
We have a one-way external trust between two domains. The trust was configured and validated both ways, and everything worked fine. Randomly the trust will stop functioning. If we reboot one of the domain controllers, the trust will be re-established.

The domains are connected via MPLS circuit.

The trusting DC's DNS server has a secondary zone configured for the trusted domain, and vice versa, with zone transfers enabled for DNS resolution.

Can someone assist with determining troubleshooting steps? Here are the relevant logs I have found from the trusting domain controller:

System- LsaSrv - 40961 - The Security System could not establish a secured connection with the server ldap/dc1.trusteddomain.local/trusteddomain.local@trusteddomain.LOCAL. No authentication protocol was available.

System - Netlogon - 5719 - The computer was not able to set up a secure session with a domain controller in domain TRUSTEDDOMAIN due to the following: There are no logon servers available to service the logon request.

Application - SceCli - 1202 - Security policies were propagated with warning 0x534. No mapping between account names and security IDs was done.

It seems to me that the trusting domain loses its connection via the MPLS circuit to the trusted domain controller. However, whenever we test this it is functioning. So maybe the trust is broken and is never re-established?

Any help is appreciated, thanks!

floyd
  • How/what are you testing when the trust stops working? – joeqwerty Sep 25 '12 at 22:41
  • We notice the trust is not working when users from the trusted domain are not able to log in to servers on the trusting domain that they were able to log in to before. I test the connection via ping etc. and the connection is there. Just the trust seems to be down. We can even use the domain/trust MMC and verify the trust is active. – floyd Sep 25 '12 at 22:44
  • How are you handling DNS name resolution for the trust? Does each domain's DNS servers have conditional forwarders configured for the other domain's DNS servers? – joeqwerty Sep 25 '12 at 23:16
  • The DNS zone for the trusted domain is configured as a secondary DNS zone on the trusting domain's DC. – floyd Sep 25 '12 at 23:23
  • So the AD DNS zone isn't AD integrated and it's configured as a secondary zone on the trusting domain's DC with zone transfers enabled? When the trust fails, try testing DNS resolution using the method here for your secondary zone: http://technet.microsoft.com/en-us/library/ee307976(v=ws.10).aspx – joeqwerty Sep 25 '12 at 23:39
  • To clarify my suggestion: I'm not saying that DNS name resolution is the problem but it's certainly one of the first things I would test based on the symptoms. Beyond that, you can verify the trust when the problem occurs by using the netdom utility. – joeqwerty Sep 26 '12 at 00:59
  • Now that you have mentioned DNS, I went to the DNS server logs on the trusting domain and noticed some errors with zone transfers. There are also errors with dynamic registration. Not a lot, but a few in the last couple of days. The DNS client settings on the trusting DC have itself as primary, and the IP of the trusted domain as the secondary IP. Is that a problem? – floyd Sep 26 '12 at 17:14
  • I can't say for sure if that configuration would cause your problem, but the DC should have DNS servers in its own domain configured, not DNS servers in other domains, especially considering the fact that the server hosts a secondary copy of the other zone. – joeqwerty Sep 26 '12 at 21:38
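The comments boil down to three checks to run on the trusting DC at the moment the trust drops: which resolvers the DC is using, whether the trusted domain's DC locator records and the secondary zone still resolve, and whether the secure channel/trust verifies. The PowerShell below, an added example that is not from the thread, captures all three in one pass; `trustingdomain.local` is a placeholder (the post never names the trusting domain), and `Resolve-DnsName`, `Get-DnsClientServerAddress` and `Get-DnsServerZone` assume PowerShell 3 on Server 2012 or later with the DNS Server role.

```powershell
# Added example (not from the thread). Run on the trusting DC as a domain admin
# while the trust is in its failed state, and compare with a run while it works.
$TrustedDomain  = 'trusteddomain.local'   # from the post
$TrustingDomain = 'trustingdomain.local'  # placeholder: the post does not name it

# 1. Which resolvers is this DC actually using? The thread notes the DC lists a
#    DC in the *other* domain as its secondary resolver, which the last comment
#    advises against: if the MPLS path hiccups, lookups can land on a remote server.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Can the DC locator (SRV) records for the trusted domain be resolved?
#    Netlogon 5719 ("no logon servers available") is the symptom when this fails.
$srv = "_ldap._tcp.dc._msdcs.$TrustedDomain"
try {
    Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Format-Table NameTarget, Port, Priority, Weight -AutoSize
} catch {
    Write-Warning "SRV lookup for $srv failed: $($_.Exception.Message)"
}

# 3. State of the secondary copy of the trusted zone. A secondary that cannot
#    refresh from its master eventually expires and stops answering, which fits
#    the zone-transfer errors mentioned in the comments.
Get-DnsServerZone -Name $TrustedDomain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers

# 4. Force a fresh DC locator lookup, then check the cached secure channel and
#    verify the trust itself, as the comments suggest.
nltest /dsgetdc:$TrustedDomain /force
nltest /sc_query:$TrustedDomain
netdom trust $TrustingDomain /d:$TrustedDomain /verify

# 5. Pull the most recent LsaSrv 40961 and Netlogon 5719 events so the failure
#    window can be lined up against the DNS results above.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40961, 5719 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

If step 2 succeeds against the local resolver but step 4 still fails, the problem is past name resolution (Kerberos/RPC over the circuit); if step 2 fails or step 3 shows the zone unable to reach its master, start with the DNS client and zone-transfer configuration.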
