When cross-forest trusts fail, the secure channel should be verified to determine that a DC in the foreign domain can be identified and contacted. This post describes the troubleshooting techniques for that scenario, and is really only the first step in troubleshooting: establishing that there are no DC locator issues (DNS, site information or connectivity) preventing what should be a valid DC across the trust from being found.
The following commands are useful for troubleshooting secure channel issues, specifically name resolution, DC locator and connectivity:
- nltest /domain_trusts /v
- nltest /sc_query:%trusted_domain%
- nltest /sc_reset:%trusted_domain%[\%DCname%]
- nslookup -debug -type=srv _ldap._tcp.dc._msdcs.%domainFQDN%
For example, in a domain called domain.local, which trusts trusteddomain.com (a direct outbound trust) and is trusted by trustingdomain.local (a direct inbound trust), run from a domain controller in domain.local:
List the domain trusts:
nltest /domain_trusts /v
List of domain trusts:
0: TRUSTED trusteddomain.com (NT 5) (Direct Outbound) ( Attr: quarantined )
Dom Sid: S-1-5-21-1993962763-492894223-839522115
1: TRUSTING trustingdomain.local (NT 5) (Direct Inbound)
Dom Sid: S-1-5-21-6079874623-1494965722-2283543576
2: DOMAIN domain.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
Dom Guid: 23855607-7223-45a6-a732-13d47536f728
Dom Sid: S-1-5-21-2037435860-7352130559-617082900
The command completed successfully
Query the secure channel to the trusted domain (the Trusted DC Name is the DC this domain controller is currently using for the channel):
nltest /sc_query:trusteddomain.com
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc02.trusteddomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Reset the secure channel to the trusted domain, letting the standard Netlogon DC locator choose a DC:
nltest /sc_reset:trusteddomain.com
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc02.trusteddomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Reset the secure channel to the trusted domain using a specific domain controller:
nltest /sc_reset:trusteddomain.com\dc01
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc01.trusteddomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
When this does not work because no logon server can be found for the specified domain, the reset fails with:
Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
I_NetLogonControl failed
Look up the DC service records for the trusted domain (trusteddomain.com) from a DC in the trusting domain (the output below is shown without nslookup -debug for clarity):
nslookup -type=srv _ldap._tcp.dc._msdcs.trusteddomain.com
Server: dc01.domain.com
Address: 192.168.0.10
_ldap._tcp.dc._msdcs.trusteddomain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc01.trusteddomain.com
_ldap._tcp.dc._msdcs.trusteddomain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc02.trusteddomain.com
dc01.trusteddomain.com internet address = 192.168.1.20
dc02.trusteddomain.com internet address = 192.168.1.21
Notes:
- The secure channel queries can give a different result on each domain controller, because each DC selects its own cross-forest DC: either at random, or using the DNS service records and site information if cross-forest site information is available.
- If no logon server is found, new cross-forest authentication or authorisation attempts between that domain controller and the target domain will fail. If this occurs, further DNS troubleshooting should follow, as DNS is the primary DC location method for Windows 2000 and Windows Server 2003 domain trusts.
- The ( Attr: quarantined ) flag in the trust listing means SID filtering is enabled on that trust, so SIDs that do not belong to trusteddomain.com are dropped from authorisation data crossing it. This has no bearing on the DC locator problem, but it is worth confirming the flag is still set after a trust is reset or recreated.
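The procedure above (list the trusts, resolve the _ldap._tcp.dc._msdcs SRV records, confirm the DCs they name can be reached, then query the secure channel) as a single script that runs the checks for every trust at once, so the per-DC differences noted above can be compared by running it on each domain controller. This is an added example, not code from the original post. The loose parsing of nltest output, the port list, and the use of Resolve-DnsName and Test-NetConnection (Windows 8 / Server 2012 and later) are assumptions; the secure channel is only queried for outbound trusts, because that is the direction in which this domain's DCs maintain one.

```powershell
# Added example, not from the original post: walk every trust that nltest reports,
# confirm the DC locator inputs for it (SRV records, then TCP reachability of each
# DC the records name), and finally query the secure channel. Run it from a DC in
# the local domain. Assumptions: nltest.exe on the PATH, Resolve-DnsName and
# Test-NetConnection available (Windows 8 / Server 2012 or later).
[CmdletBinding()]
param(
    # Ports a DC must answer on for Kerberos, LDAP and SMB (Netlogon RPC over named pipes).
    # Add 135 and the RPC dynamic range for a fuller test.
    [int[]]$Ports = @(88, 389, 445)
)

function Get-DomainTrust {
    # Parse 'nltest /domain_trusts /v'. A trust line looks like:
    #   0: TRUSTED trusteddomain.com (NT 5) (Direct Outbound) ( Attr: quarantined )
    # i.e. index, NetBIOS name, DNS name, then the direction and attribute flags.
    foreach ($line in (nltest /domain_trusts /v 2>&1)) {
        if ("$line" -match '^\s*\d+:\s+(\S+)\s+(\S+)\s+\(NT \d+\)(.*)$') {
            $netbios, $dns, $flags = $Matches[1], $Matches[2], $Matches[3].Trim()
            [pscustomobject]@{
                NetBiosName = $netbios
                DnsName     = $dns
                Flags       = $flags
                IsPrimary   = $flags -like '*Primary Domain*'
                # Our DCs only maintain a secure channel to domains we trust (outbound).
                IsOutbound  = $flags -like '*Direct Outbound*'
                SidFiltered = $flags -like '*quarantined*'
            }
        }
    }
}

function Get-DcSrvRecord {
    param([string]$DomainFqdn)
    # Same query as 'nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>'. Resolve-DnsName also
    # returns the A records from the additional section, so keep only the SRV answers.
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $DomainFqdn ($($_.Exception.Message))"
    }
}

function Test-DcReachability {
    param([string]$DcName, [int[]]$Ports)
    # One TCP probe per port; -InformationLevel Quiet makes Test-NetConnection return $true/$false.
    $row = [ordered]@{ Dc = $DcName }
    foreach ($p in $Ports) {
        $row["Tcp$p"] = Test-NetConnection -ComputerName $DcName -Port $p `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]$row
}

function Get-SecureChannelStatus {
    param([string]$DomainFqdn)
    # 'nltest /sc_query' prints the DC currently used for the channel and a status line such as
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success
    # or, on failure, 'I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS'.
    $out = (nltest "/sc_query:$DomainFqdn" 2>&1) -join "`n"
    [pscustomobject]@{
        Domain  = $DomainFqdn
        TrustDc = if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
        Status  = if ($out -match 'Status = (\d+) 0x[0-9a-fA-F]+ (\S+)') { "$($Matches[1]) $($Matches[2])" } else { 'unparsed' }
    }
}

foreach ($trust in Get-DomainTrust | Where-Object { -not $_.IsPrimary }) {
    Write-Host "=== $($trust.DnsName) [$($trust.Flags)] ==="
    $srv = @(Get-DcSrvRecord -DomainFqdn $trust.DnsName)
    if ($srv.Count -eq 0) { continue }   # DC locator cannot succeed without these; fix DNS first.
    # Lowest priority first, then highest weight: the order the locator prefers them.
    $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object { Test-DcReachability -DcName $_.NameTarget -Ports $Ports } |
        Format-Table -AutoSize
    if ($trust.IsOutbound) { Get-SecureChannelStatus -DomainFqdn $trust.DnsName | Format-List }
}
```

A trust whose SRV lookup returns nothing, or whose DCs resolve but fail every TCP probe, will show ERROR_NO_LOGON_SERVERS from nltest /sc_query or /sc_reset, so the DNS and connectivity output above tells you which of the two to fix before touching the trust itself.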
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
1 comment:
I know this post is ~7 years old, but it helped me out a ton today. Thanks!