Explicit Trust


Sam

Hi there

*not sure if this is the correct group but.....*

I am having a problem on my network after creating a One Way Explicit Trust
between two Win2000 Forests.

The scenario is as follows:

Forest 1
Main Domain: cascades.local (Native Mode)
GC/DC: Win2K SP3

Forest 2
Other Domain: midlandwheel.com (Mixed Mode)
GC/DC: Win2K SP1

NTLM authentication serves the trust, with NetBIOS entries in the WINS
database of both domains. Both domains also have AD integrated DNS, with no
reference to each other; this exists only in WINS.

The problem I *think* lies with the fact that the name of the second domain
is the same as the name of one of my DCs in the first domain, i.e. I have a
server in the first domain called midlandwheel.cascades.local.
Could this cause issues? If so, how do I go about fixing this?
Below are events that show up in the servers log:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5721
Date: 21/07/2003
Time: 15:53:35
User: N/A
Computer: MIDLANDWHEEL
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller
<Unknown> for the domain CASCADES failed because the Domain Controller does
not have an account for the computer MIDLANDWHEEL.
Data:
0000: 8b 01 00 c0 ?..À

Event Type: Error
Event Source: DhcpServer
Event Category: None
Event ID: 1051
Date: 21/07/2003
Time: 16:42:46
User: N/A
Computer: MIDLANDWHEEL
Description:
The DHCP/BINL service has determined that it is not authorized to service
clients on this network for the Windows domain: CASCADES.local.
Data:
0000: 00 00 00 00 ....

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3096
Date: 21/07/2003
Time: 19:03:07
User: N/A
Computer: MIDLANDWHEEL
Description:
The Windows NT domain controller for this domain could not be located.

Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 56
Date: 21/07/2003
Time: 19:03:23
User: N/A
Computer: MIDLANDWHEEL
Description:
The Domain Controller \\MASTER.CASCADES.local (192.168.200.12) in
CASCADES.local returned an incorrectly signed time stamp. If this DC is from
the machine's parent domain then the trust link between the domains may be
broken and must be fixed. If the DC is from this machine's own domain, then
the machine password for this machine is incorrect and should be corrected.
Data:
0000: e5 03 00 00 å...

Thanks to anyone who can help.
Regards
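Reading the pasted events from the defender's side, as an added example that is not Sam's or Steve's code: a small Python triage that parses the Event Viewer text format shown above and flags the NETLOGON 5721/3096 and w32time 56 records, the ones that point at the DC's own machine account and secure channel rather than at client traffic. The rule wording and the two-record sample are my own.

```python
# Added example, not from the thread: triage a Windows 2000 Event Viewer text export
# (the format Sam pasted) for events that point at a broken DC secure channel.
import re

_FIELD = re.compile(r"^(Event Source|Event ID|Computer): ?(.*)$")   # header fields we keep
def parse_events(text):
    """One dict per record; a record starts at 'Event Type:' and its header ends at 'Description:'."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("Description:"):
                break                                   # free text and hex dump follow
            if m := _FIELD.match(line):
                rec[m.group(1)] = m.group(2).strip()
        if "Event Source" in rec and "Event ID" in rec:
            events.append({"source": rec["Event Source"], "event_id": int(rec["Event ID"]),
                           "computer": rec.get("Computer", "")})
    return events

# (source, id) -> meaning for a DC in a trusted/trusting domain; wording is my own summary.
TRIAGE_RULES = {
    ("NETLOGON", 5721): "target DC has no machine account for this computer",
    ("NETLOGON", 3096): "no domain controller could be located for the domain",
    ("w32time", 56): "incorrectly signed time stamp: trust link or machine password broken",
}

def triage(events):
    """Group rule hits per computer; several hits on one host point at its own account or channel."""
    hits = {}
    for ev in events:
        why = TRIAGE_RULES.get((ev["source"], ev["event_id"]))
        if why:
            hits.setdefault(ev["computer"], []).append(f"{ev['source']} {ev['event_id']}: {why}")
    return hits

# Constructed sample: two of the records from the post, trimmed to what the parser reads.
SAMPLE = """Event Type: Error
Event Source: NETLOGON
Event ID: 5721
Computer: MIDLANDWHEEL
Description:
The session setup to the Domain Controller <Unknown> for the domain CASCADES failed.

Event Type: Warning
Event Source: w32time
Event ID: 56
Computer: MIDLANDWHEEL
"""
```

Feeding the full export from the post through `triage(parse_events(...))` leaves the DhcpServer 1051 record out, since it is an authorization problem on the DHCP side, not a secure-channel symptom.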
 
Hi Sam. I am not sure if it would cause a problem or not, but I would not rule
it out - especially for NetBIOS name resolution. I would run dcdiag on the
midlandwheel computer to see what it reports - possibly the problems are unrelated.
You cannot change the name of a domain controller, but if it is not the only domain
controller you could dcpromo it back to a member server. Then change the name and
dcpromo it back to a domain controller [I would do it if it was up to me]. If it has
any FSMO roles it will offload those to another domain controller automatically
during the demotion. I would recommend that you set up DNS name resolution between
the domains also. You can do that by creating a secondary zone for each domain on the
other domain's DNS server or servers. Try posting in the Active_directory newsgroup
also. --- Steve
 
The DC has somehow lost its AD Account, and an event (on the PDC Emulator)
reports that there is no DC to service the subnet it (the troublesome DC)
was associated with and thus a different subnet has been assigned the task to
service logon requests for clients on that site.
I found the following KB article: http://support.microsoft.com/?kbid=248132
So it looks like an OS re-install as I have around 45 DCs in our Branch
office layout.

Regards
--
Sam

 
Interesting. Thanks for reporting back what the problem was. Yeah,
after reading the KB, I would do a reinstall too. -- Steve

 