how to establish an inter-forest trust


Alexis Crawford

Hello,

I must set up an inter-forest trust because the Veritas backup
admin account must have the right to restore the
information store on the other forest. So I try to set up
an inter-forest one-way non-transitive trust without any
success (KBQ315053). The error I am getting is the RPC
server is unavailable. So I check under services and the
RPC service is started. I go under security in the event
viewer and there is an error 529 (bad password or wrong
username). I redo the trust and the same error occurs. I
then check both DNS settings and yes I can ping each
namespace.
I believe that this problem has something to do with the
authentication used between 2 forests. I am using NTLM.
Could someone please tell me how to resolve this issue?

Many thanks,

Alexis Crawford
 

Herb Martin

I must set up an inter-forest trust because the Veritas backup
admin account must have the right to restore the
information store on the other forest. So I try to set up

Forest trusts require Windows 2003 Domains both running
in Windows 2003 Forest functional level (all domains in each
must be in Win2003 Domain functional level.)

You can only use external trusts (between pairs of domains,
not forests) if the two forests are anything less.
 

Kit

Alexis

More information please. Are you trying to set up a trust
between two W2K domains? or is this 2003? Native mode?

This product runs fine for me between W2K & NT4, using a
user based in the NT4 domain. There was already a two-way
trust between the domains.

Just a thought - are you specifying the name in a way
that Veritas recognises? domain name\user name?
(Sometimes it is always good to check from the beginning.)

HTH
Kit
 

Alexis Crawford

I am trying to set up a trust in 2 domains. These 2
domains are in separate forests. In order for me to
restore the information store I must install W2K server
and create a new forest. Once this is done then I can
restore the information store using Veritas. All W2K
servers are in native mode and we are running W2K server
SP4. The thing is that I am unable to restore a backup due
to the RPC server being unavailable.
I cannot see the other forest in Network Neighbourhood but
I can ping each one by their namespace.
 

Ace Fekay [MVP]

In
Alexis Crawford said:
I am trying to set up a trust in 2 domains. These 2
domains are in separate forests. In order for me to
restore the information store I must install W2K server
and create a new forest. Once this is done then I can
restore the information store using Veritas. All W2K
servers are in native mode and we are running W2K server
SP4. The thing is that I am unable to restore a backup due
to the RPC server being unavailable.
I cannot see the other forest in Network Neighbourhood but
I can ping each one by their namespace.


Usually RPC errors are saying that there is no resolution between them (DNS
or NetBIOS, depending on what function you're trying to perform).

Domain trusts between domains of different W2k forests require NTLM, as you
pointed out in your original post, and NTLM requires NetBIOS name resolution
functionality, so therefore, there must be some sort of means for NetBIOS
name resolution between the two domains.

Are the two domains in different subnets? If you cannot see them in Network
Neighborhood, then that is telling me that you don't have NetBIOS resolution
support between them and they are in fact on different subnets. I would
suggest to use WINS and it should then work fine.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ace Fekay [MVP]

In
Alexis Crawford said:
Hello Ace,

Thanks for the reply. Yes, both these forests are on the
same subnet and WINS is installed on both DCs. However I
still get the same message that the RPC server is
unavailable. What am I missing? I would really like for
the trusts to work.

Please help,

Alexis Crawford

Same subnet, hmm. WINS is not needed in such a scenario since NetBIOS is
boundaried by routers. Are the domains or any of the DCs using the same
name? That will cause issues. As I said, RPC server unavailable errors are
simply saying it can't resolve to the name or the DC is truly down.

Can you maybe give us some more info, such as an ipconfig /all of both DCs
of the different forests you're trying to accomplish this from?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Alexis Crawford

Thanks for the reply!
Both DCs have different names and each of them is in
a different forest. DCtest is 192.168.1.19, its DNS is
192.168.1.19 and DG 192.168.1.254; the production
environment DC is 192.168.1.21, its DNS is 192.168.1.21, DG
is 192.168.1.254. Again I can ping each namespace with a
successful reply back on either server. But when I
establish the trust on my production DC I get a message
the RPC server is unavailable. At this point I will
install a W2K server on a new machine and try to
establish the inter-forest forest trusts.
If you come up with an idea please let me know.

Alexis Crawford
 

Ace Fekay [MVP]

In
Alexis Crawford said:
Thanks for the reply!
Both DCs have different names and each of them is in
a different forest. DCtest is 192.168.1.19, its DNS is
192.168.1.19 and DG 192.168.1.254; the production
environment DC is 192.168.1.21, its DNS is 192.168.1.21, DG
is 192.168.1.254. Again I can ping each namespace with a
successful reply back on either server. But when I
establish the trust on my production DC I get a message
the RPC server is unavailable. At this point I will
install a W2K server on a new machine and try to
establish the inter-forest forest trusts.
If you come up with an idea please let me know.

Alexis Crawford


Hmm, that is strange that the RPC message is consistently coming up in your
scenario. Are all the services enabled on the other machine and is NetBIOS
enabled (which would cause this)?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ace Fekay [MVP]

In Alexis Crawford <[email protected]> posted their thoughts,
then I offered mine

Also make sure MS Client and F&P services are enabled on the NICs too.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
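
An added example, not part of any post in this thread: a small Python check over the `ipconfig /all` output of both DCs that covers the questions raised in the replies above (duplicate names, same or different subnet, WINS, NetBIOS enabled). The sample outputs are constructed; the /24 mask, the host name `dcprod`, the WINS line and the disabled NetBIOS line are assumptions, and `parse` and `trust_preflight` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpts. Only the IP and DNS addresses come
# from the thread; the /24 mask, the host name "dcprod", the WINS line and
# the "Disabled" NetBIOS line are assumptions made up to exercise the checks.
DCTEST = """\
        Host Name . . . . . . . . . . . . : dctest
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.19
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.1.19
        Primary WINS Server . . . . . . . : 192.168.1.19
"""
DCPROD = """\
        Host Name . . . . . . . . . . . . : dcprod
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.21
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.1.21
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""

def parse(text):
    """Return {label: value} for the 'Label . . . : value' lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def trust_preflight(a_text, b_text):
    """List the name-resolution problems raised in the thread for two DCs."""
    a, b = parse(a_text), parse(b_text)
    findings = []
    if a["host name"].lower() == b["host name"].lower():
        findings.append("duplicate host name")
    net = lambda d: ipaddress.ip_interface(f'{d["ip address"]}/{d["subnet mask"]}').network
    routed = net(a) != net(b)  # NetBIOS broadcasts do not cross routers
    for d in (a, b):
        if d.get("netbios over tcpip", "").lower() == "disabled":
            findings.append(f'{d["host name"]}: NetBIOS over TCP/IP disabled')
        if routed and "primary wins server" not in d:
            findings.append(f'{d["host name"]}: different subnet, no WINS server')
    return findings

print(trust_preflight(DCTEST, DCPROD))
```
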
 