obtain an RPC connection from the domain controller
DC1.target.local. Please check that the name can be resolved and that the
server is available".

I had verified that the RPC services are running and the name can be
resolved on each domain.

My source and target domains are currently sitting on the same subnet. I
don't think this is a problem, right? Correct me if I am wrong.

Is there any other way that I can try to resolve my issue?

Thank you

Eng

"Paul Bergson [MVP-DS]" wrote:

I'm unclear as to what you have set up for DNS. For now try setting up a
secondary of each other's primary and see if you have any luck.

Secondary
.
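
The LMHOSTS spacing point raised earlier in the thread, as an added example that is not taken from the thread or from the article it links to. It assumes the standard LMHOSTS format, in which the quoted domain entry must hold exactly 20 characters: the NetBIOS domain name padded with spaces to 15, followed by the literal `\0x1b`. The function names, the NetBIOS names `DC1` and `TARGET`, and the address are constructed placeholders.

```powershell
# Added example; DC1, TARGET and 192.0.2.10 are constructed sample values.
function New-LmhostsTrustEntry {
    param([string]$DcName, [string]$DcIp, [string]$Domain)
    if ($Domain.Length -gt 15) {
        throw "NetBIOS domain name longer than 15 characters: $Domain"
    }
    # NetBIOS names are registered in upper case; pad the domain to exactly 15.
    $padded = $Domain.ToUpper().PadRight(15)
    @(
        ('{0}  {1}  #PRE #DOM:{2}' -f $DcIp, $DcName.ToUpper(), $Domain.ToUpper()),
        ('{0}  "{1}\0x1b"  #PRE'   -f $DcIp, $padded)
    )
}

function Test-LmhostsLine {
    param([string]$Line)
    # Lines without a quoted special name have no spacing requirement.
    if ($Line -match '"([^"]*)"') {
        $quoted = $Matches[1]
        # 15 name-and-padding characters plus the 5-character \0x1b = 20
        return ($quoted.Length -eq 20) -and ($quoted -match '^.{15}\\0x1b$')
    }
    return $true
}

# Generate the two lines for the other domain's PDC.
$lines = New-LmhostsTrustEntry -DcName 'DC1' -DcIp '192.0.2.10' -Domain 'TARGET'

# Constructed bad line: only one pad space, so the 16th byte is not 0x1b.
$bad = '192.0.2.10  "TARGET \0x1b"  #PRE'

foreach ($line in ($lines + $bad)) {
    $verdict = 'BAD '
    if (Test-LmhostsLine $line) { $verdict = 'OK  ' }
    '{0} {1}' -f $verdict, $line
}
```

After editing the file on each PDC, `nbtstat -R` reloads the name cache and `nbtstat -c` shows whether the `<1B>` entry was loaded.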


