Gateway server in non trusted domain

I have been trying to monitor a non-trusted domain from SCOM 2012 R2. All servers are running Server 2012 R2 and this is running in a home lab.
I have added the trusted root certificate to both the gateway server and the SCOM management server.
SCOM Management Server is OM01.Corp.ViaMonstra.Com.
Gateway Server is BMC-DC01.BMC.Intern.
Both of these servers have the trusted root cert for ViaMonstraRootCA.
I then created an OpsMgr certificate by copying the IPsec (offline request) template and making a new template. This has server and client authentication.
I requested this on both the gateway server and the management server and exported it from the user store into the local computer store (with the private key).
I also ran MOMCERTIMPORT on both servers; only one cert showed up on each server, which was the one I created and imported into the Personal area of the local computer store.
I have checked that the FQDN name of the management server appears in the required OpsManager registry keys and also that the required tls2.1 keys are in place.
I have also run the gateway approval tool, which ran with success, and installed the gateway server role using the OpsMgr install media.
I see the event 20053 stating the OpsMgr connector has loaded the specified authentication certificate successfully.
Yet I still get the events 20057, 21001, 20071, 21016.
Any ideas what else I can try?

Try these:
1) http://social.technet.microsoft.com/Forums/ie/en-US/e478b734-b631-4daa-a752-e4557ad21fd7/gateway-unable-to-connect-to-management-server?forum=operationsmanagergeneral
2) http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&docname=c03381439
3) http://www2.wolzak.com/index.php/news-mainmenu-2/10-opsmanager/15-the-opsmgr-connector-could-not-connect-to-msomhsvcrms01local
4) http://www.assemblein.info/system-center/steps-to-resolve-scom-2012-gateway-server-error-unmonitored-state/
Thanks, S K Agrawal

Similar Messages

  • Documentation on setting up DP, MP in non-trusted domain USING HTTPS

    Is there any documentation that specifically talks about setting up a site system in a non-trusted domain with a management point and distribution point, and communication using HTTPS?
    I see some examples but none of them talk about the certificates that are required on the DP and MP in the non-trusted site server.
    Thanks Lance

    Hi Jason,
    I am stumped (and not a certificate guru) and not sure how to get certs based on the Config Manager Web Server template and Config Manager Distribution Client template into the machine (secondary MP/DP) that is in the untrusted domain. I hear you about the untrusted domain part not making a difference. Our secondary MP/DP in the untrusted domain does have the root certificate in the trusted root store.
    I have tried the MMC certificates snap-in, certreq, and have tried to go directly to the CA (https://caserver/certsrv), but in neither case do the Config Manager Distribution Client nor Config Manager Web Server templates show up.
    Conversely, in the domain where the CA server resides, I can request both of these certs in the MMC certificate plugin.
    I am certain I am missing something.
    We used this technet document to setup the certificate templates, etc.
    http://technet.microsoft.com/en-us/library/gg682023.aspx
    Thanks Lance

  • OSD Across a Non-Trusted Domain

    Hello All,
    Thank you in advance for the help. I am trying to validate a configuration I would like to put in place for a client.
    The client has Configuration Manager 2012 set up to manage computers in a non-trusted domain with no MPs in the non-trusted domain. There are DPs in the non-trusted domain. The site runs in an HTTPS configuration for these clients. We have configured a subordinate CA in their forest that trusts the CA in the forest that hosts the ConfigMgr site servers, and all certs are working fine.
    My question: Will OSD function correctly for computers in the non-trusted domain? Or do I need to have an MP in the non-trusted domain as well?
    Thanks!

    Hi Jason,
    Yes, you are correct - there are multiple HTTP MPs that are reachable from the non-trusted forest's computers on the intranet. There is also an HTTPS MP in the DMZ which is reachable from the internal network as well (we use split-brain DNS for this). The DMZ MP in HTTPS mode can handle the requests from the non-trusted forest's clients, and I envision DPs being configured in the non-trusted forest's domain in HTTPS mode to provide the DP service for the non-trusted domain's clients.
    One of the other respondents indicated that they believed this config would work as long as the client could reach a PXE-enabled DP. I don't see a reason this won't work as well with a boot image with a cert on it or via Software Center, right?
    Does this configuration sound kosher?
    Thank you!

  • Distribution/management point in non trusted domain

    Hoping somebody can clarify a situation for us on distribution points on a machine in a non-trusted domain.
    We are assuming that this distribution point uses the same certificate that the primary distribution point uses.
    Is this correct? When we try this it says that the certificate is already in use and asks whether we want to continue.
    Thanks in advance.
    Thanks Lance

    Hi,
    Please configure the CEP/CES web service; the following blog is for your reference.
    https://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    Best Regards,
    Joyce Li

  • Hardware requirement for a gateway server

    I plan to put a gateway server in an untrusted domain/forest to manage about 100 servers over there. What's a reasonable hardware config for it? Mainly CPU, RAM and disk space. The gateway server will be built on Server 2012 R2.
    thanks in advance

    Hi,
    I suggest you use System Center 2012 - Operations Manager Sizing Helper to determine the hardware requirement.
    http://www.microsoft.com/en-us/download/details.aspx?id=29270
    Juke Chou
    TechNet Community Support

  • Providing voicemail in a trusted-domain Exchange 2003 - 2010 upgrade

    As a result of a merger, we are upgrading from Exchange 2003 in the same domain as a Unity 5.0 server to an Exchange 2010 server in a trusted domain in a different forest. The Exchange 2003 server is still up, but mailboxes are being moved to the 2010 server. The goal of getting Unity to somehow deliver voicemail to the users who have been moved to the 2010 server in the other domain is only temporary, as we will be replacing our on-premises system with a hosted solution in a couple of months. So I'm looking for something quick, but it doesn't have to be elegant or permanent.
    As Unity cannot connect to a partner Exchange server in a different forest, I see the most likely options as:
    1. Move Unity to the new domain. Wanted to see how easy it would be to do this, as Cisco recommends that the same version of Unity be installed on a server in the new domain as is currently running on the server in the old domain. I believe I have the original install disks, but can't speak to whether or not upgrades have been applied to the current (old) server since it went in 5 years ago.
    2. Convert current subscribers into "Internet Subscribers". This is not currently working, I believe, because Unity's partner server is the 2003 server, which lives in the same domain as the Unity server, but is also a part of the same Exchange group as the 2010 server in the new domain. When I create an "internet subscriber", I'm creating a contact with an email address that already exists in the domain.
    For 1., Cisco says I have to install the same version of Unity in the new domain and then restore the database to it. Would I need to roll back items like the Engineering Special that I just installed? As long as the install disk is for 5.0(1) and the server is currently running 5.0(1), am I OK?
    For 2., is it possible to do anything with Internet subscribers? This seems like it would be easier, but also seems like it's not working because the partner server is not recognizing addresses for the Internet subscribers as external.
    Any assistance or insights would be greatly appreciated.
    Kevin

    Hi,
    We can move the mailbox from Exchange 2003 to Exchange 2010 as a linked mailbox in Exchange 2010. The moved mailbox would be a disabled User Object which is linked to a separate enabled user object in an Account Forest (Exchange 2003 forest).
    We can use the Prepare-MoveRequest.ps1 script in the Shell to prepare the cross-forest mailbox moves:
    https://technet.microsoft.com/en-us/library/ee861103(v=exchg.141).aspx
    Then we can create a remote legacy move request to move mailbox:
    https://technet.microsoft.com/en-us/library/dd876952(v=exchg.141).aspx
    Additionally, for more information about migration from Exchange 2003 to Exchange 2010, please read:
    http://blogs.technet.com/b/schadinio/archive/2010/08/11/exchange-2010-cross-forest-mailbox-moves.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • SQL engine service account in different trusted domain from server?

    Is it possible to use an SQL service account from a different, but still trusted, domain than the one to which the server is joined?  If so, are there any nonstandard configuration settings I need to use?
    I've got this setup running, but when I try to connect with an account from any domain other than the one to which the server is joined, I get the following error:
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    I've created the SPN in the service account's domain, and verified there is both connectivity and a valid trust relationship.  The users I'm testing also have logon permissions for the server.

    Hi AccuMegalith,
    Firstly, it is possible to use an SQL Server service account from a different, trusted domain. We need to note the following configuration. For more details, please review this article: Security Account Delegation.
    1. The service account must be trusted for delegation on the domain controller.
    The following options in Active Directory Users and Computers must be specified in order for delegation to work:
    • The "Account is sensitive and cannot be delegated" check box must not be selected for the user requesting delegation.
    • The "Account is trusted for delegation" check box must be selected for the service account of SQL Server.
    • The "Computer is trusted for delegation" check box must be selected for the server running an instance of Microsoft SQL Server.
    2. The service account must have SPNs registered on the domain controller. If the service account is a domain user account, the domain administrator must register the SPNs.
    Secondly, regarding the above error message ("Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors."), it means that SQL Server was able to authenticate you, but was not able to validate the underlying Windows permissions.
    It could be caused by the Windows login having no profile, or by permissions that could not be checked due to UAC. Please perform the following steps to troubleshoot this issue. For more details, please review this blog.
    1. Run SQL Server Management Studio (SSMS) as administrator and disable UAC.
    2. Check if that login is directly mapped to one of the SQL Server logins by looking into the output of sys.server_principals.
    3. If the login is directly mapped to the list of available logins in the SQL instance, then check if the SID of the login matches the SID of the Windows login.
    Thanks,
    Lydia Zhang
    TechNet Community Support
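Steps 2 and 3 of the reply, as an added PowerShell example that is not part of Lydia's answer: it reads the SID stored with the server-level login in sys.server_principals and compares it with what SUSER_SID() resolves for the same account now, which is where a stale or unresolvable cross-domain account shows up. The function name, the instance name and the account name in the usage line are my placeholders, and the script only reads; it changes nothing on the instance.

```powershell
# Added example (not from the thread). Compares the SID recorded for a Windows login in
# sys.server_principals with the SID SQL Server resolves for that account today.
# Assumptions (mine): the instance and login names are placeholders; System.Data.SqlClient is
# used so no SqlServer module is needed; the caller can connect with Integrated Security.
function Compare-SqlLoginSid {
    param(
        [Parameter(Mandatory)][string]$Instance,    # e.g. 'SQL01' or 'SQL01\INST1' (placeholder)
        [Parameter(Mandatory)][string]$LoginName    # e.g. 'SERVICEACCOUNTDOMAIN\account' (placeholder)
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        [void]$cmd.Parameters.AddWithValue('@name', $LoginName)

        # Step 2 of the reply: is the login mapped at all? (U = Windows user, G = Windows group)
        $cmd.CommandText = "SELECT sid FROM sys.server_principals WHERE name = @name AND type IN ('U','G')"
        $stored = $cmd.ExecuteScalar()
        if ($null -eq $stored -or $stored -is [DBNull]) {
            return [pscustomobject]@{ Login = $LoginName; Mapped = $false; StoredSid = $null; CurrentSid = $null; SidMatches = $false }
        }

        # Step 3: which SID does Windows resolve for the account right now? NULL here means
        # SQL Server could not translate the name at all (for example a broken trust path).
        $cmd.CommandText = "SELECT SUSER_SID(@name)"
        $current = $cmd.ExecuteScalar()
        $currentBytes = if ($current -is [byte[]]) { $current } else { $null }

        # Render the binary SIDs as S-1-5-... strings so a mismatch is readable in the output
        $toSddl = { param([byte[]]$b) (New-Object System.Security.Principal.SecurityIdentifier($b, 0)).Value }
        [pscustomobject]@{
            Login      = $LoginName
            Mapped     = $true
            StoredSid  = & $toSddl $stored
            CurrentSid = if ($currentBytes) { & $toSddl $currentBytes } else { $null }
            SidMatches = [bool]$currentBytes -and
                         ([System.BitConverter]::ToString($stored) -eq [System.BitConverter]::ToString($currentBytes))
        }
    }
    finally { $conn.Close() }
}

# Usage (placeholder names). Mapped=True / SidMatches=False is the stale-SID case of step 3;
# Mapped=True / CurrentSid empty means the name could not be resolved through the trust at all.
Compare-SqlLoginSid -Instance 'SQL01' -LoginName 'SERVICEACCOUNTDOMAIN\account' | Format-List
```

Run it from a session that itself can connect with Windows authentication. A stale stored SID (account deleted and recreated, or migrated with a new SID) is fixed on the SQL side by dropping and recreating the login; an unresolvable name points back at the trust and SPN checks in the first half of the reply rather than at SQL Server.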

  • Windows Server 2012 R2 non-default domain admin limitations

    Environment: Windows Server 2012 R2
    Problem: members of the Domain Admins group are restricted in ways the default domain admin account is not. This is with or without UAC disabled; there are even more prompts with UAC enabled. Here are two examples:
    1. Attempt to copy to Public Desktop. The built-in domain admin or local admin account can do so without restriction; any other member of the Domain Admins group is prompted for administrator permission (although clicking Continue proceeds without actually requiring further authentication/permission).
    2. Right-click -> Properties of a hard drive in Explorer is missing the Shadow Copies tab for a non-default Domain Admin. Yes, I can simply right-click the drive and go to Configure Shadow Copies, so this one is not so important. But it is an inconsistency that means I have to access things just a bit differently...
    This topic first appeared in the Spiceworks Community

    I have already replied to that here: https://social.technet.microsoft.com/forums/windowsserver/en-US/b57abf72-90e6-44d7-93a5-0e57cb5404c9/nic-teaming-with-ws2012-ad
    I still do not see an MS statement saying that it is supported for DCs.
    Ahmed MALEK

  • Gateway server not able to authenticate

    Hello SCOMMers :)
    I have an issue with my SCOM 2012 R2 system that I just can't get my head around.
    We just purchased a brand new SCOM server that I have migrated our environment to, moved the databases and reporting server, and finally I got things up and running after some issues with the DB move.
    So I now have 2 SCOM management servers in my environment and four gateway servers. The gateway servers are communicating with the old SCOM server and I want to move them over to the new SCOM server.
    I ran the PowerShell commands from this TechNet article and thought everything was under control. But none of the GW servers started communicating with the new SCOM server.
    I have of course checked the certificates, hosts file, DNS and firewalls, and I reran the MOMCertImport.exe utility. I also checked that the certificate serial number was correctly inserted into the registry after MOMCertImport.exe was run (HKLM\Software\Microsoft\Microsoft OperationsManager\3.0\Machine Settings, binary value named ChannelCertificateSerialNumber contains the serial number of the certificate in reverse order).
    Still I was unable to get the GW server to communicate with the correct management server, so I decided to reinstall the GW server so I could set the name of the new SCOM management server during the GW setup. Before I did the reinstall I ran Microsoft.EnterpriseManagement.GatewayApprovalTool.exe with the /Delete parameter; the command ran successfully.
    When I do the install I still cannot get the communication up and running; the GW server gives me the following errors in the event log.
    The GW server appears in my Management Servers list but stays in the Not monitored state.
    Event ID: 20057
    Failed to initialize security context for target MSOMHSvc/<ServerFQDN> The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
    Event ID: 20071
    The OpsMgr Connector connected to tmg-app92.mg.local, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Event ID: 21001
    The OpsMgr Connector could not connect to MSOMHSvc/<ServerFQDN> because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
    Event ID: 21016
    OpsMgr was unable to set up a communications channel to <ServerFQDN> and there are no failover hosts. Communication will resume when <ServerFQDN> is available and communication from this computer is allowed.
    I have installed new certificates on both GW and management server, and I did the SCOM GW installation multiple times, but the issue is the same and the event log errors are also the same.
    Does anyone have any clue as to what might be wrong?
    Thanks!
    Bjørn

    Hi,
    After you delete the gateway with Microsoft.EnterpriseManagement.GatewayApprovalTool.exe, the gateway object is only marked as deleted in the databases. Therefore, try to use a different name for the newly installed gateway, so the old parameters will not be associated with the new gateway.
    For the communication\certificates problems check these links:
    http://blog.coretech.dk/msk/common-issues-when-working-with-certificates-in-opsmgr/
    http://www.assemblein.info/system-center/steps-to-resolve-scom-2012-gateway-server-error-unmonitored-state/
    http://www.eventid.net/display-eventid-21016-source-OpsMgr%20Connector-eventno-8983-phase-1.htm
    Natalya

  • SCOM Agents in DMZ via Gateway Server

    I need to monitor all the web servers in our DMZ by placing a Gateway Server between them and the SCOM RMS.
    Just a simple question I have: do I need to install certificates on all my web servers in the DMZ to talk to the SCOM Gateway Server or not?
    If I need certificates on all my DMZ web servers then what is the purpose of a gateway server?
    Thanks

    Hi There,
    The certificate installation depends on the scenario.
    Scenario 1# If the Gateway server is in the domain but the servers in the DMZ are not part of the domain: we need a certificate for each server to create trust with the Gateway server. Otherwise the Gateway may not authenticate agent servers due to the domain mismatch. And AD authentication is a must while installing Agents.
    Scenario 2# If the Gateway Server and Agent Servers are in the same domain in the DMZ: in this scenario we need to have a certificate only for Agent Servers, not for Agent Servers, as the agents will be authenticated using AD (due to the same domain).
    Scenario 3# If neither the Gateway server nor the Agent Servers are in a domain: in this case we need to issue a certificate for each server, including the Gateway Server. In this scenario the Gateway server will work as a mediator for communication only (in a manner of speaking).
    Be aware that the Gateway server concept can be avoided with servers in the DMZ that are not in the domain, but this will increase the security risk by authorizing multiple endpoint rules in the firewall.
    Below link will give you more info about Gateway servers and its uses.
    http://technet.microsoft.com/en-us/library/hh212823.aspx
    http://technet.microsoft.com/en-us/library/hh230684.aspx
    Thanks,
    Goutam Nepak

  • Gateway server can't communicate with management server

    Hi all,
    I have some issues with a gateway server. I've installed the new server following the Microsoft documentation. I've added the new server in the Ops console; I can see it, but it is unmonitored. I've installed the same certificate on both servers in the Trusted store (computer).
    On the GW I've checked that 5723 is open. On the GW I have these errors:
    EV 20057, OpsMgr Connector
    Failed to initialize security context for target MSOMHSvc/computer The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    EV 20057, OpsMgr Connector
    Failed to initialize security context for target MSOMHSvc/computer The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    EV 21001, OpsMgr Connector
    The OpsMgr Connector could not connect to MSOMHSvc/copscomsvr01.corp.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
    EV 20071, OpsMgr Connector
    The OpsMgr Connector connected to copscomsvr01.corp.local, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Any ideas?

    Hi,
    Please check the registry. Go to the OPS reg hive and check if the FQDN name is supplied for the Networkname and AuthenticationName. If this doesn’t match your certificate common name you will get the 20071 event.
    Just change it and restart the OpsMgr service.
    More details:
    https://michelkamp.wordpress.com/2012/01/05/solving-the-gateway-20071-event/
    Regards,
    Yan Li
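The registry checks from these two gateway threads (the reversed ChannelCertificateSerialNumber value Bjørn describes above, and the NetworkName/AuthenticationName values Yan Li points at here), together with the certificate properties the original question lists (private key, server and client authentication, a trusted chain), as one read-only PowerShell script. This is an added example, not code from either thread or from Microsoft; the function name, the registry path I use for the parent health service entries, the EKU OIDs, and the assumption that the gateway certificate lives in LocalMachine\My are mine.

```powershell
# Added verification script (not from the thread). Reports the values the replies tell you to
# check and never changes anything; fix-ups are still done by hand as the replies describe.
# Assumptions (mine): the "Parent Health Services" registry path below, the EKU OIDs, and that
# the gateway's own certificate is in Cert:\LocalMachine\My.
function Test-OpsMgrGatewayCertConfig {
    param(
        [Parameter(Mandatory)][string]$ManagementServerFqdn   # the MS this gateway should talk to
    )
    $result = [ordered]@{}

    # 1. ChannelCertificateSerialNumber (path and reverse byte order as stated in Bjørn's post)
    $msKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $raw = (Get-ItemProperty -Path $msKey -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    $cert = $null
    if (-not $raw) {
        $result.SerialInRegistry = $null          # MOMCertImport was not run, or wrote nothing
    } else {
        $bytes = [byte[]]$raw
        [array]::Reverse($bytes)                  # undo the reversal so it compares to X509 SerialNumber
        $serial = -join ($bytes | ForEach-Object { $_.ToString('X2') })
        $result.SerialInRegistry = $serial
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
    }
    $result.CertificateFound = [bool]$cert

    # 2. Properties of that certificate the original question relies on
    if ($cert) {
        $result.Subject       = $cert.Subject
        $result.HasPrivateKey = $cert.HasPrivateKey
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        $oids = @()
        if ($ekuExt) {
            $oids = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                    ForEach-Object { $_.Value }
        }
        $result.ServerAuthEku = $oids -contains '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
        $result.ClientAuthEku = $oids -contains '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
        $result.ChainVerifies = $cert.Verify()                         # chains to a root this machine trusts
        # The name on the cert is what the peer sees; it should be this host's FQDN
        $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        $certDns   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $result.CertNameMatchesLocalFqdn = ($certDns -ieq $localFqdn)
    }

    # 3. Parent health service entries: NetworkName / AuthenticationName must be the MS FQDN
    #    (Yan Li's reply: a mismatch with the MS certificate common name gives event 20071).
    #    Path is my assumption; the reply only says "the OPS reg hive".
    $parentRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups'
    $entries = Get-ChildItem -Path $parentRoot -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.PSPath -like '*\Parent Health Services\*' }
    $result.ParentEntries = @(foreach ($e in $entries) {
        $p = Get-ItemProperty -Path $e.PSPath
        [pscustomobject]@{
            Key                = $e.PSChildName
            NetworkName        = $p.NetworkName
            AuthenticationName = $p.AuthenticationName
            BothAreFqdn        = ($p.NetworkName -like '*.*') -and ($p.AuthenticationName -like '*.*')
            MatchTarget        = ($p.NetworkName -ieq $ManagementServerFqdn) -and ($p.AuthenticationName -ieq $ManagementServerFqdn)
        }
    })
    [pscustomobject]$result
}

# Usage: run on the gateway, elevated. MS name taken from the original question.
$check = Test-OpsMgrGatewayCertConfig -ManagementServerFqdn 'OM01.Corp.ViaMonstra.Com'
$check | Format-List
$check.ParentEntries | Format-Table -AutoSize
```

Read it as a checklist: CertificateFound false with a serial present means MOMCertImport picked a certificate that is no longer in the store; ChainVerifies false is the missing root from the first question; a ParentEntries row with BothAreFqdn or MatchTarget false is the 20071 case Yan Li describes, corrected by editing those two values and restarting the Microsoft Monitoring Agent (HealthService) service.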

  • Install agent between trusted domain

    I just installed the SCOM 2012 agent on a domain B server. The management server is located in domain A. Both domains already have a two-way trust. After the agent was installed, the domain B server can't communicate with the SCOM management server. Checked: no firewall issue, and automatic approval of manually installed clients is set on the SCOM server. Please advise.

    The only way is to install a Gateway server using a CA certificate in domain B to communicate with the MS in domain A, and then have all agents in domain B report to the gateway server.
    You may refer to the following blogs for how to deploy a gateway server in an untrusted domain:
    http://systemcentering.blogspot.hk/2011/11/steps-for-deploying-scom-to-untrusted.html
    http://jimmoldenhauer.blogspot.hk/2012/11/scom-2012-install-and-configure-gateway.html
    http://scompanion.wordpress.com/2012/10/18/gateway-server-install-for-another-untrusted-domain/
    Roger

  • Add non-AD Domain

    We have Exchange set up for our AD domain. We have some non-AD domains that we need to accept mail on using Exchange 2013. How do I set this up in Exchange 2013?
    I have added these domains in accepted domains, but when I try to add users I can only select from the AD domain.

    If you want to add users from a different domain to the Exchange server then you need to create a trust between those domains.
    If you want to have email addresses for the non-domain users then create an email address policy and add the accepted domain that you have created.
    This will take care of stamping the Exchange SMTP address on the user account.
    But if you want a mailbox for those non-domain users (e.g. a user located in Novell or Linux) then you need to manually import the user list into the Active Directory console, then add them in Exchange server for mailbox creation.
    If you want to have only the UPN suffix name of the non-domain then add the additional UPN suffix in the Active Directory console.
    Exchange Queries

  • Network challenge - trusted domains

    Within my organization, I have two domains A and B. There is a Classic ASP web intranet application hosted on an IIS server in Domain B (Windows Authentication enabled, all other authentication modes disabled). As far as I know, A and B are in a domain trust relationship.
    The problem here is, when users logged in to Domain A try to access the web application mentioned above, it prompts for the Domain B user id and password. My understanding is that since both domains are trusted, Domain A users should also be able to access the web application. Please suggest any possible reasons for this behavior.

    The App Pool Identity seems to be one using Classic Mode, and it has "No Managed Code" selected. The application hosted is developed using Classic ASP.
    This has nothing to do with the identity.
    REF: Application pool identity
    The site is not added in the IE trusted zones - we cannot do this on all client computers. I am looking for whether there exists some Active Directory/Network setting that displays this prompt.
    You can do it with a GPO, but in the meantime you can do it manually on a client just for troubleshooting purposes.
    REF: How to configure Internet Explorer security zone sites using group policies
    Not sure whether the IIS host is trusted for delegation or not. Could you please let me know what it does?
    Delegation allows IIS to request a Kerberos ticket on behalf of the user.
    Some info here: http://www.adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx

  • Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

    Hi,
    A SharePoint 2010 backup has been taken from production and restored through the Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
    But the problem is that SharePoint is not working correctly. We cannot create any new web application, and we cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and User Profile services of the existing web application are not working. Checking the SharePoint logs I found the exception below.
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)  0x2D24  SharePoint Foundation  Database  8u1d  High  Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)  0x2D24  SharePoint Foundation  Topology  2myf  Medium  Enabling the configuration filesystem and memory caches.
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)  0x12AC  SharePoint Foundation  Database  8u1d  High  Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)  0x12AC  SharePoint Foundation  Topology  2myf  Medium  Enabling the configuration filesystem and memory caches.
    11/30/2011 12:14:55.54  mssearch.exe (0x0864)  0x2B24  SharePoint Server Search  Propagation Manager  fo2s  Medium  [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes)  [indexpropagator.cxx:1607]  d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx
    11/30/2011 12:14:55.99  OWSTIMER.EXE (0x1DF4)  0x1994  SharePoint Foundation  Topology  75dz  High  The SPPersistedObject with Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.     at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip...
    11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)  0x1994  SharePoint Foundation  Topology  75dz  High  ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)  0x1994  SharePoint Foundation  Topology  8xqx  High  Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)  0x1994  SharePoint Foundation  Timer  2n2p  Monitorable  The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.     at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administrati...
    11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)  0x1994  SharePoint Foundation  Timer  2n2p  Monitorable  ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64 currentVe...
    Please guide me on the above issue ,this will be of great help
    Thanks.

    I have the same error. Verified the trust, ports, cleaned up the cache... nothing has helped.
    The problem is caused by the User Profile Synchronization Service:
    UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.     at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[] identifier, T grantRightsMask, T denyRigh...
    08/23/2014 13:00:20.96* w3wp.exe (0x2204)  0x293C  SharePoint Portal Server  User Profiles  eh0u  Unexpected  ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)     at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
    Please let me know if you have found any solution for this.
    Regards,
    Kunal
