I am going to be migrating from domain A to domain B so I need to create a
trust between them because I will be migrating 1 office at a time and their
files but my other offices will need access to those files on Domain B. I
have Domain B setup as a secondary zone in Domain A and vice versa. I can
ping any computer in the other domain and the domain itself on both.

My issue is that when I go to Domain A Domains and Trusts and right click on
domain A go to properties and then the trust tab. I click New Trust, put in
the FQN of domain B and select either External or Forest trust, then two-way
trust, then Both this domain and the specified domain, give it a domain
admin account info for the other domain. I get the following.
Cannot Continue
The trust relationship cannot be created because the following error
occurred:
The operation failed. The error is: Access is denied.

Just a note that if I go to domain B and check the security log it shows my
admin getting successfully authenticated from the domain A server.

Thanks much
Brett Bishop
MCSE

Re: Problem Setting up Trust by Jorge

Jorge
Fri Mar 28 08:57:52 PDT 2008

Hi
-Any firewall between both DCs? Check the fw log for both machines and check
for errors or denied protocols.
-Are these machines Virtual Machines? Try to create the trust using the
netdom cmd, or try from the other side of the trust, additionally you may
set in both ends the PW for both Admins (strange I know...). Try to access
both servers using \\servername, you'll be asked for an authentication user
and corresponding password, do that in both DCs, try again...
-Open network monitor to check for additional info about what is being
denied.
-Assuming 2 different subnets, set up at least one WINS server and point both
servers to the same WINS server, right-click on the NIC and choose repair in
both servers, after that try to create the trust using the NetBIOS domain
name and if that fails use the DNS name.
-Make sure that both DC/DNS can ping each other using their FQDN.

good luck.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
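
[Added example, not part of Jorge's post: the name-resolution, connectivity and \\servername checks from the list above as one PowerShell script to run on a DC in each domain. The three parameter defaults are placeholders, and the port list (88, 135, 389, 445) is an assumption about what the trust wizard needs to reach, not something stated in the thread.]

```powershell
# Added example: pre-flight checks to run on a DC in each domain before
# creating the trust. All three parameter defaults are placeholders.
param(
    [string]$RemoteDomain = 'domainb.example',       # other domain's DNS name
    [string]$RemoteDc     = 'dc1.domainb.example',   # a DC in that domain
    [string]$RemoteUser   = 'DOMAINB\Administrator'  # admin account there
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. The remote DC must resolve by FQDN (ping by IP proves nothing about DNS).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($RemoteDc)
    "DNS   ok    $RemoteDc -> $($addrs -join ', ')"
} catch {
    "DNS   FAIL  $RemoteDc : $($_.Exception.Message)"
}

# 2. The DC locator needs the remote domain's SRV records, not just A records.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain"
nltest "/dsgetdc:$RemoteDomain"

# 3. Ports used between DCs: a firewall log is not the only way to see a block.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort $RemoteDc $p) { 'open' } else { 'NOT REACHABLE' }
    "TCP   {0,-14} {1,5}  {2}" -f $state, $p, $ports[$p]
}

# 4. Authenticated SMB session, the scripted form of browsing to \\servername.
#    net use prompts for the password. System error 1326 = bad user name or
#    password; 1219 = a session with other credentials already exists; 5 = access denied.
$share = "\\$RemoteDc\IPC`$"
net use $share * "/user:$RemoteUser"
if ($LASTEXITCODE -eq 0) { net use $share /delete }
```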


Re: Problem Setting up Trust by Brett

Brett
Fri Mar 28 09:14:41 PDT 2008

First off, No Firewall. They are on the same Subnet/LAN.
Not Virtual
netdom status: Access is denied
When I do \\servername and give it the domain\administrator with the admin
password or any other account it gives me an error.
Both servers/domains can ping other domain and other server using FQDN.


Re: Problem Setting up Trust by Jorge

Jorge
Fri Mar 28 09:25:33 PDT 2008

-you should be able to access directly to each server, you say you get an
error? what error when doing \\servername?
-Any previous wrong cached credentials may also cause that.


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: Problem Setting up Trust by Brett

Brett
Fri Mar 28 10:11:37 PDT 2008

When I try \\servername it comes back with the login box again and has info
bubble that says:
Logon unsuccessful:
Windows is unable to log you on. Be sure that your user name and password
are correct.
Don't think there is any previous wrong cached credentials.

Thanks,
Brett Bishop
MCSE


Re: Problem Setting up Trust by Jorge

Jorge
Sat Mar 29 01:13:46 PDT 2008

-You should be prompted for a user name and password.
-Check cached credentials in Control Panel.
-Check policies that might be preventing the connection.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Re: Problem Setting up Trust by Paul

Paul
Mon Mar 31 06:06:27 PDT 2008

Any time I have had trouble setting up a trust it has been dns. I am
assuming both forests are at the same o/s level is that correct?

How do you have the dns setup? When you ping are you using the FQDN or the
ip address?

One thing to check for connectivity try to see if you can get the NTFRS
version from one forest to the other. From a command prompt on a dc from
each forest run the following:

NTFRSUTL version server_name

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



Re: Problem Setting up Trust by Brett

Brett
Mon Mar 31 06:07:19 PDT 2008

I do get prompted but it doesn't work with any of the user accounts I try.
I used Domain\Username and the password for 3 different domain admin
accounts. There is nothing in the cached credentials. I checked the policies
and didn't see anything that might interfere with this.

Side note a long time ago I was messing with Certs and I had a CA but it is
not on anymore but there may be Certs on my servers still. Could that have
anything to do with this? (Don't really have a whole lot of experience with
certs)

Thanks,
Brett Bishop
MCSE


Re: Problem Setting up Trust by Brett

Brett
Mon Mar 31 06:20:43 PDT 2008

Thanks for the reply. So, I can ping each other using FQDN or IP with no
problems. When I do the NTFRSUTL from my new server I get this.

C:\>NTFRSUTL version homestar
NtFrsApi Version Information
NtFrsApi Major : 0
NtFrsApi Minor : 0
NtFrsApi Compiled on: Feb 16 2007 20:01:19
ERROR - Cannot RPC to computer, homestar; 000006d2 (1746)

On my old server I get an error message that comes up and says:
"The procedure entry point NtFrsApi_ForceReplication could not be located in
the dynamic link library NTFRSAPI.DLL."

Old Domains main server with all the roles on it is 2003 Standard Edition
and the New Domain server is 2003 R2 SP2 Enterprise Edition if any of that
matters. Both domains are running 2003 native mode.

Thanks
Brett Bishop
MCSE


Re: Problem Setting up Trust by Brett

Brett
Mon Mar 31 09:09:47 PDT 2008

Another note is I was able to create the trust if I go to Domain B and
create it from there and it can validate the trust just fine but when I
connect to Domain A and try to validate the trust through there it just
returns the login box over and over. Doesn't work.
Thanks,
Brett Bishop
MCSE


Re: Problem Setting up Trust by Paul

Paul
Tue Apr 01 05:59:46 PDT 2008

I am not sure how the system is going to react if the CA wasn't properly
cleaned up. You should go through the link below and verify your system is
clean.

http://support.microsoft.com/kb/889250

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.