
Help with trusts between 2000 & 2008 domains


  • Help with trusts between 2000 & 2008 domains

    Afternoon all,

    We have one domain with a number of 2000 Advanced Servers in it, some of which are DCs, and one new 2008 server which is a domain controller. I had to make the 2008 server a domain controller a couple of weeks back due to Terminal Server issues we were having.

    We have a number of remote sites which are connected via a VPN connection which is very stable. All the other external domains are Windows 2000 Advanced Server. All the external domains were trusted and they were all working fine until a couple of weeks ago, when we started to get issues with an error saying "there are currently no logon servers available to service your request". If we map a drive with the other domain's username & password it works OK. I have had a look at DNS and it appears to be working OK according to netdiag and the event log on the other domains and servers.

    If I try and verify the trusts I get another error saying "the trust relationship between the primary domain and the trusted domain failed".

    If I map on the 2008 server with the domain details of the domain I am trying to connect to it also works.

    Can anyone give me some advice??

    I hope you understand what I am trying to explain?

    Thanks,
    Simon

  • #2
    Re: Help with trusts between 2000 & 2008 domains

    How was the DNS configured when setting up the trust?
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: Help with trusts between 2000 & 2008 domains

      Originally posted by L4ndy
      How was the DNS configured when setting up the trust?
      Hi,

      Thanks for your reply!

      I have made the 2008 server a DNS server since....

      Does that make any difference?

      Thanks,
      Simon

      Comment


      • #4
        Re: Help with trusts between 2000 & 2008 domains

        Is the trust a one-way or a two-way trust? And can you post a DCdiag and Netdiag (from 2000 only) and an IPconfig /all from both?
        What is the SP level on the Windows 2000? And maybe look into issues with encrypted LDAP traffic: http://technet.microsoft.com/en-us/l...36(WS.10).aspx
        Last edited by L4ndy; 11th February 2010, 17:34.

        Comment


        • #5
          Re: Help with trusts between 2000 & 2008 domains

          Also run NETDOM QUERY TRUST /VERIFY and see what the response is.
          And, have you also changed, configured or disabled the Windows firewall on the Windows 2008 machine?
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"

          Comment


          • #6
            Re: Help with trusts between 2000 & 2008 domains

            Originally posted by Dumber
            Also run NETDOM QUERY TRUST /VERIFY and see what the response is.
            And, have you also changed, configured or disabled the Windows firewall on the Windows 2008 machine?
            Thanks!

            The firewall is off and the results of the above command are not found?

            Thanks for help!

            Simon

            Comment


            • #7
              Re: Help with trusts between 2000 & 2008 domains

              Originally posted by L4ndy
              Is the trust a one-way or a two-way trust? And can you post a DCdiag and Netdiag (from 2000 only) and an IPconfig /all from both?
              What is the SP level on the Windows 2000? And maybe look into issues with encrypted LDAP traffic: http://technet.microsoft.com/en-us/l...36(WS.10).aspx
              Hi,

              Below is the netdiag from the 2000 server and the NETDOM query too.

              C:\Documents and Settings\Administrator.CADNET>netdiag

              ......................................

              Computer Name: CADSERV02
              DNS Host Name: cadserv02.local.cadnet
              System info : Windows 2000 Server (Build 2195)
              Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
              List of installed hotfixes :
              KB329115
              KB822343
              KB823182
              KB823559
              KB824105
              KB824146
              KB824151
              KB825027
              KB825119
              KB826232
              KB828035
              KB828741
              KB828749
              KB832353
              KB832359
              KB835732
              KB837001
              KB839643
              KB839645
              KB840315
              KB840987
              KB841356
              KB841533
              KB841872
              KB841873
              KB842526
              KB842773
              KB871250
              KB873333
              KB873339
              KB883935
              KB883939-IE6SP1-20050428.125228
              KB885250
              KB885834
              KB885835
              KB885836
              KB888113
              KB889293-IE6SP1-20041111.235619
              KB890046
              KB890175
              KB890859
              KB890923-IE6SP1-20050225.103456
              KB891781
              KB893066
              KB893086
              KB893756
              KB893803v2
              KB894320
              KB896358
              KB896422
              KB896423
              KB896424
              KB897715-OE6SP1-20050503.210336
              KB899587
              KB899589
              KB899591
              KB900725
              KB901017
              KB901214
              KB904368
              KB904706
              KB905414
              KB905495-IE6SP1-20050805.184113
              KB905749
              KB908519
              KB908531
              KB911280
              KB911564
              KB912919
              KB913580
              KB914388
              KB914389
              KB917008
              KB917422
              KB917537
              KB917736
              KB917953
              KB920213
              KB920670
              KB920683
              KB920685
              KB920958
              KB921398
              KB922582
              KB922616
              KB923191
              KB923414
              KB923694-OE6SP1-20061106.120000
              KB923980
              KB924191
              KB924270
              KB925398_WMP64
              KB925454-IE6SP1-20061116.120000
              KB926247
              KB929969-IE6SP1-20061220.120000
              Q147222
              Q828026
              Update Rollup 1


              Netcard queries test . . . . . . . : Passed



              Per interface results:

              Adapter : Lan Connection

              Netcard queries test . . . : Passed

              Host Name. . . . . . . . . : cadserv02
              IP Address . . . . . . . . : 198.168.1.7
              Subnet Mask. . . . . . . . : 255.255.254.0
              Default Gateway. . . . . . : 198.168.1.35
              Dns Servers. . . . . . . . : 198.168.1.7
              198.168.1.5


              AutoConfiguration results. . . . . . : Passed

              Default gateway test . . . : Passed

              NetBT name test. . . . . . : Passed
              [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

              WINS service test. . . . . : Skipped
              There are no WINS servers configured for this interface.


              Global results:


              Domain membership test . . . . . . : Passed


              NetBT transports test. . . . . . . : Passed
              List of NetBt transports currently configured:
              NetBT_Tcpip_{F18C766E-A8F5-4377-A92A-D62FF9CD471D}
              1 NetBt transport currently configured.


              Autonet address test . . . . . . . : Passed


              IP loopback ping test. . . . . . . : Passed


              Default gateway test . . . . . . . : Passed


              NetBT name test. . . . . . . . . . : Passed
              [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


              Winsock test . . . . . . . . . . . : Passed


              DNS test . . . . . . . . . . . . . : Passed
              PASS - All the DNS entries for DC are registered on DNS server '198.168.1.7'
              and other DCs also have some of the names registered.
              PASS - All the DNS entries for DC are registered on DNS server '198.168.1.5'
              and other DCs also have some of the names registered.


              Redir and Browser test . . . . . . : Passed
              List of NetBt transports currently bound to the Redir
              NetBT_Tcpip_{F18C766E-A8F5-4377-A92A-D62FF9CD471D}
              The redir is bound to 1 NetBt transport.

              List of NetBt transports currently bound to the browser
              NetBT_Tcpip_{F18C766E-A8F5-4377-A92A-D62FF9CD471D}
              The browser is bound to 1 NetBt transport.


              DC discovery test. . . . . . . . . : Passed


              DC list test . . . . . . . . . . . : Passed


              Trust relationship test. . . . . . : Passed
              Secure channel for domain 'CADNET' is to '\\GLGHOTS01.local.cadnet'.


              Kerberos test. . . . . . . . . . . : Passed


              LDAP test. . . . . . . . . . . . . : Passed


              Bindings test. . . . . . . . . . . : Passed


              WAN configuration test . . . . . . : Skipped
              No active remote access connections.


              Modem diagnostics test . . . . . . : Passed

              IP Security test . . . . . . . . . : Passed
              IPSec policy service is active, but no policy is assigned.


              The command completed successfully

              C:\Documents and Settings\Administrator.CADNET>NETDOM QUERY TRUST /VERIFY
              Direction Trusted\Trusting domain   Via domain   Status
              ========= =======================   ==========   ======
              <->       HUNTNET.local                          Broken
                        MELNET.LOCAL                           Domain not found
                        GARDNET.local                          Domain not found
                        ENDSNET.local                          Domain not found
              The command completed successfully.

              C:\Documents and Settings\Administrator.CADNET>

              Thanks for your help,
              Simon

              Comment


              • #8
                Re: Help with trusts between 2000 & 2008 domains

                And here is the dcdiag result from the 2000 server!

                Thanks


                C:\Documents and Settings\Administrator.CADNET>dcdiag

                Domain Controller Diagnosis

                Performing initial setup:
                Done gathering initial info.

                Doing initial required tests

                Testing server: Default-First-Site-Name\CADSERV02
                Starting test: Connectivity
                ......................... CADSERV02 passed test Connectivity

                Doing primary tests

                Testing server: Default-First-Site-Name\CADSERV02
                Starting test: Replications
                ......................... CADSERV02 passed test Replications
                Starting test: NCSecDesc
                ......................... CADSERV02 passed test NCSecDesc
                Starting test: NetLogons
                ......................... CADSERV02 passed test NetLogons
                Starting test: Advertising
                ......................... CADSERV02 passed test Advertising
                Starting test: KnowsOfRoleHolders
                ......................... CADSERV02 passed test KnowsOfRoleHolders
                Starting test: RidManager
                ......................... CADSERV02 passed test RidManager
                Starting test: MachineAccount
                ......................... CADSERV02 passed test MachineAccount
                Starting test: Services
                ......................... CADSERV02 passed test Services
                Starting test: ObjectsReplicated
                ......................... CADSERV02 passed test ObjectsReplicated
                Starting test: frssysvol
                There are errors after the SYSVOL has been shared.
                The SYSVOL can prevent the AD from starting.
                ......................... CADSERV02 passed test frssysvol
                Starting test: kccevent
                ......................... CADSERV02 passed test kccevent
                Starting test: systemlog
                ......................... CADSERV02 passed test systemlog

                Running enterprise tests on : local.cadnet
                Starting test: Intersite
                ......................... local.cadnet passed test Intersite
                Starting test: FsmoCheck
                ......................... local.cadnet passed test FsmoCheck

                C:\Documents and Settings\Administrator.CADNET>

                Comment


                • #9
                  Re: Help with trusts between 2000 & 2008 domains

                  For easier reading you could paste the output from the Netdom into code tags.

                  Anyhow, if I see this it looks like it's DNS related...
                  Marcel

                  Comment


                  • #10
                    Re: Help with trusts between 2000 & 2008 domains

                    Originally posted by Dumber
                    For easier reading you could paste the output from the Netdom into code tags.

                    Anyhow, if I see this it looks like it's DNS related...
                    Thanks!

                    Wasn't sure how to do the tags?


                    Any thoughts on how to sort the dns issue?

                    Thanks for your help!

                    Comment


                    • #11
                      Re: Help with trusts between 2000 & 2008 domains

                      Try using nslookup on the different DCs to see if you can resolve the correct hostnames...
                      Marcel

                      Comment
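
The name-resolution check suggested in post #11, written as a cmd batch file. This is an added example, not something posted in the thread. It goes one step past resolving host names: for each trusted domain listed in the NETDOM output in post #7, it looks up the DC locator SRV records and asks Netlogon to locate a DC. Assumptions: nltest is installed (it ships with the Support Tools on Windows 2000), and nslookup is the English version, which prints "svr hostname" for each SRV answer.

```batch
@echo off
rem Added example, not from the thread.
rem Domain names below are the ones shown in the NETDOM output in post #7.
setlocal
for %%D in (HUNTNET.local MELNET.LOCAL GARDNET.local ENDSNET.local) do call :check %%D
endlocal
goto :eof

:check
echo ==== %1 ====
rem DC locator SRV records: LDAP on domain controllers, and the Kerberos KDC.
rem nslookup's exit code is not a reliable signal, so look for an SRV answer
rem in its output instead (assumes the English "svr hostname" label).
for %%R in (_ldap._tcp.dc._msdcs _kerberos._tcp) do (
    nslookup -type=SRV %%R.%1 2>&1 | findstr /C:"svr hostname" >nul
    if errorlevel 1 (echo   MISSING  %%R.%1) else (echo   OK       %%R.%1)
)
rem Ask Netlogon to locate a domain controller for the domain.
nltest /dsgetdc:%1 >nul 2>&1
if errorlevel 1 (echo   FAIL     nltest /dsgetdc:%1) else (echo   OK       nltest /dsgetdc:%1)
goto :eof
```

Run it on a DC in each domain: a host name that resolves while the SRV lookups report MISSING means the DNS server in use cannot see the other domain's zone, which matches a "Domain not found" trust status.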


                      • #12
                        Re: Help with trusts between 2000 & 2008 domains

                        Thanks!

                        I have just looked at nslookup and it appears to be returning the correct IPs. In the event log on the 2008 box I have the following warning.

                        "The DNS server was unable to create the built-in directory partition ForestDnsZones.local.cadnet. The error was 9906".

                        I guess it is a DNS error but I am unsure what's up?

                        Thanks,

                        Comment


                        • #13
                          Re: Help with trusts between 2000 & 2008 domains

                          I have just seen this: http://www.eggheadcafe.com/software/...unable-to.aspx

                          So if I have read it right I need to transfer the roles to the 2008 machine? All current roles are on 2k machines.

                          Thanks,

                          Comment


                          • #14
                            Re: Help with trusts between 2000 & 2008 domains

                            It's worth trying it...
                            Marcel

                            Comment


                            • #15
                              Re: Help with trusts between 2000 & 2008 domains

                              Cool, will give it a shot!

                              Thanks

                              Comment
