Trusted Domains Not Trusting Anymore?


Sam Manzella

Oct 29, 2003, 2:09:56 PM
Hello, I can't seem to get to the bottom of this, and I'm hoping someone
here can help me with this. Here is the situation:

I have DomainA and DomainB on the same Network. DomainA consists of two
Domain Controllers (#1 & #2), and DomainB consists of one Domain Controller,
and we'll call it DC #3.

On DomainA: DC #1 is running AD on Windows 2000 Server, and DC #2 is also
Running AD but Windows 2003 Server.

DC #2 came on as a Replica to DC #1, and is now the Master Role holder for
DomainA.

DC #3 is running AD for DomainB and is on Windows 2000 Server.

At one point, about a year ago, trust relationships were successfully created
between DomainA and DomainB.

I now can no longer Verify the Trust relationships because from whichever
domain or DC I try to verify them, I get an error saying that "The RPC
Server is unavailable" on the opposite DC.

I do however have sort of a 1/2 working trust between the domains, meaning
Computers on DomainA can get to shared objects on DomainB, and vice versa,
except that Users on DomainB can only get to Shared objects on DC #1, but
can't access Shares on DC #2 even though they are both DCs for DomainA.

Another observation that may help... DC #1 and DC #2 share AD items, such as
Users and Computers and such. Let's say I want to add a User from DomainB to
a Shared Folder on DomainA\DC #1, I can successfully add the user cross
domain, and everything works OK. On the other hand, if I try adding the
same user permissions from DomainB to a share located on DC #2, I can't even
browse DomainB through the "Look in" to find the user in DomainB.

Also, let's say I have successfully created a shared Folder on DC #1
(DomainA), and added Security Permissions to a user from DomainB. If now I
check the properties of that folder from DC #2 (DomainA), the user from
DomainB will show up as a SID number.

I hope I didn't ramble-on too much on this. I'm trying to explain the
situation as best as I can.

Please help.

Thanks,
Sam


Sam Manzella

Oct 29, 2003, 4:30:22 PM
I think it has something to do with the "Secure Channel" in the Windows 2003
Server Security Policy??

Please help...

Thanks again,
Sam

"Sam Manzella" <SJMan...@HAWAinc.com> wrote in message
news:uVdC$AlnDH...@tk2msftngp13.phx.gbl...

AUSPS

Oct 29, 2003, 4:35:22 PM
Check the domain controller group policy under comp
config/win set/sec set/loc pol/sec opt/network
access:allow anon sid name translation to see if it is
disabled. It can get set to disabled when you are
locking it down. Our security template disabled it when
we applied it and when we set up trusts with some NT4
domains we had a similar problem. Set it back to enabled
and the names would show up instead of the SIDs. We did
still have access, but could not manage who we had given
access to with just knowing the SIDs. Hope this helps.


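A quick way to check the policy setting AUSPS describes on a given DC, as an added example that is not part of the thread. It assumes it is run elevated on the DC itself, and that the setting is stored as `LSAAnonymousNameLookup` under `[System Access]` in a `secedit` export (the name under which security templates carry "Network access: Allow anonymous SID/Name translation"). It only reports the effective value; it does not change it.

```powershell
# Added example (not from the thread): report the effective local value of
# "Network access: Allow anonymous SID/Name translation" on this DC.
# Assumptions: run elevated on the DC; secedit stores the setting as
# LSAAnonymousNameLookup under [System Access] in its exported INF.

function Get-AnonymousSidNameTranslation {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the local security policy area to a temporary INF file.
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if (-not (Test-Path $cfg)) { throw "secedit export failed" }

        # secedit writes UTF-16 with a BOM; Get-Content detects that.
        $line = Get-Content $cfg |
                Where-Object { $_ -match '^\s*LSAAnonymousNameLookup\s*=' } |
                Select-Object -First 1

        if (-not $line) { return 'NotDefined' }   # template never touched it
        if ($line -match '=\s*1\s*$') { 'Enabled' } else { 'Disabled' }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$state = Get-AnonymousSidNameTranslation
"Allow anonymous SID/Name translation: $state"
if ($state -ne 'Enabled') {
    "ACL entries for accounts from a trusted domain may display as raw SIDs on this DC."
}
```

Run it on each DC of DomainA; a difference between DC #1 and DC #2 would line up with the symptom Sam describes, where the same ACE shows a name on one DC and a SID on the other. Whether to re-enable the setting is a policy decision for the domain, since the lockdown template disabled it on purpose.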
Sam Manzella

Oct 29, 2003, 5:12:11 PM
Hello, I tried modifying the Security Policy as you suggested, and it does
seem to resolve the already configured SID(users) to the correct user from
DomainB. However, if I try to add another user from DomainB while on DC #2
from DomainA, I still can resolve a user name when I enter it in the Search
for Computers, Groups or Users. When I enter the user name, the "Name Not
Found" dialogue box appears. I also still can't verify the current Trust
relationships in place (still the no RPC Server message).

I'm using the DomMon (Domain Monitor utility) to check things out, and it
appears that DC #1 on DomainA and DC #3 on DomainB verify their trusts fine
"Success", but DC #2 on DomainA fails, and returns an "Error" message under
"Link to Trusted Domain", and on the bottom window it shows "NoLog"Svr"
under "Secure Channel Status".

I hope this makes sense to someone.

Thanks,
Sam


"AUSPS" <anon...@discussions.microsoft.com> wrote in message
news:0b9201c39e64$8ea19c20$a001...@phx.gbl...

Michael Snyder [MSFT]

Oct 29, 2003, 6:31:01 PM
For more verbose information, turn on netlogon debugging on the DC with:
nltest /dbflag:0x2000FFFF
Then: nltest /sc_verify:<domain name>\<dc name>
Then: Look in %windir%\debug\netlogon.log for the time when the /sc_verify
command was running.

That should provide more detailed information on the problem.

Later, you will want to run nltest /dbflag:0x00000000 or else the
netlogon.log file can grow quite large.

--
Michael Snyder
Active Directory Admin Tool Test

This posting is provided "AS IS" with no warranties, and confers no rights.


"Sam Manzella" <SJMan...@HAWAinc.com> wrote in message
news:eHpP1mmn...@TK2MSFTNGP09.phx.gbl...
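The four steps Michael lists, wrapped so the debug flag is always reset even if the verify call fails, and with the `[CRITICAL]` lines written during the call pulled out of `netlogon.log`. This is an added example, not Michael's own tooling. It assumes an elevated prompt on the DC, an `nltest.exe` that matches the OS version (the mismatch Sam hits later in the thread), and that `netlogon.log` lines begin with `MM/DD HH:MM:SS [CATEGORY]`, which is an assumption about the log format rather than something the thread states. The target string is passed to `/sc_verify:` exactly as given.

```powershell
# Added example (not from the thread): run the netlogon debug procedure from
# the post above and extract the [CRITICAL] lines logged while it ran.
# Assumptions: elevated prompt on the DC; nltest.exe from this OS version on
# PATH; netlogon.log lines start with "MM/DD HH:MM:SS [CATEGORY]" (assumed).

param(
    # Passed straight through to /sc_verify:, as written in the thread.
    [Parameter(Mandatory)] [string] $Target
)

function Get-CriticalNetlogonLines {
    param([string] $Path, [datetime] $Since)
    Get-Content $Path | Where-Object {
        if ($_ -match '^(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d) \[CRITICAL\]') {
            # The log carries no year; Get-Date fills in the current one.
            $ts = Get-Date -Month ([int]$Matches[1]) -Day ([int]$Matches[2]) `
                           -Hour ([int]$Matches[3]) -Minute ([int]$Matches[4]) `
                           -Second ([int]$Matches[5])
            $ts -ge $Since.AddSeconds(-1)   # tolerate sub-second rounding
        }
    }
}

$log   = Join-Path $env:windir 'debug\netlogon.log'
$start = Get-Date

try {
    # Step 1: verbose netlogon logging on.
    & nltest.exe /dbflag:0x2000FFFF | Out-Null
    # Step 2: verify the secure channel; keep its own output on screen.
    & nltest.exe "/sc_verify:$Target"
    Start-Sleep -Seconds 2   # give netlogon a moment to flush the log
}
finally {
    # Step 4: always turn it back off, or the log grows without bound.
    & nltest.exe /dbflag:0x00000000 | Out-Null
}

# Step 3: only the critical lines from the window in which /sc_verify ran.
Get-CriticalNetlogonLines -Path $log -Since $start
```

The `finally` block is the point of the wrapper: the reset Michael mentions at the end is the step most easily forgotten once the interesting output has scrolled past, and a DC left at `0x2000FFFF` will fill its disk with `netlogon.log`.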

Sam Manzella

Oct 30, 2003, 2:39:48 PM
Hi Michael,

Thank you for your assistance. However, I'm running into a problem while
trying to run the nltest utility. When I try to execute the commands as you
suggested through the command line, I get the following error:

nltest.exe - Entry Point Not Found

X - The Procedure Entry Point NetEnumerateTrustedDomainEx could not be
located in the dynamic link library NETAPI32.DLL

Please help...

Thank you,
Sam

"Michael Snyder [MSFT]" <mic...@online.microsoft.com> wrote in message
news:uUhd4Snn...@TK2MSFTNGP12.phx.gbl...

Michael Snyder [MSFT]

Oct 31, 2003, 12:57:27 PM
The copy of nltest that you are using is probably from the wrong version of
the OS. (ie. you are on a W2k3 box and the nltest is from w2k, etc.)

--
Michael Snyder
Active Directory Admin Tool Test

This posting is provided "AS IS" with no warranties, and confers no rights.

"Sam Manzella" <sjman...@hawainc.com> wrote in message
news:%23QqNW2x...@tk2msftngp13.phx.gbl...

Sam Manzella

Nov 3, 2003, 11:45:51 AM
Hi Michael,

I didn't realize that the new nltest.exe is included in the Windows 2003. I
was using one from the Windows 2000 Resource Kit, and I was searching for
the 2003 Resource kit which I don't believe is out yet.

Anyway, I was able to generate a Netlogon.log file, but I'm not really sure
how to interpret some of the "Critical" lines. Can I send this file to you
for inspection, and hopefully point me in right direction?

Also, when I tried to run the "nltest /sc_query:domainname\DCname" I
received the following error:

I_netlogonControl Failed Status=1355 0x54f ERROR_NO_LOGON_SERVERS

I found some information on Microsoft's website, suggesting to use the FQDN
instead of breaking the syntax up in Domainname\DCname, but it still didn't
work.

I also tried running the following switch just to try:

nltest /dcname:domainname

and I got this error:

NetGetDCName Failed: Status=2453 0x995 NERR_DCNotFound

I'm really lost here.

Thanks again for your help.
Sam


"Michael Snyder [MSFT]" <mic...@online.microsoft.com> wrote in message
news:uHLD0h9n...@tk2msftngp13.phx.gbl...

Michael Snyder [MSFT]

Nov 3, 2003, 1:59:56 PM
Out of curiosity, have you tried running dcdiag on all of your domain
controllers?

If you still want to send the logs, just remove the online from my email
address and I can take a look.


--
Michael Snyder
Active Directory Admin Tool Test

This posting is provided "AS IS" with no warranties, and confers no rights.

"Sam Manzella" <sjman...@hawainc.com> wrote in message
news:uVFIznio...@TK2MSFTNGP12.phx.gbl...

Sam Manzella

Nov 3, 2003, 4:41:07 PM
Hi Michael,

I just sent you an email with an nltest and some dcdiag results. Please let
me know if you don't receive the email.

Thanks again for your help.
Sam

"Michael Snyder [MSFT]" <mic...@online.microsoft.com> wrote in message
news:OJ5Ytyjo...@tk2msftngp13.phx.gbl...

Michael Snyder [MSFT]

Nov 3, 2003, 7:30:14 PM
For the benefit of others: It appears that the DNS records for some of the
DCs are not correctly registered, both dcdiag and the netlogon.log file
indicated failures with DNS registration and/or finding the DNS records of
other DCs.

At the moment, it appears that DNS issues are causing the problems verifying
the trusts in these forests.

--
Michael Snyder
Active Directory Admin Tool Test

This posting is provided "AS IS" with no warranties, and confers no rights.

"Sam Manzella" <sjman...@hawainc.com> wrote in message
news:eHUUyMlo...@TK2MSFTNGP09.phx.gbl...
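A check for the DNS registration Michael's diagnosis points at, as an added example that is not part of the thread: for each domain it queries the DC locator SRV record `_ldap._tcp.dc._msdcs.<domain>` and then confirms that every DC the SRV records name resolves to an address. It assumes `Resolve-DnsName` (Windows 8 / Server 2012 or later) and uses placeholder domain names that stand in for the real DomainA and DomainB FQDNs; the thread never gives them.

```powershell
# Added example (not from the thread): verify that each domain publishes DC
# locator SRV records and that every DC they point at has an A record.
# Assumptions: Resolve-DnsName is available; 'domaina.example' and
# 'domainb.example' are placeholders for the real forest/domain FQDNs.

function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string[]] $DomainFqdn,
        [string] $DnsServer    # optional: ask a specific DNS server
    )
    $extra = @{}
    if ($DnsServer) { $extra['Server'] = $DnsServer }

    foreach ($d in $DomainFqdn) {
        $srvName = "_ldap._tcp.dc._msdcs.$d"
        try {
            $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop @extra |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            [pscustomobject]@{ Domain = $d; Record = $srvName; Target = $null
                               Status = "SRV lookup failed: $($_.Exception.Message)" }
            continue
        }
        if (-not $srv) {
            [pscustomobject]@{ Domain = $d; Record = $srvName; Target = $null
                               Status = 'no SRV records registered' }
            continue
        }
        # Every DC named by an SRV record must itself resolve, or clients
        # (and the trust's secure channel) cannot reach it by name.
        foreach ($r in $srv) {
            try {
                $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction Stop @extra |
                     Where-Object { $_.Type -eq 'A' }
                if ($a) { $status = "ok ($($a.IPAddress -join ', '))" }
                else    { $status = 'no A record' }
            } catch {
                $status = "A lookup failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Domain = $d; Record = $srvName; Target = $r.NameTarget
                               Status = $status }
        }
    }
}

Test-DcLocatorRecords -DomainFqdn 'domaina.example', 'domainb.example' |
    Format-Table -AutoSize
```

Run it from each DC, and from each DC against the DNS server the other domain uses, since a DC that is missing from the SRV set (or that resolves on one side only) is exactly the case that produces "RPC server is unavailable" and `ERROR_NO_LOGON_SERVERS` when the trust is verified from that side.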

Brian Brezina

Dec 10, 2003, 10:11:11 AM
What are the steps to fix this? We seem to have the same problem with trusts after we upgraded our domain to 2003.


Sam Manzella

Dec 23, 2003, 5:30:58 PM
Hi Brian,

Michael gave lots of tips on how to go about fixing the problem. From the
DCdiag tests he had me run, he determined that it was a problem with my DNS
configurations. I changed things around, and my DCDiag test came back
looking better, but the problem still exists. I sort of gave up for a while.
I'm going to focus on it again after the Holidays. I'm currently getting
trust between my older Windows 2000 Servers, so I have my cross-domain
shared folders there, but I want to move things to the new 2003 server once
I get it figured out.

Sam


"Brian Brezina" <brian_...@ncsu.edu> wrote in message
news:8A8A58E2-6236-4C9F...@microsoft.com...
