
"The local security authority is unable to obtain an RPC connection to the Domain controller <REMOTE DC>."


VFR

May 21, 2006, 5:30:32 AM
Hello...
This is not necessarily a request for help... it is an outburst of
frustration, and a request for a more "practical / secure" solution...
It may also help others with the same issue.

Every time I tried to create a trust between two Windows Server 2003 R2
forests, I would receive this annoying popup message just after putting
in the Domain FQDN or NETBIOS name:

"The local security authority is unable to obtain an RPC
connection to the Domain controller <REMOTE DC>."

I spent two whole days on this issue..
Verified WINS, DNS, dcdiag, netdiag etc.etc.etc in both forests..
I even added LMHOSTS entries to ensure that the related DCs in each
forest could see each other.

I even tried all tips provided in the following post (including
pre-connecting to the external forest DCs):
http://groups.google.com.au/group/microsoft.public.windows.server.active_directory/browse_thread/thread/da25050e7d2bad8e/810cfb59b835d31d?lnk=st&q=The+local+security+Authority+is+unable+to+obtain+an+RPC+connection&rnum=2&hl=en#810cfb59b835d31d

It was a very frustrating experience to say the least...

Finally I fixed it....
You will never believe this.....
I had to have the enterprise administrator password in sync in both
forests...

Now... Microsoft... do you really think this is a practical solution??

My guess is that maybe Microsoft has increased security on the RPC
service to prevent unauthorized access... and this has prevented
non-trusted domains from communicating with each other during the
initial trust handshake process.

I believe this is an unacceptable solution..!

I would be very interested if anyone has identified a more practical
solution to this problem...
e.g.: temporarily reducing the security on the RPC service...

Regards,
VFR

Jorge de Almeida Pinto [MVP]

May 21, 2006, 5:53:20 AM
Hold your horses.... relax! I know you are pissed because it took you a crap
load of time to solve this. (trust me you are not the only one! ;-)) )

First things first: are you using VMware?

If the answer is "yes" AND the environment consists of W2K3 SP1 DCs (you are
using R2 and that is basically the same)
see the following:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/12/17/297.aspx

I found a while ago (last year) that this issue occurs in VMware under
certain conditions (see the blog posts). It does not, however, occur in
Virtual PC or Virtual Server or physical hardware.

If the answer is "no, I'm not using VMware", well then I think you found
another case


And NO, it is not a requirement that the passwords of both administrators in
different domains/forests are in sync to create trusts!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------



VFR

May 21, 2006, 8:21:33 AM
Wow, thanks for the quick answer!!
You were 100% correct :-)

I was using VMware...
I apologise for jumping the gun :-)

Regards,
VFR

Joe Richards [MVP]

May 21, 2006, 10:17:23 AM
Jorge did you bug this (ldaybug), I think you did but I forget?

Have you gotten traces when doing it on non-VMWARE and on VMWARE and isolated
the problem?

Is the problem by any chance in the signing/sealing of the secure channel?


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Scott Lowe

May 22, 2006, 3:01:02 PM
On 2006-05-21 05:53:20 -0400, "Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyF...@gmail.com> said:

> Hold your horses.... relax! I know you are pissed because it took you a
> crap load of time to solve this. (trust me you are not the only one!
> ;-)) )
>
> First things first: are you using VMware?
>
> If the answer is "yes" AND the environment consists of W2K3 SP1 DCs
> (you are using R2 and that is basically the same)
> see the following:
> http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx
> http://blogs.dirteam.com/blogs/jorge/archive/2005/12/17/297.aspx
>
> I found a while ago (last year) that this issue occurs in VMware under
> certain conditions (see the blog posts). It does not, however, occur in
> Virtual PC or Virtual Server or physical hardware.
>
> If the answer is "no, I'm not using VMware", well then I think you
> found another case
>
>
> And NO, it is not a requirement that the passwords of both
> administrators in different domains/forests are in sync to create
> trusts!

It looks like the VMware issue may have been resolved:

<http://www.activedir.org/article.aspx?aid=75>

I don't have any direct experience, so I can't verify that.

HTH.

--
Regards,
Scott Lowe
ePlus Technology Inc.
