I'm trying to set up Windows Network Policy Server to allow RADIUS authentication in a multiple forest scenario with one-way trusts. We have several domains (each in a single domain-forest) containing user accounts, and one domain "OPS" with servers and services. OPS trusts the other domains, but they do not trust OPS.
I have configured NPS with a policy which grants access when the user is in a specific group in the OPS domain. This works fine for domain local users, such as OPS\carlpett, but when I try to use an account from another domain such as EXTAD\john.doe, I get an error logged with event id 4402 and the description:
There is no domain controller available for domain EXTAD.
An info event 6274 is also logged with details of the rejected request, where the reason is set to:
The NPS server is unavailable because of low hardware resources or because it failed to receive the name of a domain controller, which can be due to a security accounts manager (SAM) database failure on the local computer or an NT directory service (NTDS) failure.
However, I can contact several domain controllers from EXTAD. I've tried both Test-NetConnection -Port 389 dc01.extad.domain.com and Microsoft's PortQry tool, which does a lot of connection tests.
When using a domain local account, this is logged:
A LDAP connection with domain controller ad01.ops.domain.net for domain OPS is established.
This seems to indicate that only LDAP is needed? Checking open TCP connections while attempting to use an external account, I can see an established connection on port 389 to a domain controller in their domain.
Any ideas what to try? I've seen some recommendations to add the NPS server to the "RAS and IAS Servers" group, but that would seem to require a two-way trust.
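An added diagnostic, not from the original post, that separates "can I open TCP 389" from "can this host locate a DC for EXTAD the way NPS does": NPS resolves the account domain through the DC locator (DsGetDcName) and the trust path, which a plain port test never exercises. It assumes the RSAT ActiveDirectory module and nltest.exe are present on the NPS server, and that event 4402 lands in the System log and 6274 in the Security log.

```powershell
# Added diagnostic (not from the original post). Run on the NPS server.
# Assumptions: RSAT ActiveDirectory module and nltest.exe are available;
# 4402 is in the System log, 6274 in the Security log.
# A TCP test on 389 only proves the socket opens; NPS finds a DC for the
# account's domain via DC locator over the trust, so test that path.

$userDomain = 'EXTAD'   # account domain from the post

# 1. Confirm the trust OPS -> EXTAD exists and check its direction/transitivity.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive

# 2. Ask DC locator (DsGetDcName) for a DC in EXTAD, then retry ignoring the cache.
nltest /dsgetdc:$userDomain
nltest /dsgetdc:$userDomain /force

# 3. Verify the NPS host's own secure channel to OPS is healthy.
nltest /sc_query:OPS

# 4. Pull the most recent 4402 errors and 6274 rejections for correlation.
Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 4402 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

If step 2 fails while the 389 test succeeds, the problem is DC location (DNS SRV records, NetLogon, or the trust) rather than LDAP reachability, which matches the wording of event 4402.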