I have a strange problem here and am hoping someone will help me understand what is going on. We have a 2 domain forest called that I will call A. There are 2 other single domain forests called B and C. C is a test domain that I try to keep as similar to B as possible. I have a 2-way forest trust between A and B, and another 2-way forest trust between A and C. I got a ticket in about the trust being broken between A and C and checked. I could not add a user or a Universal group from C to a Domain Local group in A. I can see the domain and select the user or group in ADUC, but when I hit OK I get this message: The Active Directory Domain Controllers required to find the selected objects in the following domain are not available: Domain C fqdn Ensure the ActiveDirectory Domain Controllers are available, and try to select the objects again Nltest, netdom and the AD Domains and Trusts utility all said the trusts were fine. I removed and re-created the trusts but have the same issue. One the C domain, I can add a user or Universal group from A to a domain local group in C. I can resolve the DC names of domain C from my machine that is in domain A and vice versa. Test-connection works between the 2 infrastructure master roles in each domain. I looked at the ports open between the DCs in both domain and verified with the firewall team that the required ports are open. So I started thinking of the Infrastructure Master Role. All our DCs are also Global Catalogs so I do not know how much of a role the Infrastructure Master actually plays. However if there was a problem with this role, I would assume I cannot add a member from any other domain. On the A domain however I can add a user from B to a domain local group in A. I’m not sure what to look at and any pointers would be helpful. Thanks, Smita Carneiro, GCWN Active Directory Systems Engineer IT Security and Policy www.itap.purdue.edu
AD trust issues
- 645 Views
- Last Post 22 August 2017
In my experience, most trust issues are either DNS or firewall caused.
Can an A DC resolve the global catalog DNS records for C? i.e.
gc.tcp.<C’s FQDN> SRV
gc.tcp.<C’s site>.sites. <C’s FQDN> SRV
gc.msdcs. <C’s FQDN> A
ldap.tcp.gc._msdcs. <C’s FQDN> SRV
There are 3 SRV records and 1 A record in that list.
If yes, can an A DC connect to the 3268 tcp port on the C DC (which is a GC)? (Microsoft’s portqry tool is useful for checking this).
On another line of inquiry, I wonder whether there is any hierarchical DNS relationship between A and C, e.g. A=blah.something.com & C=bit.blah.something.com,
or even if you are using explicit UPNs which have that kind of relationship. If there is, then it is possible you have a Kerberos name suffix routing issue. Basically this is giving the trust object in one domain “hints” to help find trusted domains. I provided
help on this topic 3 months ago on this list, and here’s a link to a specific example on how to setup a name suffix mapping:
Are lower range dynamic RPC ports open? I had something similar – the network team had opened all of the required ports as in several articles, however it turned
out that one of the Domain Controllers (DC) in the domain sending lower range dynamic ports while connecting to the other DCs of the local domain. We tried running a specific command to set the higher range dynamic ports on the local DC, which did not resolve
the issue – However when we ended up allowing dynamic RPC I think it was port 1000 and below it started working. Stuck me for 3 days - :P
Identity and Security
PortQryUI is your friend: https://www.microsoft.com/en-us/download/details.aspx?id=24009
Thanks you all for your replies.
Brian, you hit the nail on the head with the UPN suffix.
The 2 domains are completely separate.
However we are doing some debugging because of Outlook issues, and the messaging team had asked me to add the purdue.edu suffix to the C domain (the fqdn for
this is C.purdue.edu)
One the A domain side (whose fqdn is a.x.lcl), the routing for purdue.edu was disabled for the trust with c.purdue.edu. I did not know this. Once I removed the
purdue.edu suffix from the C domain, the routing on A changed automatically to Enabled for c.purdue.edu.
I’m going to do some research on excluding name suffixes from routing now.
Thanks so much!
Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy