Cannot establish trust between two domains

September 4, 2010 at 09:40:10
Specs: Windows 7
I am attempting to join two domains with a trust. I currently have mycompany.com and company2.local. From reading other posts this problem appears to be related to one forest being a .local instead of being registered through a DNS server. What solutions do I have to fix this problem?

DC1 on mycompany.com is on Windows 2000 and has a trust established under "domains trusted by this domain".
DC2 on company2.local is windows 2003 sbs edition.




#1
September 4, 2010 at 18:28:24
Here is a quote from another forum. Let us know if it helps.

What is not working? Still cannot ping ABC.local from DEF.com? If so, then your next step is to find out why the DNS zone of ABC.local is not able to replicate to the DEF.com DNS server.
On your DEF.com DNS server, see if you have the ABC.local zone under the "Forward Lookup Zones". If not, right click on the Forward Lookup Zones and click on "New Zone...". Go through the GUI and, for simplicity and consistency of this thread, select "Secondary zone" (as suggested above, a Stub zone can also be used, but since I don't believe you have such a huge DNS database, it is generally a very small database even with a couple of thousand entries, so a Secondary zone would replicate exactly what you have in your primary zone). Type the zone name of ABC.local, click on Next, then enter the IP of the DNS server that is hosting your ABC.local DNS, which I assume is the DC of ABC.local. After entering the IP just click on Next, Next and you are done. Right click on the secondary zone of "ABC.local" you have just created and click on "Transfer from Master". If you don't get the transfer, then go to the DNS server of ABC.local, right click on the primary zone (or ADIZ zone) and select Properties. Click on the tab "Zone Transfers". Under "Only to the following servers", make sure the IP of the DNS server, assuming it is your DC of DEF.COM, is added. Then on your DEF.COM's DNS server, do the Transfer from Master again. If you still can't transfer and replicate the ABC.local DNS to DEF.com, then it is most likely blocked by a firewall. If you have no problem replicating the DNS zone of ABC.local to the DNS server of DEF.COM, then you should be able to ping the name of ABC.local.

How do you know when a politician is lying? His mouth is moving.



#2
September 4, 2010 at 18:49:49
I apologize I should have elaborated more.

Both DCs can ping each other fine. I have performed DNS zone transfers on both DCs and this replication is working.

DC1 on mycompany.com has a trust set up for company2.local but it will not verify. Error: "SC query failed due to does not exist or could not be contacted". Additionally, if I attempt to remove this non-working trust, an error of "Active Directory is busy" is returned.

DC2 on company2.local returns the error of trust cannot be established because the specified domain cannot be contacted.

I have added both DCs to the hosts file located within windows\system32\drivers\etc.

I have attempted to establish WINS lookup but this is returning the error "Connection aborted from the remote WINS".

I am not sure of what else needs to be checked.



#3
September 4, 2010 at 18:57:33
Join the forum at minasi.com

They will be able to give you a complete answer.

How do you know when a politician is lying? His mouth is moving.




#4
September 4, 2010 at 20:48:30
I don't appreciate your comment one bit.


#5
September 4, 2010 at 21:00:52
Why not? Those guys know better than anyone here & you will have an answer right away.

How do you know when a politician is lying? His mouth is moving.



#6
September 4, 2010 at 21:05:27
Your comments appear to be degrading. I looked at that website and all I could see is about training seminars. Is there a forum on that website that I should sign up to instead of here?


#7
September 5, 2010 at 06:37:16
Who said anything about that forum instead of this forum? I participate in both forums. Each has its own personality.

If you aren't interested in that forum or if you have a problem scrolling on that page to find it, it's okay. I'm sure someone else here can give you a more specific answer than I can.

I'm sorry I couldn't be of more assistance but my suggestion was anything but degrading.

How do you know when a politician is lying? His mouth is moving.



#8
September 5, 2010 at 08:46:33
Sorry I didn't see your post earlier nporterfield.

First thing you need to understand is that "I currently have mycompany.com and company2.local." are not two domains. They are two FORESTS. Each has its own unique namespace.

Sales.mycompany.com and AP.mycompany.com are examples of two domains in the same forest under the root forest mycompany.com.

You need to do a forest trust.

Here is some good material to review. I hope it helps.
http://technet.microsoft.com/en-us/...

Also, going to WINS/hosts was the wrong direction to take. It should be DNS and DNS only for name resolution.
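An added example, not posted by anyone in this thread, that scripts the secondary-zone and Transfer-from-Master steps from post #1 and then checks the DNS records a trust actually depends on, per the DNS-only advice in post #8. It assumes the DnsServer and NetTCPIP PowerShell modules of Windows Server 2012 or later (not present on the 2000/2003 DCs discussed here), and the zone name, address and host name are placeholders.

```powershell
# Added example: verify the DNS prerequisites for a cross-forest trust,
# run on the mycompany.com DNS server. Requires the DnsServer module
# (Windows Server 2012+). All names and addresses below are placeholders.
$RemoteForest = 'company2.local'
$RemoteDnsIp  = '10.0.2.10'      # placeholder: DNS server hosting the company2.local primary zone
$RemoteDc     = "dc2.$RemoteForest"  # placeholder host name of the remote DC

# 1. Secondary zone for the remote namespace, pulled from its master.
#    This is the "New Zone... > Secondary zone" procedure from post #1.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $RemoteForest `
        -ZoneFile "$RemoteForest.dns" -MasterServers $RemoteDnsIp
}

# "Transfer from Master". This fails when the remote zone's Zone Transfers
# tab does not list this server, or when TCP/53 is filtered between the DCs.
Start-DnsServerZoneTransfer -Name $RemoteForest -FullTransfer

# 2. A trust needs the remote forest's domain controller locator (SRV)
#    records, which a hosts-file entry can never supply. Check them
#    instead of relying on a bare ping.
$locatorRecords = @(
    "_ldap._tcp.dc._msdcs.$RemoteForest",
    "_kerberos._tcp.dc._msdcs.$RemoteForest"
)
foreach ($name in $locatorRecords) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    if ($srv) {
        "OK       $name -> $($srv.NameTarget -join ', ')"
    } else {
        # Missing locator records produce the "specified domain cannot be
        # contacted" error seen in post #2.
        "MISSING  $name"
    }
}

# 3. Ports the trust setup uses between the two DCs: DNS, Kerberos,
#    RPC endpoint mapper, LDAP and SMB. A closed port here points at
#    the firewall rather than at DNS.
foreach ($port in 53, 88, 135, 389, 445) {
    $r = Test-NetConnection -ComputerName $RemoteDc -Port $port -WarningAction SilentlyContinue
    "$RemoteDc`:$port -> $(if ($r.TcpTestSucceeded) { 'open' } else { 'blocked' })"
}
```

Run the same script on the company2.local side with the names swapped, since the trust wizard resolves in both directions.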



#9
September 6, 2010 at 21:25:42
Thank you for your reply wanderer.

What I really need to know is if the trust errors are due to one forest being controlled by Windows 2003 and the other forest being controlled by Windows 2000. From the research that I have done, both DCs need to be on the same system (preferably Windows 2003). We have a VMware server set up, so a Windows 2003 DC can be created to accomplish this if needed.

If the trust can be created as is, what could the possible problems be due to?



#10
September 7, 2010 at 08:02:16
2000 does not have the ability to do forest trusts. 2003 and above have that feature.


#11
September 8, 2010 at 06:01:25
Thanks wanderer. I will set up a Win2003 DC.

