No Logon servers available for Forest Trust between two 2008 R2 Servers
"The secure channel (SC) reset on Active Directory Domain Controller \\DC1.west.local of domain west.local to domain central.local failed with error: There are currently no logon servers available to service the logon request." This is the message that pops up on both sides of the forest trust when I try to validate the trust between my domains: central.local and west.local. NSlookup works for both, the firewalls have been set to allow all incoming and outgoing by default and all the default rules enabled to allow. Both domains can ping each other by domain name and IP address because DC1.west.local and DC1.central.local have DNS installed and are primaries of their respective domains and secondary for the other. The Net Logon service is running and has been restarted numerous times. I'm out of ideas as to why I can't form a forest trust between my two domains that are located on the same subnet.
February 9th, 2011 3:04pm
I forgot to mention both domains are in their own forest.
February 9th, 2011 3:06pm
Okay, I found out the problem when I did dcdiag. Even though they were both in different domains, my DCs were both named "DC1" (DC1.west.local and DC1.central.local). I renamed them and my forests can form a trust now. Why would that be?
February 9th, 2011 4:19pm
The first thing that came to my mind when I read your initial post was DNS. I actually think with the same name it should work, but it could be that your DNS zones had not yet fully updated, and so your server didn't know where to find central.local ;] I think that could have been the problem. Will have to research more on this, but good that your trust is now working :)
tech-nique
February 9th, 2011 4:41pm
Hello, which option in DNS management did you use to prepare the trust: conditional forwarder, secondary zone or a stub zone?
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 10th, 2011 7:46am
I had the same issue and the culprit was traffic being filtered by the Windows firewalls on each DC. You need ports open end to end between the two DCs involved in forming the trust.

Set up trusts on both sides from the internal forest:
  LDAP (389 UDP and TCP)
  Microsoft SMB (445 TCP)
  Kerberos (88 UDP)
  Endpoint resolution — portmapper (135 TCP)
  Net Logon fixed port: N/A
  Internal domain domain controllers–External domain domain controllers (all ports)

Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only):
  LDAP (389 UDP)
  Microsoft SMB (445 TCP)
  Endpoint resolution — portmapper (135 TCP)
  Net Logon fixed port: N/A
  Internal domain domain controllers–External domain domain controllers (all ports)
February 25th, 2011 10:59am
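A quick way to confirm the TCP ports from the answer above are actually reachable from one DC to the other before retrying the trust. This is an added example, not a script posted by anyone in the thread; the partner DC name and the timeout are placeholders, and the two UDP ports (88 and 389) cannot be confirmed with a plain TCP connect, so they are only noted.

```powershell
# Added example (not from the thread). Run on one DC, pointing at the partner DC.
param(
    [string]$RemoteDc = 'DC1.central.local',   # placeholder: the DC on the other side of the trust
    [int]$TimeoutMs = 3000                     # placeholder: per-port connect timeout
)

# TCP ports the answer above lists as required for creating and validating the trust.
$tcpPorts = @{
    135 = 'RPC endpoint mapper (portmapper)'
    389 = 'LDAP'
    445 = 'Microsoft SMB'
}

foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet does not hang for the OS default timeout.
        $async = $client.BeginConnect($RemoteDc, $port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $state = 'open'
        } else {
            # No SYN/ACK within the timeout, or the connection was refused: firewall or no listener.
            $state = 'blocked, filtered or no listener'
        }
    } catch {
        $state = "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    '{0,5}/tcp  {1,-32} {2}' -f $port, $tcpPorts[$port], $state
}

# Kerberos (88 UDP) and LDAP (389 UDP) have no connect handshake to test here;
# check those against the firewall rules on both DCs.
Write-Output 'Not probed: 88/udp (Kerberos), 389/udp (LDAP) - verify these in the firewall rules.'
```

Any port reported as blocked on either side needs an inbound rule on the target DC and an outbound rule on the source DC before the secure channel reset will succeed.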