Outgoing trusts losing trusts after validation of another

  • Outgoing trusts losing trusts after validation of another

    I have a strange problem that I just can't figure out.

    I have the setup of a central domain (call it containing administrative accounts, and other domains (i.e. and which will allow access to these trusted credentials on the central domain.

    So, the idea is to set up two incoming forest trusts into, from and respectively. The test domains will then add these objects to local groups to support administration etc.

    All works fine when I create only a single trust either from or The administrative groups work correctly in that domain. The problem comes when I try to create both. The last one created works fine, but the other fails with a DCE RPC fault trying to translate the SIDs of the central domain objects, and where they are groups cannot enumerate the members.

    Even weirder, I can swap which one is working by performing a trust validation on the non-working trust - this switches that trust to working but the other one breaks. Each time the validation works absolutely fine. So, it doesn't seem like any of the normal policy issues for anonymous logons etc. as individually the trusts operate fine - they just seem to interfere with each other.

    BTW SIDs look fine, they are not repeated images or anything like that. The one slight quirk is that the hostname of the dc (each forest here contains only a single domain controller) for the and domains is the same - mydc

    Any help appreciated!

  • #2
    Re: Outgoing trusts losing trusts after validation of another

    A little bit more on this

    What is actually occurring in the failing trust relationship is that any LsarLookup going on (for sids / names etc) fails and causes an MSRPC fault response with status 0x721 (RPC_S_SEC_PACKAGE_ERROR)

    Again, if I validate the other trust this goes away, so it is not that there is a security error with the trust per se but that there is an interaction with the other trust such that in terms of security being checked here, the last one wins - not sure what this can be however


    • #3
      Re: Outgoing trusts losing trusts after validation of another

      And a bit more information

      This seems to be linked to the DCs having the same computer name !!!!!!

      Have DC (single in forest) in domain A.local (netbios A) with name X forest trust to central domain, and another DC (single in forest) in domain B.local (netbios B) with same name X forest trust to central domain; issues occur with SID translation MSRPC fault previously

      However, change one of the DC names to Y and all ok!!!
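
A pre-flight check for the condition this thread arrives at, as an added example that is not part of the original posts: it lists the domain controllers of each trusting domain and reports any computer name used in more than one of them. The domain names in `$TrustingDomains` are placeholders, and the script assumes the ActiveDirectory RSAT module and an account that can read each listed domain.

```powershell
# Added example (not from the thread): find DC computer names that are
# reused across domains which all hold a trust with the same central domain.
Import-Module ActiveDirectory

# Placeholder DNS names; replace with the domains that trust the central one.
$TrustingDomains = @('a.example', 'b.example')

$dcs = foreach ($domain in $TrustingDomains) {
    try {
        # -Server directs the query at the remote domain.
        Get-ADDomainController -Filter * -Server $domain -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Domain    = $domain
                    # Compare the short computer name case-insensitively.
                    ShortName = $_.Name.ToUpperInvariant()
                    HostName  = $_.HostName
                }
            }
    }
    catch {
        Write-Warning "Could not enumerate DCs in ${domain}: $($_.Exception.Message)"
    }
}

# A collision is one short name that appears in two or more different domains.
$collisions = $dcs | Group-Object -Property ShortName | Where-Object {
    @($_.Group.Domain | Sort-Object -Unique).Count -gt 1
}

if ($collisions) {
    foreach ($c in $collisions) {
        $where = ($c.Group | ForEach-Object { $_.HostName }) -join ', '
        Write-Output "Duplicate DC name '$($c.Name)': $where"
    }
}
else {
    Write-Output 'No DC computer name is shared between the listed domains.'
}
```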