
I have 2 forests - domainA.com and domainB.net. There is a two-way trust set up on each. When I try to search objects located on domainB.net from domainA.com it gives me the following error:

The system cannot contact a domain controller to service the authentication request.

If I try to search vice versa (on domainA.com from domainB.net) everything works.

Here are some tests I've made at the moment:

C:\Windows\system32>nltest /sc_verify:domainB.net
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DCNAME.domainB.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

PS C:\Windows\system32> Get-ADTrust -filter {name -eq "domainB.net"}

Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=domainB.net,CN=System,DC=domainA,DC=com
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : domainB.net
ObjectClass             : trustedDomain
ObjectGUID              : 4cfb2e5b-6c89-05a0-bb33-64fec64344e4
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=domainA,DC=com
Target                  : domainB.net
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           : 
TrustingPolicy          : 
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

There are also 3 different forests with the same settings as domainB.net and the same error.

I'm new to forest trust relationships, so any help is appreciated.

FanteG

2 Answers


I've found the root of the issue. In forest A there are a couple of domains, so the account from which I've tried to list forest B resources belongs to a C domain included in forest A, though the account was in the Enterprise Admins group. Problem solved by creating the account in the forest A root domain. Thanks for help.

FanteG

This isn't DNS related, is it? 'Cannot contact a domain controller' implies it either can't get through (which it can, as it can connect the other way) or doesn't know where to look.

If you nslookup domainA.net from your domainB.net DCs and vice versa, do they resolve correctly (i.e. a list of all DCs)? Does this work from all DCs in your 2 forests?

How do the 2 domains' DNS servers reference the other domain's DNS zones? Do you have stub zones or conditional forwarders set up on both sides, and do all DCs in all domains have this set correctly?

Jim ReesPotter
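The two answers point at two different failure causes for "cannot contact a domain controller": the account's home domain within the trusting forest (the accepted answer) and DC locator / DNS resolution toward the other forest (the second answer). The following PowerShell script is an added diagnostic that is not part of either post; it runs the checks both answers describe from a machine in forest A. It assumes the RSAT ActiveDirectory and DnsClient modules are available, optionally the DnsServer module if run on a DNS server, and the parameter name $TargetForest and its example value are constructed for this illustration.

```powershell
# Added diagnostic (not from the original thread). Run from a domain-joined
# host in the forest that cannot see the other side, e.g.:
#   .\Test-ForestTrustPath.ps1 -TargetForest domainB.net
# Assumptions: ActiveDirectory + DnsClient modules present; DnsServer module
# check is only attempted when that module is installed locally.
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetForest          # e.g. "domainB.net" (constructed example value)
)

Import-Module ActiveDirectory -ErrorAction Stop

$result = [ordered]@{}

# 1. The trust object as seen from this forest (same data as Get-ADTrust in the question).
$trust = Get-ADTrust -Filter { Name -eq $TargetForest } -ErrorAction SilentlyContinue
$result.TrustFound        = [bool]$trust
$result.TrustDirection    = if ($trust) { $trust.Direction } else { $null }
$result.ForestTransitive  = if ($trust) { $trust.ForestTransitive } else { $null }
$result.SelectiveAuth     = if ($trust) { $trust.SelectiveAuthentication } else { $null }

# 2. DNS: can this host find the other forest's DCs through the _msdcs SRV records?
#    If this lookup returns nothing, the DC locator has nowhere to go and the
#    "cannot contact a domain controller" error follows.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetForest" -Type SRV -ErrorAction SilentlyContinue
$srvOnly = @($srv | Where-Object { $_.Type -eq 'SRV' })
$result.SrvRecordsFound = $srvOnly.Count
$result.SrvTargets      = @($srvOnly | ForEach-Object { $_.NameTarget })

# 3. DC locator: ask nltest directly, which exercises the same path a directory search uses.
$dsgetdc = & nltest.exe /dsgetdc:$TargetForest /force 2>&1
$result.LocatorSucceeded = ($LASTEXITCODE -eq 0)
$result.LocatorOutput    = ($dsgetdc | Out-String).Trim()

# 4. Account placement: the accepted answer found that an account from a child
#    domain of forest A failed while a forest-root account worked, so flag that case.
$forestRoot = (Get-ADForest).RootDomain
$result.ForestRoot          = $forestRoot
$result.AccountDomain       = $env:USERDNSDOMAIN
$result.AccountInRootDomain = ($env:USERDNSDOMAIN -ieq $forestRoot)

# 5. If this box is itself a DNS server, report how it reaches the other forest
#    (conditional forwarder or stub zone), which the second answer asks about.
if (Get-Module -ListAvailable -Name DnsServer) {
    Import-Module DnsServer
    $zone = Get-DnsServerZone -Name $TargetForest -ErrorAction SilentlyContinue
    $result.LocalDnsZoneType = if ($zone) { $zone.ZoneType } else { 'none (relies on recursion or server-level forwarders)' }
}

[pscustomobject]$result | Format-List
```

Read the output top to bottom: a trust that exists but zero SRV records or a failed locator call points at the DNS side (check stub zones or conditional forwarders on every DC, as the second answer suggests); SRV records and a successful locator call combined with AccountInRootDomain = False reproduces the situation the accepted answer describes, where the account's home domain within forest A, not the trust itself, was the problem.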