Author: LMiguel (Guest)
Posted: Mon Sep 05, 2005 7:44 am
Post subject: Problem creating a forest trust relationship

Hello everyone.
I'm trying to create a forest trust relationship between 2 forests, both
W2003 Enterprise Edition. The forest functional level for both forests
is "windows server 2003".
First domain: contoso.com
Server name: Server01 (DC and DNS)
IP Address: 192.168.0.101
Second domain: nwtraders.com (another forest)
Server name: Server02 (DC and DNS)
IP Address: 192.168.0.102
I've already configured DNS forwarders in both DNS servers (conditional
forwarding). Also in both DNS servers in the reverse zone for
192.168.0.x I had to manually add the IP address of the external domain
controller because only secure updates are enabled.
In Server01.contoso.com, when I try to create the forest trust, I
receive this message:
==================================================================
Cannot continue
The trust relationship cannot be created because the following error
occurred: The local security authority is unable to obtain an RPC
connection to the domain controller server02.nwtraders.com Please check
that the name can be resolved and that the server is available.
==================================================================
But a ping from server01.contoso.com to server02.nwtraders.com is
successful. And a ping from server02.nwtraders.com to
server01.contoso.com is successful too.
There's no firewall or router between both DCs. I'm using VMware
Workstation 5.
Any suggestion?
Thanks

Author: Ace Fekay [MVP] (Guest)
Posted: Mon Sep 05, 2005 8:52 am
Post subject: Re: Problem creating a forest trust relationship

In news:1125888283.136755.3570@f14g2000cwb.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
| Quote: | Hello everyone.
I'm trying to create a forest trust relationship between 2 forests,
both W2003 Enterprise Edition. The forest functional level for both
forests is "windows server 2003".
First domain: contoso.com
Server name: Server01 (DC and DNS)
IP Address: 192.168.0.101
Second domain: nwtraders.com (another forest)
Server name: Server02 (DC and DNS)
IP Address: 192.168.0.102
I've already configured DNS forwarders in both DNS servers
(conditional forwarding). Also in both DNS servers in the reverse
zone for 192.168.0.x I had to manually add the IP address of the
external domain controller because only secure updates are enabled.
In Server01.contoso.com, when I try to create the forest trust, I
receive this message:
==================================================================
Cannot continue
The trust relationship cannot be created because the following error
occurred: The local security authority is unable to obtain an RPC
connection to the domain controller server02.nwtraders.com Please
check that the name can be resolved and that the server is available.
==================================================================
But a ping from server01.contoso.com to server02.nwtraders.com is
successful. And a ping from server02.nwtraders.com to
server01.contoso.com is successful too.
There's no firewall or router between both DCs. I'm using VMware
Workstation 5.
Any suggestion?
Thanks
|
I haven't tried this under VMware, but have under Microsoft VPC, which works
fine. This sounds like a Microsoft Official Curriculum classroom setup due
to the domain names.
Pinging isn't the best tool here because it's specifically looking for SRV
data. Do all the SRV records under each zone exist? They are the _msdcs,
_tcp, _sites and _udp folders. They must be there.
How did you set up conditional forwarding? It is looking for the GC record
under the _msdcs zones, which forwarding to contoso.com from nwtraders.com
should work because it has a delegation and the delegation should point back
to contoso's DNS.
If you created a secondary of contoso.com and _msdcs.contoso.com under
nwtraders's DNS and doing the same the other way around, does it work? If it
does, then the forwarding isn't set correctly.
--
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

Author: LMiguel (Guest)
Posted: Mon Sep 05, 2005 8:51 pm
Post subject: Re: Problem creating a forest trust relationship

Hi Ace
Thanks for your email. I'm using a MS Press book =)
In both DNS servers exist SRV records (msdcs, _tcp, _sites and _udp
folders)
I configured conditional forwarder DNS in this way:
In server01.contoso.com
Right-click DNS server / Properties / Forwarders
New DNS domain: nwtraders.com
Selected domain's forwarder IP address list: 192.168.0.102
(Server02's IP address)
and then ADD
In server02.nwtraders.com I did the same procedure.
The result is the same. "The local security authority is unable to
obtain an RPC connection to the domain controller
server02.nwtraders.com Please check that the name can be resolved and
that the server is available"
Also, in server01.contoso.com I created two secondary zones
(nwtraders.com and _msdcs.nwtraders.com) and the transfer from the
other DNS server (server02) was successful.
In the server02 I did the same procedure.
The result is the same.
Any additional suggestion?
Thanks in advance
Luis Cañari

Author: Ace Fekay [MVP] (Guest)
Posted: Tue Sep 06, 2005 12:51 am
Post subject: Re: Problem creating a forest trust relationship

In news:1125952112.200571.241390@g43g2000cwa.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
| Quote: | Hi Ace
Thanks for your email. I'm using a MS Press book =)
In both DNS servers exist SRV records (msdcs, _tcp, _sites and _udp
folders)
I configured conditional forwarder DNS in this way:
In server01.contoso.com
Right-click DNS server / Properties / Forwarders
New DNS domain: nwtraders.com
Selected domain's forwarder IP address list: 192.168.0.102
(Server02's IP address)
and then ADD
In server02.nwtraders.com I did the same procedure.
The result is the same. "The local security authority is unable to
obtain an RPC connection to the domain controller
server02.nwtraders.com Please check that the name can be resolved and
that the server is available"
Also, in server01.contoso.com I created two secondary zones
(nwtraders.com and _msdcs.nwtraders.com) and the transfer from the
other DNS server (server02) was successful.
In the server02 I did the same procedure.
The result is the same.
Any additional suggestion?
Thanks in advance
Luis Cañari
|
I see. Thanks for responding. MS Press? They are actually written from the
MOC material I mentioned. Good stuff. :-)
The way you set up conditional forwarding is correct. You can remove the
secondaries if you want, since the forwarders are correct. This obviously
comes down to a problem on the nwtraders.com DC or the firewall is enabled
on it. Are there any Event log errors on server02.nwtraders.com? I'm
specifically looking for DNS, NTFRS and Directory Services errors.
Ace

Author: LMiguel (Guest)
Posted: Wed Sep 07, 2005 12:52 am
Post subject: Re: Problem creating a forest trust relationship

I checked Event Viewer for both servers, but there are no error
messages in the last two days.
Additional info, both servers have installed SP1.
The windows firewall is disabled.
The problem is in both servers. From server01 to server02, and from
server02 to server01
I really don't know what the problem would be.
Luis Cañari

Author: LMiguel (Guest)
Posted: Wed Sep 07, 2005 12:52 am
Post subject: Re: Problem creating a forest trust relationship

I've just checked Application log and I found this in both servers:
Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date: 9/6/2005
Time: 5:23:34 PM
User: N/A
Computer: SERVER02
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS
DTC will continue to function and will use the existing security
settings. Error Specifics:
d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 588
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80 ...€
Thanks in advance
Luis

Author: Ace Fekay [MVP] (Guest)
Posted: Wed Sep 07, 2005 4:51 pm
Post subject: Re: Problem creating a forest trust relationship

In news:1126048267.765509.100920@o13g2000cwo.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
| Quote: | I've just checked Application log and I found this in both servers:
Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date: 9/6/2005
Time: 5:23:34 PM
User: N/A
Computer: SERVER02
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS
DTC will continue to function and will use the existing security
settings. Error Specifics:
d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 588
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80 ...?
Thanks in advance
Luis
|
Interesting! Were these servers upgraded from 2000 or were they fresh
installs?
Take a look at this article:
http://www.eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1
Ace

Author: LMiguel (Guest)
Posted: Fri Sep 09, 2005 12:51 am
Post subject: Re: Problem creating a forest trust relationship

It's a fresh install of Windows2003 (SP1)
I followed the steps in the article, and the event id didn't appear
anymore, but the problem with the relationship persists.
Any idea?

Author: Ace Fekay [MVP] (Guest)
Posted: Fri Sep 09, 2005 4:51 pm
Post subject: Re: Problem creating a forest trust relationship

In news:1126221030.823364.81420@o13g2000cwo.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
| Quote: | It's a fresh install of Windows2003 (SP1)
I followed the steps in the article, and the event id didn't appear
anymore, but the problem with the relationship persists.
Any idea?
|
Is there any way I can remote into these machines?
It appears from what you said, that everything should just work. I'm not
sure where you are going wrong or what is going on. I've done this a hundred
times (literally because I am a trainer and a consultant) and it always just
works unless there's a DNS config issue, forest level issue or errors in
either machine.
Ace

Author: LMiguel (Guest)
Posted: Sun Sep 11, 2005 8:51 pm
Post subject: Re: Problem creating a forest trust relationship

I installed in other physical PC, VMware Workstation and both DC with
the same configuration and it didn't work.
Finally I decided to install Microsoft Virtual PC 2004 and it worked!!
It's rare because I always used VMware Workstation v5 with W2000 Server
before and it worked perfectly. So, I think it was the problem.
Ace, thanks for your precious time and help
Regards
Luis

Author: Ace Fekay [MVP] (Guest)
Posted: Mon Sep 12, 2005 8:52 am
Post subject: Re: Problem creating a forest trust relationship

In news:1126464470.932376.324960@g47g2000cwa.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
| Quote: | I installed in other physical PC, VMware Workstation and both DC with
the same configuration and it didn't work.
Finally I decided to install Microsoft Virtual PC 2004 and it worked!!
It's rare because I always used VMware Workstation v5 with W2000
Server before and it worked perfectly. So, I think it was the problem.
Ace, thanks for your precious time and help
Regards
Luis
|
It should work under VMWare. I've been using VPC, and it works fine. In
VMWare, which I'm not familiar with, are there any settings that block
certain type of traffic? Are the VM machines communicating on your network
or just allowed to communicate among themselves? Are there any utilities you
need to install to enhance communication between the machines?
Ace

Author: LMiguel (Guest)
Posted: Tue Sep 13, 2005 8:52 am
Post subject: Re: Problem creating a forest trust relationship

Actually, VMware has more capabilities than VPC.
You can use until 8 virtual networks and you can configure manually
DHCP server in NAT mode.
I used it extensively with W2000 AS and it worked fine. I also
installed ISA Server, Exchange Server and SQL Server in different
Virtual PC (VMware) working together and it was ok. Another benefit is
you can also install Linux, Novell Netware and Sun Solaris
All related with communication setup is ok.
Today I received an email from VMware saying that there's a new beta
version (VMware Workstation 5.5 Beta)
You can download it from
http://www.vmware.com/products/desktop/ws_features.html
Since now, I'll use VPC until a new version of VMware will be released.
Regards
Luis

Author: Ace Fekay [MVP] (Guest)
Posted: Tue Sep 13, 2005 12:51 pm
Post subject: Re: Problem creating a forest trust relationship

In news:1126588224.797853.8550@o13g2000cwo.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
| Quote: | Actually, VMware has more capabilities than VPC.
You can use until 8 virtual networks and you can configure manually
DHCP server in NAT mode.
I used it extensively with W2000 AS and it worked fine. I also
installed ISA Server, Exchange Server and SQL Server in different
Virtual PC (VMware) working together and it was ok. Another benefit is
you can also install Linux, Novell Netware and Sun Solaris
All related with communication setup is ok.
Today I received an email from VMware saying that there's a new beta
version (VMware Workstation 5.5 Beta)
You can download it from
http://www.vmware.com/products/desktop/ws_features.html
Since now, I'll use VPC until a new version of VMware will be
released.
Regards
Luis
|
I'll have to try VMWare. I've been dedicated to using VPC since the new
courses are VPC based. It would take too much time to convert to VMWare at
this point, even though I know of other trainers that prefer VMWare.
Let us know if VPC does the trick for you.
Ace

Author: Wool Cool (Guest)
Posted: Fri Sep 23, 2005 7:50 am
Post subject: Re: Problem creating a forest trust relationship

This must be a bug in VMware products including Workstation & GSX Server
(I don't have a test bed to verify ESX) though VMware declares the new versions
(Workstation 5.0 and GSX Server 3.2) support W03 SP1 guest OS.
I could reproduce this problem in both of these two products the same as you for
sure!
"Ace Fekay [MVP]" wrote:
| Quote: | In news:1126588224.797853.8550@o13g2000cwo.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
Actually, VMware has more capabilities than VPC.
You can use until 8 virtual networks and you can configure manually
DHCP server in NAT mode.
I used it extensively with W2000 AS and it worked fine. I also
installed ISA Server, Exchange Server and SQL Server in different
Virtual PC (VMware) working together and it was ok. Another benefit is
you can also install Linux, Novell Netware and Sun Solaris
All related with communication setup is ok.
Today I received an email from VMware saying that there's a new beta
version (VMware Workstation 5.5 Beta)
You can download it from
http://www.vmware.com/products/desktop/ws_features.html
Since now, I'll use VPC until a new version of VMware will be
released.
Regards
Luis
I'll have to try VMWare. I've been dedicated to using VPC since the new
courses are VPC based. It would take too much time to convert to VMWare at
this point, even though I know of other trainers that prefer VMWare.
Let us know if VPC does the trick for you.
Ace
|

Author: Englishman (Guest)
Posted: Mon Oct 31, 2005 1:50 pm
Post subject: Re: Problem creating a forest trust relationship

I don't know if you resolved the problem, but I just completed a forest
migration and found a solution to your problem.
If you don't have DNS setup properly between the forests, your trusts will
fail. Please try the following:
- Set up a conditional forwarder in DNS for each forest.
- On the servers that you are using to setup the trusts, go to the network
connections > local area conn > tcp/ip properties. Under DNS, ensure that the
primary DNS is the local domain DNS and add an additional DNS of the other
forest DNS server. Then go to advanced and under DNS, select append these DNS
suffixes. Then add each local DNS domain first and then the DNS domain of the
other forest.
Once DNS is prepared, use nslookup to query the servers in each forest. If
this works nicely, you should be able to do the trusts.
Hope this helps
"Ace Fekay [MVP]" wrote:
| Quote: | In news:1126221030.823364.81420@o13g2000cwo.googlegroups.com,
LMiguel <luis.canari@gmail.com> made this post, which I then commented about
below:
It's a fresh install of Windows2003 (SP1)
I followed the steps in the article, and the event id didn't appear
anymore, but the problem with the relationship persists.
Any idea?
Is there any way I can remote into these machines?
It appears from what you said, that everything should just work. I'm not
sure where you are going wrong or what is going on. I've done this a hundred
times (literally because I am a trainer and a consultant) and it always just
works unless there's a DNS config issue, forest level issue or errors in
either machine.
Ace
|
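
Added example, not part of any post in this thread: the two checks the replies recommend (Ace's "are the SRV records there, ping doesn't tell you" and Englishman's "query each forest's DNS before creating the trust"), plus a TCP connect test that matches the RPC error LMiguel quotes. The zone lines are constructed, all function names are hypothetical, and the list of required SRV names and DC ports is this example's assumption about what the DC locator and trust wizard need.

```python
import socket

# Assumed set of TCP services a DC must answer; a successful ICMP ping tests none of them.
DC_TCP_PORTS = {"kerberos": 88, "rpc-endpoint-mapper": 135, "ldap": 389, "smb": 445}

# Constructed sample: zone-file style SRV lines for nwtraders.com, GC record left out on purpose.
SAMPLE_ZONE = """\
_ldap._tcp.nwtraders.com. 600 IN SRV 0 100 389 server02.nwtraders.com.
_kerberos._tcp.nwtraders.com. 600 IN SRV 0 100 88 server02.nwtraders.com.
_kerberos._udp.nwtraders.com. 600 IN SRV 0 100 88 server02.nwtraders.com.
_ldap._tcp.dc._msdcs.nwtraders.com. 600 IN SRV 0 100 389 server02.nwtraders.com.
_kerberos._tcp.dc._msdcs.nwtraders.com. 600 IN SRV 0 100 88 server02.nwtraders.com.
_ldap._tcp.pdc._msdcs.nwtraders.com. 600 IN SRV 0 100 389 server02.nwtraders.com.
"""

def required_srv_names(domain, forest_root=None):
    """SRV owner names the DC locator queries for a domain (forest root defaults to it)."""
    root = forest_root or domain
    names = [f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}", f"_kerberos._udp.{domain}"]
    names += [f"{p}.dc._msdcs.{domain}" for p in ("_ldap._tcp", "_kerberos._tcp")]
    names += [f"_ldap._tcp.pdc._msdcs.{domain}", f"_ldap._tcp.gc._msdcs.{root}"]
    return names

def parse_srv(zone_text):
    """Map lower-cased SRV owner name -> list of (target, port) from zone-file lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        i = fields.index("SRV") if "SRV" in fields else -1
        if i < 0 or len(fields) < i + 5 or not fields[i + 3].isdigit():
            continue  # not an SRV line, or malformed: skip rather than guess
        owner = fields[0].rstrip(".").lower()
        target = fields[i + 4].rstrip(".").lower()
        records.setdefault(owner, []).append((target, int(fields[i + 3])))
    return records

def missing_srv(zone_text, domain, forest_root=None):
    """Required SRV names that have no record in the supplied zone data."""
    have = parse_srv(zone_text)
    return [n for n in required_srv_names(domain, forest_root) if n.lower() not in have]

def unreachable_services(host, ports=DC_TCP_PORTS, timeout=2.0):
    """Names of services on `host` that refuse or time out on a TCP connect."""
    failed = []
    for name, port in ports.items():
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError:
            failed.append(name)
    return failed

if __name__ == "__main__":
    print("missing SRV records:", missing_srv(SAMPLE_ZONE, "nwtraders.com"))
```

Run `unreachable_services("server02.nwtraders.com")` from the other forest's DC: an empty list for SRV and ports on both sides means name resolution and RPC reachability are not what is blocking the trust.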