Domain trust issue

[pc00830]

We are trying to create two-way trust between two 2003
servers via site-to-site VPN. When we click the Validate
under AD Domain and Trust in domainA, we get this
message: "The trust cannot be validated for the following
reasons: The outgoing trust was successfully validated.
The secure channel (SC) reset on the domain controller
\\cpq2003\domainB of domain domainB.com to domain
domainA.net failed with error: There are currently no
logon server available to service the logon request."
When doing the same in domainB, we receive this
message: "Windows cannot find the domain controller for
domainA."

We can ping each other by IP or DNS name. We also make
sure that we type the correct logon name and password. Any
suggestion?

 

[Herb Martin]

We are trying to create two-way trust between two 2003
servers via site-to-site VPN.

Servers don't have "trusts" so I presume you mean between
the DCs of two domains.

When we click the Validate
under AD Domain and Trust in domainA, we get this
message: "The trust cannot be validated for the following
reasons: The outgoing trust was successfully validated.
The secure channel (SC) reset on the domain controller
\\cpq2003\domainB of domain domainB.com to domain
domainA.net failed with error: There are currently no
logon server available to service the logon request."

Probably an "RPC timeout" error but I guess it COULD be
a firewall issue or due to the failure below...

When doing the same in domainB, we receive this
message: "Windows cannot find the domain controller for
domainA."

This is likely a NetBIOS name resolution problem. As I have
been told, external trusts are dependent on NetBIOS resolution,
since they must work with NT domains.

Answer: Both DCs must use the same WINS database;
WINS server(s), replicated.

We can ping each other by IP or DNS name. We also make
sure that we type the correct logon name and password. Any
suggestion?

Netbios must resolve and the DC traffic must pass the firewall.

 

[Guest]

Hi Herb,

Thank you for the help. I guess it is name resolution
issue. I found the domianA DNS doesn't update the records
and doesn't have _msdcs, _sites, _tcp, _udp
DomainDnsZones and ForestDnsZones. Then I removed it and
deleted the dns data from dns folder. After re-installed
DNS, it is still the same problem, no update, no _msdcs,
_sites, _tcp, _udp DomainDnsZones and ForestDnsZones. Any
suggestions?

 

[Herb Martin]

Thank you for the help. I guess it is name resolution

issue. I found the domianA DNS doesn't update the records
and doesn't have _msdcs, _sites, _tcp, _udp
DomainDnsZones and ForestDnsZones. Then I removed it and
deleted the dns data from dns folder. After re-installed
DNS, it is still the same problem, no update, no _msdcs,
_sites, _tcp, _udp DomainDnsZones and ForestDnsZones. Any
suggestions?

Do I understand correctly that this is ONE of your DNS servers,
or the only one?

One of: If it is a secondary (you cannot have multiple 'ordinary'
primaries) then do a manual zone transfer -- make sure the "master"
address (source for pulling zone transfer's is correct to the other
DNS server) AND that the 'master' allows transfers to (at least)
this secondary.

One of: If it is one of several AD Integrated DNS servers, then
you probably have AD replication AND DNS problems with them
both dependendent on each other -- change it back to secondary
(using the correct DNS server as master); manual zone transfer;
ensure AD replicates fully; then you can change it back.

If the only one: Make sure it is dynamic and ALL of your internal
machines -- including itself and the DCs, they are DNS clients too
-- use ONLY the internal, dynamic DNS. (Restart NetLogon on
each DC after fixing it.)

 

[pc00830]

This is only DC and DNS. All TCPIP point the internal DNS.
I am reinstalling the server since it is test server.
thanks any way.