I don't trust my trusts

[Ric_]

I have 2 domains, admin and curriculum, and a 2-way non-transitive trust set up between them (I need to have access to shares from both networks on both networks - don't ask!). I know a flat netowrk would be better and just as secure, etc.

My trusts aint working though and I get errors about not being able to find the DCs, etc.

Off I toddled to the MS website and it said to give netdiag a go but it keeps skipping the trust test, even using the command:

Code:

netdiag /debug /test:Trust

Any help is appreciated.

[ChrisH]

Sorry couldnt resist. Im in a funny mood after teh day Ive had :P

[Geoff]

Sounds like a DNS problem. Are the domains in the same forest?

[Ric_]

Come on Geoff! One of thm is a Westfield configured admin domain!

(For all those not in Lancashire - no)

[Geoff]

ok you'll need to add the DNS zone for the first domain as a stub zone to the second domain. You'll then need to do the reverse for the second domain.

You'll also need to allow zone transfers.

[Ric_]

I knew that I'd missed something - will maybe do it tomorrow (been at Lancaster Uni today).

[Ric_]

Okay, tried to create a stub zone to no avail - I simply have a message returned that says:

The zone cannot be created. The request is not supported.

Any more ideas people?

There may be another option to achieve my aim which is to simply have access to shared drivespace on each network from the other network (preferably without requiring further authentication).

[Geoff]

You didn't allow zone transfers.

[Ric_]

Yes I did :P

Zone transfers are allowed on all zones and to any server. I ensured that this was the case before beginning.

[Geoff]

ok, but do they work? Just because you allowed them doesn't mean they do. Check your security settings.

[Ric_]

I still cannot create a stub zone, however I have been able to create a secondary zone.

I have recreated my trust and Windows says that all is fine and dandy, however I cannot aa groups and users from my admin domain to the security permissions on my curriculum domain still. (I can do this on the admin domain with curriculum groups). It is a 2-way trust.

[Geoff]

And the event log says?

[Ric_]

The only related error that I can see is:

Product: Windows Operating System
ID: 5719
Source: NETLOGON
Version: 5.0
Symbolic Name: NELOG_NetlogonAuthNoDomainController
Message: This computer was not able to set up a secure session with a domain controller in domain %1 due to the following:
%2
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

Running 'nltest /dclist:<admin domain name>' returns:

Get list of DCs in domain '<admin domain name>' from '\\<admin server>'.<FQDN> [PDC] [DS] Site: <site-name>
The command completed successfully

[Geoff]

Using a secondary zone implies the domains are in the same forest and therefore there is replication between the domain controllers.

[Ric_]

The way I understand it, a secondary zone is simply a copy of a primary zone on another server. Replication of DNS will occur but it is simply UDP packets - the stub zone was invented to reduce this traffic but since that isn't working for me, I cannot use it.

There must be some permissions somewhere that are preventing my trust working in one direction. I just don't know how best to troubleshoot this since I haven't got much experience in the field of trusts.