Establish Windows 2000 to 2003 Active Directory Domain Trust with

Trying to establish a Trust between an AD2003/AD2000 domain through a
firewall. Firewall doesn't seem to be blocking any traffic, although when I
run NLTEST /SC_QUERY:domain name, I get I_NetLogonControl Failed : Status =
1355 0x52b ERROR_NO_SUCH_DOMAIN, but if I do NLTEST /DSGETDC:DOMAIN NAME I
get all the information regarding DC's etc back.

NLTEST /DCLIST:DOMAIN NAME cannot DSBind to domain_name status = 2148074290
0x80090332 SEC_E_SECURITY_QOS_FAILED
I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND

NLTEST /DCNAME:DOMAIN NAME NetGetDCName Failed: status 2453 0x995
NERR_DCNotFound

Any help would be greatly appreciated.

[SPollack]

Can you actually create & validate the trust in AD Domains & trust. If you can then u can use Netdom command instead to verify the trust between the two domains. I believe the systax is like this:
netdom trust /d:firstdomain 2ndomain /verify /twoway

Thanks for your response. I can create the trust in AD Domains and Trusts,
but not validate it, we are trying to establish a one way trust where the
w2k3 domain trusts the w2k domain.

Regards,

Ross Bale.

"SPollack" wrote:

>
> Can you actually create & validate the trust in AD Domains & trust. If
> you can then u can use Netdom command instead to verify the trust
> between the two domains. I believe the systax is like this:
> netdom trust /d:firstdomain 2ndomain /verify /twoway
>
>
> --
> SPollack
> ------------------------------------------------------------------------
> SPollack's Profile: http://forums.techarena.in/members/5880.htm
> View this thread: Establish Windows 2000 to 2003 Active Directory Domain Trust with
> Visit - http://forums.techarena.in/archive/index.php/
>
>

[SPollack]

Whats the error message that you get when you try to validate the trust using the Gui?

I haven't tried to validate the trust using the GUI as there was an Error in
the W2K Domain Controller System Event Log:
Source: NetLogon
Event ID: 5721
The session setup to the Windows NT or Windows 2000 Domain controller
<unknown> for the Domain xxx failed because the Domain Controller does not
have an account for the computer xxxxx.

Domain xxx is the remote domain AD 2003, computer xxxx is the domain
controller for the local domain W2K.

"SPollack" wrote:

>
> Whats the error message that you get when you try to validate the trust
> using the Gui?
>
>
> --
> SPollack
> ------------------------------------------------------------------------
> SPollack's Profile: http://forums.techarena.in/members/5880.htm
> View this thread: Establish Windows 2000 to 2003 Active Directory Domain Trust with
> Visit - http://forums.techarena.in/archive/index.php/
>
>

[SPollack]

The only thing that comes to my mind right now is to verify that the secure channel is not broken and that netlogon service has started.

Delete the trust, fix name resolution and create the trust again.

You need to be able to resolve SRV RRs in the other domain, particularly the
PDCe (and you must be able to physically contact the PDCe).

This is usually done through holding a secondary copy of that zone file.

Look at using NETDOM to delete the trust. However you could, as suggested
by SPollack, simply try resetting the secure channel --however, the trust
hasn't properly been created in my eyes.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net