AD trust issues

SmitaCarneiro posted this 21 August 2017

I have a strange problem here and am hoping someone will help me understand what is going on.

We have a 2 domain forest that I will call A. There are 2 other single domain forests called B and C. C is a test domain that I try to keep as similar to B as possible. I have a 2-way forest trust between A and B, and another 2-way forest trust between A and C.

I got a ticket in about the trust being broken between A and C and checked. I could not add a user or a Universal group from C to a Domain Local group in A. I can see the domain and select the user or group in ADUC, but when I hit OK I get this message:

The Active Directory Domain Controllers required to find the selected objects in the following domain are not available: Domain C fqdn. Ensure the ActiveDirectory Domain Controllers are available, and try to select the objects again.

Nltest, netdom and the AD Domains and Trusts utility all said the trusts were fine. I removed and re-created the trusts but have the same issue.

On the C domain, I can add a user or Universal group from A to a domain local group in C.

I can resolve the DC names of domain C from my machine that is in domain A and vice versa. Test-Connection works between the 2 infrastructure master roles in each domain.

I looked at the ports open between the DCs in both domains and verified with the firewall team that the required ports are open.

So I started thinking of the Infrastructure Master role. All our DCs are also Global Catalogs so I do not know how much of a role the Infrastructure Master actually plays. However, if there was a problem with this role, I would assume I cannot add a member from any other domain. On the A domain however I can add a user from B to a domain local group in A.

I'm not sure what to look at and any pointers would be helpful.

Thanks,

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu

barkills posted this 21 August 2017

In my experience, most trust issues are either DNS or firewall caused.

Can an A DC resolve the global catalog DNS records for C? i.e.

_gc._tcp.<C's FQDN> SRV
_gc._tcp.<C's site>._sites.<C's FQDN> SRV
gc._msdcs.<C's FQDN> A
_ldap._tcp.gc._msdcs.<C's FQDN> SRV

There are 3 SRV records and 1 A record in that list.

If yes, can an A DC connect to the 3268 tcp port on the C DC (which is a GC)? (Microsoft's portqry tool is useful for checking this).

On another line of inquiry, I wonder whether there is any hierarchical DNS relationship between A and C, e.g. A=blah.something.com & C=bit.blah.something.com, or even if you are using explicit UPNs which have that kind of relationship. If there is, then it is possible you have a Kerberos name suffix routing issue. Basically this is giving the trust object in one domain "hints" to help find trusted domains. I provided help on this topic 3 months ago on this list, and here's a link to a specific example on how to setup a name suffix mapping:

https://itconnect.uw.edu/wares/msinf/other-help/faq/cross-forest/#suffixMapping

Brian
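As an added example (not code from the thread or its participants), the checks Brian lists above and the name suffix routing table from the resolution post, run from a DC in the trusting forest; the forest FQDNs, the site name and the DNS server are placeholders, and the netdom /NameSuffixes invocation is the standard syntax but should be confirmed against your netdom version.

```powershell
# Added example, not from the thread: check that a DC in forest A can discover
# and reach the global catalogs of trusted forest C, then show suffix routing.
# Run on a DC in forest A. All names below are placeholders.
param(
    [string]$TrustingForest = 'a.example.lcl',          # placeholder: forest A FQDN
    [string]$TrustedForest  = 'c.example.edu',          # placeholder: forest C FQDN
    [string]$TrustedSite    = 'Default-First-Site-Name', # placeholder: an AD site in C
    [string]$DnsServer      = ''                         # empty = this host's resolver
)

# The 3 SRV records and 1 A record a DC uses to locate a GC in the trusted forest.
$records = @(
    @{ Name = "_gc._tcp.$TrustedForest";                     Type = 'SRV' },
    @{ Name = "_gc._tcp.$TrustedSite._sites.$TrustedForest"; Type = 'SRV' },
    @{ Name = "gc._msdcs.$TrustedForest";                    Type = 'A'   },
    @{ Name = "_ldap._tcp.gc._msdcs.$TrustedForest";         Type = 'SRV' }
)

$gcHosts = @()
foreach ($r in $records) {
    $query = @{ Name = $r.Name; Type = $r.Type; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    $answer = Resolve-DnsName @query
    if (-not $answer) {
        Write-Warning "MISSING: $($r.Type) $($r.Name)"   # DNS problem, stop here
        continue
    }
    Write-Host "OK: $($r.Type) $($r.Name)"
    # SRV answers carry the GC host names in NameTarget; the A glue is filtered out
    if ($r.Type -eq 'SRV') {
        $gcHosts += $answer | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object NameTarget
    }
}

# DNS is fine only if TCP 3268 (GC LDAP) is also reachable on every GC host found.
foreach ($gc in ($gcHosts | Sort-Object -Unique)) {
    $t = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED (firewall?)' }
    Write-Host "TCP 3268 to $($gc): $state"
}

# Name suffix routing for the forest trust as seen from the trusting forest A.
# A suffix listed as disabled or excluded is the symptom reported in the thread.
netdom trust $TrustingForest /domain:$TrustedForest /NameSuffixes:$TrustedForest
```

A missing record points at DNS (conditional forwarders or stub zones for C), a resolved record with TCP 3268 blocked points at the firewall, and only when both pass is the routing table worth reading.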

cduers posted this 21 August 2017

Are lower range dynamic RPC ports open? I had something similar – the network team had opened all of the required ports as in several articles, however it turned out that one of the Domain Controllers (DCs) in the domain was sending lower range dynamic ports while connecting to the other DCs of the local domain. We tried running a specific command to set the higher range dynamic ports on the local DC, which did not resolve the issue. However, when we ended up allowing dynamic RPC (I think it was port 1000 and below) it started working. Stuck me for 3 days :P

Christopher Duers
XL Catlin,
Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx


idarryl posted this 21 August 2017

PortQryUI is your friend: https://www.microsoft.com/en-us/download/details.aspx?id=24009
~Darryl


SmitaCarneiro posted this 22 August 2017

Thank you all for your replies.

Brian, you hit the nail on the head with the UPN suffix.

The 2 domains are completely separate. However we are doing some debugging because of Outlook issues, and the messaging team had asked me to add the purdue.edu suffix to the C domain (the fqdn for this is C.purdue.edu).

On the A domain side (whose fqdn is a.x.lcl), the routing for purdue.edu was disabled for the trust with c.purdue.edu. I did not know this. Once I removed the purdue.edu suffix from the C domain, the routing on A changed automatically to Enabled for c.purdue.edu.

I'm going to do some research on excluding name suffixes from routing now.

Thanks so much!

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu
