Trust relationship test.... Failed

Victor Geyyer

Hello everybody,

I have upgraded from NT4.0 domain (MyDom) to Win2K domain (MyDomain.com/
NetBios name MyDom). I have 2 DCs: DC1 and DC2...

Some of my clients have a problem... When I run NetDiag on them I get:

Trust relationship test.... Failed
Secure channel to domain [MyDom] is broken

When I try to reset secure channel using either netdom or nltest utilities,
I am successful, but then when I try NetDiag I am still getting an error:

[FATAL] Cannot test secure channel for domain 'MyDom' to DC 'DC1'.
[ERROR_NO_SUCH_DOMAIN]

I have checked the DNS settings on the client and sure it points to the
correct servers DC1 and DC2 (both DCs are also DNS servers).

The only fix I found so far is re-adding the client to domain
(MyDomain.com)...

I'm wondering why it's happened for a large number of clients and is there
any way to fix the secure channel problem (other than re-adding the client
to domain)? I have tried 'netdom' and 'nltest'... Did not help much...

Thanks in advance!

Victor Geyyer,
MCSE NT4, 2000
 
Buz [MSFT]

Make sure you have NetBIOS name resolution between the PDC and the PDC
emulator in both domains. Once you have that, break and recreate the trust.

A great deal of trust issues are usually related to name resolution
problems. The following simple steps should, in most cases, always be
performed first, especially when setting up a new trust fails with "No
Domain Controller for this domain" type of errors. Keep in mind that at this
time only 2 Windows 2003 Full Native Mode Forests can establish a trust
using Kerberos. All other trusts will use NTLM, hence we need NetBIOS name
resolution.



Type NBTSTAT -c from both of the DCs we are trying to set up the trust
from; we should see a 1B record that references the other domain.



If we do not have this record this is most likely the issue or part of the
issue:



Create an LMHOSTS file using Lmhosts.htm



Place this file in the Winnt\System32\Drivers\Etc directory.



Then from a command prompt run the following



NBTSTAT -R (reload the cache)

NBTSTAT -c (view the NetBIOS name table)



After typing the above, you should receive a display similar to the
following showing a 1B record for the other domain and the IP address of the
PDC in the other domain:



Node IpAddress: [10.0.0.5] Scope Id: []

              NetBIOS Remote Cache Name Table

    Name              Type       Host Address    Life [sec]
----------------------------------------------------------
PDCName        <03>  UNIQUE          10.0.0.1        -1
PDCName        <00>  UNIQUE          10.0.0.1        -1
PDCName        <20>  UNIQUE          10.0.0.1        -1
Domain         <1B>  UNIQUE          10.0.0.1        -1




180094 How to Write an LMHOSTS File for Domain Validation and Other Name
http://support.microsoft.com/?id=180094


Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
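
The LMHOSTS step and the NBTSTAT -c check described above, as an added example that is not part of the original thread or of any Microsoft tool. It builds the two preload lines for the other domain's PDC (the quoted entry must be exactly 20 characters: the name padded to 15, then \0x1b) and confirms the 1B record in cached output. The function names are hypothetical and the sample values are the ones from the display above.

```python
import re

def lmhosts_entries(domain, pdc_name, pdc_ip):
    """Return the two LMHOSTS lines that preload a PDC and its domain <1B> name."""
    if not 1 <= len(domain) <= 15:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    # Quoted names are taken literally, so uppercase the name to match the
    # registered NetBIOS name, pad it to 15 characters, then append the
    # 5-character escape for the 16th byte: 15 + 5 = 20 characters in quotes.
    quoted = domain.upper().ljust(15) + "\\0x1b"
    return [
        f"{pdc_ip}\t{pdc_name}\t#PRE\t#DOM:{domain}",
        f'{pdc_ip}\t"{quoted}"\t#PRE',
    ]

# One row of the "NetBIOS Remote Cache Name Table" printed by NBTSTAT -c.
ROW = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+"
    r"(\d+(?:\.\d+){3})\s+(-?\d+)\s*$"
)

def cached_names(nbtstat_output):
    """Parse NBTSTAT -c output into (name, suffix, address) tuples."""
    rows = []
    for line in nbtstat_output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1).upper(), m.group(2).upper(), m.group(4)))
    return rows

def has_domain_1b(nbtstat_output, domain, pdc_ip):
    """True if the cache holds a <1B> record for the domain at the PDC's address."""
    return (domain.upper(), "1B", pdc_ip) in cached_names(nbtstat_output)

# Constructed sample, copied from the display in the post above.
SAMPLE = """\
Node IpAddress: [10.0.0.5] Scope Id: []
    Name              Type       Host Address    Life [sec]
PDCName        <03>  UNIQUE          10.0.0.1        -1
PDCName        <00>  UNIQUE          10.0.0.1        -1
PDCName        <20>  UNIQUE          10.0.0.1        -1
Domain         <1B>  UNIQUE          10.0.0.1        -1
"""

if __name__ == "__main__":
    print("\n".join(lmhosts_entries("Domain", "PDCName", "10.0.0.1")))
    print("1B record cached:", has_domain_1b(SAMPLE, "Domain", "10.0.0.1"))
```

A missing 1B row after NBTSTAT -R usually means the quoted entry is not exactly 20 characters long.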



