Problem creating external trust between domains

When I try to create a one-way incoming external trust between 2 domains (to DomainA from DomainB) in separate forests I get this info:
This domain already has a one-way trust relationship with specified domain.
But I cannot see it in the list of trusts, either incoming or outgoing (in both domains).
For sure the trust was never set up before.
In DomainA there are several other external non-transitive trusts with other domains. But for sure DomainB does not have any incoming or outgoing trusts on the list. Name resolution between domains is OK. I can ping the domain name on both sides.
Any help is welcome.

Were there error events logged in Event Viewer? Besides, did we open the necessary firewall ports for creating an external trust?
Regarding firewall ports, the following thread can be referred to for more information.
Creating external trust between domain on different forest
Best regards,
Frank Shen
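A way to check both of Frank's points at once, as an added example that is not part of the original thread: it lists what each side actually holds for a trust (the trustedDomain object under CN=System and the interdomain trust account named PARTNER$), which is where a half-deleted trust hides when the wizard says one already exists but the Trusts tab shows nothing; it then tests the fixed ports trust creation needs against the other side's PDC emulator and pulls recent Netlogon/LSA events. The names dc1.domaina.example and domainb.example are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module
# and Test-NetConnection (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory

function Get-TrustArtifacts {
    param([Parameter(Mandatory)][string]$Server)   # a DC of the domain to inspect
    $dom = Get-ADDomain -Server $Server
    # trustedDomain objects are what the Trusts tab lists.
    # trustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional.
    $tdo = Get-ADObject -Server $Server -SearchBase "CN=System,$($dom.DistinguishedName)" `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, flatName, trustDirection, trustType, whenCreated
    # Interdomain trust accounts carry userAccountControl bit 0x800 (2048) and are
    # named <PARTNER>$. One of these left behind without its trustedDomain object
    # (or the reverse) is a stale half of a trust and should be investigated
    # before the trust is created again.
    $ita = Get-ADObject -Server $Server -SearchBase $dom.DistinguishedName `
        -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))' `
        -Properties sAMAccountName, whenCreated
    [pscustomobject]@{
        Domain        = $dom.DNSRoot
        TrustObjects  = $tdo | Select-Object Name, trustPartner, flatName, trustDirection, trustType, whenCreated
        TrustAccounts = $ita | Select-Object sAMAccountName, whenCreated
    }
}

function Test-TrustPorts {
    param([Parameter(Mandatory)][string]$RemoteDomain)
    # Trust setup talks to the partner domain's PDC emulator, so test that host.
    $pdc = (Get-ADDomain -Server $RemoteDomain).PDCEmulator
    # Fixed ports; RPC (135) additionally needs the dynamic range 49152-65535,
    # which a single-port probe cannot prove open.
    $ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
                389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos password change' }
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $pdc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ PDC = $pdc; Port = $p; Service = $ports[$p]; Open = $r.TcpTestSucceeded }
    }
}

function Get-TrustEvents {
    param([int]$Hours = 24)
    # Netlogon and LSA log trust errors to the System log of the DC that ran the wizard.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = @('NETLOGON', 'LsaSrv')
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Run on a DomainA DC before retrying the wizard, then repeat on DomainB with the names swapped.
Get-TrustArtifacts -Server 'dc1.domaina.example' | Format-List
Test-TrustPorts -RemoteDomain 'domainb.example' | Format-Table -AutoSize
Get-TrustEvents | Format-Table -AutoSize -Wrap
```

If a trustedDomain object or PARTNER$ account shows up on a side that lists no trust, that is the object the wizard is complaining about; confirm its origin before removing anything.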

Similar Messages

  • Unable to create Trust between domains

    Scenario: I am trying to build a 2-way trust between two Windows forests.
    Highest OS in both domains is Win 2008 R2.
    FFL and DFL in both is Win2003.
    I added forwarders in DNS in both - it is resolving.
    I disabled Antivirus.
    I stopped Windows firewall on all the DCs of the domains and there are no network-level port restrictions.
    I am able to ping all DCs from each of the DCs in both domains.
    After doing all of the above I am unable to create the trust - in the trust wizard it is not identifying the domain names.
    Another thing is I have a Primary zone that exists in the name of each of the domain names, i.e. In I have another Primary zone created in, Likewise in I have primary zone . Will this be an issue? If not, guidelines please...

    >>In I have a Primary zone created as, Likewise in I have primary zone .
    you create these Primary zones? Is there a zone in
    >>I am unable to put Conditional forwarders because I have a Primary zone exists in name of each of the domain name
    there is DNS zone of another domain then we cannot create a conditional forwarder for the other domain.
    suggest you check the SRV Records. You can try to restart the netlogon services to re-register SRV records. More specifically, in the command prompt, type net stop netlogon to stop netlogon services, then type net start netlogon to start netlogon services.
    Best Regards,

  • Moving SP2013 and SQL2008R2 to new domain - no trusts between domain

    I'm looking to move a customized installation of SharePoint 2013 (Microsoft Server 2012 Std VM) and its db (SQL 2008 R2 VM) from one domain to another domain. There will be no trust between the domains and assume that no users or service accounts will be migrated. Has anyone performed a similar operation? If so, can you provide guidance as to the best way to tackle this situation. Currently we plan on exporting the SP2013 VM from the old domain, importing (re-creating) that VM in the new domain and importing the DB to an existing SQL server in the new domain. My concern is being able to log in to Central Admin afterwards because the domain accounts are no longer valid. Should we change all accounts to local admins first, detach the db and change those accounts as well? Or would a totally different approach make more sense? Any help would be appreciated.
    Thanks in advance,

    You need to build a new SharePoint farm, changing SharePoint server's domain membership isn't supported.
    What you'll do is build a new farm, create the Web Application(s), etc. and then restore SQL database backups from the old farm into the new farm.
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Do I need to enable trust between domains in the following scenario

    I have a domain x and domain y on 2 separate machines. My client logs into domain x, does stuff and logs out. The same client now logs into domain y and needs to do stuff, but the second domain kicks out the client by throwing an exception saying "invalid subject" etc. But the same scenario works if I enable trust between both domains or have my client restart. What should I do so that the client can log out of domain x and log in to domain y without having to enable trust between domain x and y and without having to restart the client?

    Hi Mike,
    there is no switching circuitry on the UMI, that could disable the Iso Power outputs and there is nothing you need to configure in MAX. If you can't measure a voltage between Iso Power and Iso Common pins on the Dsub outputs, the UMI might be defective (e. g. blown fuse). Please contact your local NI branch for repair options.
    Thanks and kind regards,

  • Removing External Trust Type Domain

    We are in the process of planning our 2003 to 2012R2 AD upgrade, yea I know, and we have a legacy External Domain that I wish to collapse.
    The domain is set up with an external, non-transitive trust.
    It also shows another domain that we no longer have in the Trusts tab, showing Realm for trust type and Yes for transitive.
    My question is: when we DCPromo the last DC in the external domain, are the trust settings removed automatically or do I need to ‘remove’ them on both sides of the trust prior to the DCPromo process? Or does removing one side remove the other side's settings?
    Any concerns about the user account being used? In each case I have an account in both domains that is a Domain Admin with the same name but different passwords.
    Should I sync these PWs up for this process?
    Also, am I correct in the thought that collapsing the external trust domain should not have any effect on my primary domain that is still in place, or are there other points that I should be aware of in this process?

    Yes, I would agree with the others, you could remove the External Trust.
    How to Remove Existing Active Directory Trust Relationships
    Open the Active Directory Domains And Trusts console.
    In the console tree, right-click a domain that is specified in the trust relationship to be removed and select Properties from the shortcut menu.
    Click the Trusts tab.
    Use the Domains Trusted By This Domain (Outgoing Trusts) box to select the trust to be removed.
    Click the Remove button alongside the box.
    In order to remove the trust from the local domain only, click the No, Remove The Trust From The Local Domain Only option, and click OK.
    In order to remove the trust from the local domain and the other domain, click the Yes, Remove The Trust From Both The Local Domain And The Other Domain option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK.
    Click Yes to verify the desire to remove the trust relationship.
    Use the Domains That Trust This Domain (Incoming Trusts) box to select the trust to be removed.
    Choose the appropriate option in the Active Directory dialog box and click OK.
    Click Yes to verify the desire to remove the trust relationship.
    Please feel free to let us know if you need further assistance.

  • No authentication prompt using DFS links to fileserver into another domain with no trusts between both domains

    Users, fileservers and the DFS root with DFS links in Domain A all work fine.
    Each user from Domain A also has credentials and passwords for Domain B.
    There is NO trust between Domain A and Domain B; both Domains are in different sites connected with a VPN tunnel.
    Project data is stored on fileservers in both Domains. Now DFS links are added in Domain A to a fileserver from Domain B.
    When a user from Domain A connects to the fileserver in Domain B, first he/she gets a prompt to authenticate, then the DFS link to the fileserver in Domain B works.
    When users just use the DFS link they get a prompt "not accessible" + "Logon failure unknown user or bad password".
    No prompt is given to users from Domain A to enter the credentials for Domain B.
    We cannot create a trust between these 2 Domains due to other policies.

    According to your description, there is no trust between domain A and domain B, right?
    Based on my research, if there is no trust between domains/forests, then it is not possible to share information across domain boundaries, because without trust, no authentication traffic can be passed across the domain/forest.
    That is why the user cannot access the file he has rights to access across domain.
    Here is an article below for your references:
    Trust Technologies
    I hope this helps.
    Amy Wang

  • By default, which right has a user on a "external trusted" domain ?

    I would like to know what the rights are for users in DomA when a bidirectional external trust is in place with DomB.
    By default, is the user in DomA a member of "DomB\Domain Users" (otherwise, how can the user in DomA list the users in DomB, for example)?
    Are there any specific things to know if DomB is at the Win2000 compatibility domain/forest level?
    I know this resource and this but didn't find my answer.
    Thank you ! :)

    I've created many trusts in my day and they can get confusing... quickly...
    #1 Who is the "trusting Domain" (who is saying "yeah I, domA, will let DomB in the door")
    #2 Who is the "trusted domain" (who is "walking through the door (DomB)")
    *** I know you said "bidirectional" but it helps you visualize the "security trust" for what is actually required. **
    #3 Is that "Domain User" part of a Group? Is the Group Domain or Universal? Only certain types of groups can work across a trust.
    #4 Are you doing a domain level trust or a forest level trust? External trusts are "domain to domain". However the domains can exist in separate, non-related forests.
    If you do a two-way domain External trust -- Domain Users from DomA can access all the resources on DomB, if explicitly provided they have access to those resources. What I mean by that is if Domain User Doesn't have domain admin privileges in DomA, it won't get domain admin privileges to DomB and vice versa.
    This is where the trick is though. In a two-way domain External Trust -- All domain / enterprise admins in DomA will have domain /enterprise admin access in DomB and vice versa. They can grant themselves privileges to any servers and resources.
    This is why one way trusts are popular...because you only want to let one domain into the other domain. "big brother" type of trust.
    Kind of make sense?
    Entrepreneur, Strategic Technical Advisor, and Sr. Consulting Engineer - Strategic Services and Solutions Check out my book - Powershell 3.0 - WMI: | Mastering PowerShell Coming in April 2015!

  • Global Trust Between WebLogic Domains ?

    Hi there,
    Need clarification on "Global Trust between WebLogic domains".
    My scenario:
    WebLogic Version installed:
    Linux physical machines: 2
        x - machine
        y - machine
    Now, I've created a new domain with AdminServer and 2 managed servers on x-machine, and 2 more managed servers on y-machine.
        x-machine --> AdminServer + 2 managed servers
        y-machine --> 2 managed servers
    Created a cluster for all the 4 managed servers.
    My question: Though we have created 2 domains -
        Domain 1 - on x-machine where we have Admin + 2 nodes
        Domain 2 - on y-machine where we have 2 nodes
    Now, do we need to create/enable "Global trust" between these domains so they can communicate? And enable cross-domain security also? Is this required?
    Or in which situations do we need to enable trust between domains?
    Can someone explain this to me?

    Looking to this Oracle Doc >>
    "Typical tasks required to manage a messaging bridge using the Administration Console include
    Creating a trusted security relationship. See "Configuring Domains for Inter-Domain Transactions" in Programming JTA for Oracle WebLogic Server"
    And, clicking the link to Configuring Domains for Inter-Domain Transactions, there's two types of communications:
    Inter-domain—The transaction communication is between servers participating in transactions that are not in the same domain.
    Intra-domain—The transaction communication is between servers participating in transactions within the same domain
    Check the rest of the doc to know how to configure each type, and apply the one that matches your case..
    Hope it helps

  • What role does a trust contact when creating a trust

    When I create a trust between ForestA/DomainA in networkA to ForestB/DomainB/NetworkB
    Does it contact the closest GC or does it contact the PDC role?

    So on my internal forest/domain on physical network (A)
    I have a DC which pretty much holds all the roles.
    Then on another physical network, call it (B), I have another writable DC which does not hold any roles other than GC.
    Then on the DMZ network of this physical network (B), I have a new forest/domain and a new writable DC.
    The writable DC on this network B has rules to allow communication between the DMZ network DC and the writable DC. When creating a trust between this DMZ DC on network (B), does the writable DC need communication to the PDC on network (A)?
    I cannot validate the trust right now.

  • How to create Trust between two domain

    How to create Trust between two domain:
    please help

    By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are defined in the following table. However, there are many other types of AD trust; please refer to the following KB to determine which type you need:
    Trust types
    More relate KB:
    Creating Domain and Forest Trusts
    The related third party article:
    How to configure Forest Level Trust in Windows Server
    Hope this helps.

  • Authentication needed after doing trust between two different domains.

    Hi There,
    I have a problem when I did the trust relationship between two different domains in two different forests. In the trust relationship steps all are working: two-way trust, external trust, stub zone created in both domains and they are validated on both sides. My problem is with the objects: they can't be retrieved from one side but they can be from the other side. For instance:
    NY domain can get the users and computers of 2012DC1
    but 2012DC1 can't get the users and computers of NY.
    Date and time are the same. I am always getting this error:
    The session setup from computer '2012DC1' failed because the security database does not contain a trust account '' referenced by the specified computer.  
    If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and '' is a legitimate machine account for the computer '2012DC1' then '2012DC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:
    If '' is a legitimate machine account for the computer '2012DC1', then '2012DC1' should be rejoined to the domain.  
    If '' is a legitimate interdomain trust account, then the trust should be recreated.  
    Otherwise, assuming that '' is not a legitimate account, the following action should be taken on '2012DC1':  
    If '2012DC1' is a Domain Controller, then the trust associated with '' should be deleted.  
    If '2012DC1' is not a Domain Controller, it should be disjoined from the domain.
    Can you please help me with this error.
    Thank You in advance.

    "The session setup from computer '2012DC1' failed because the security database does not contain a trust account '' referenced by the specified computer. "
    This belongs to the machine 2012DC1 in and not to the other domain from your trust. It seems to me that you are mixing up the trust with the problems of the machine 2012DC1 in
    In this error message 2012DC1 has lost the trust to its OWN domain and therefore you have to find the reason. How exactly was this machine installed?
    Or was there a restore on that machine from not supported type of backup like image/clone/snapshot?
    Best regards
    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Enabling Trust Between WebLogic Server Domains

    Hi everyone,
    We have two sites, each one running one WL 8.1 instance. The problem is that we have different users in each one, and they need to access both sites (using a RMI call).
    When the user is created in both sites, there is no problem. But we do not want to replicate all users in all sites.
    So this is what we are trying to do:
    Create the user in one site and enable trust between Weblogic Server domains (giving both sites the same password), so once one user is authenticated, the other site will not try to authenticate this user again. But since this user does not exist in the other site, he has no permission to do anything at all. Because of that we receive the following error message: "User a7ax does not have permission on br to perform lookup operation."
    Does anyone have any idea about how we can handle this, and enable the users to use other sites, without creating the user in both sites?
    Thanks in advance.

    In order to debug this issue you need to determine which kind of security has been applied on the web service deployed on the remote WebLogic server.
    Does it require a username/password from the calling web service?
    Or does it require some kind of digital certificate from the calling web service, etc.?
    The most usual scenario where cross-domain security is required is this:
    A user Test calls a service ServiceA on WebLogic domain domainA, provides its credentials and is authenticated properly.
    Then, if this service needs to call another service ServiceB on another WebLogic domain DomainB which is also secured, a cross-domain trust should be enabled between the domains DomainA and DomainB so that the subject populated in domainA can be transferred to DomainB.
    Now you should determine whether this is the scenario you are trying to achieve or it is something else.
    Also try to use the following debug flag in DomainB, where the provider service is deployed, to get the exact reason why it is failing the security check.
    This debug flag is enabled as JAVA_OPTIONS.

  • Two-way forest trust between two (single domain) forests with multiple identical user ID's

    Domain and forest levels - Windows 2003 (they both have one 2008 R2 DC)
    We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each other's resources through a S2S. Users have the same login names and passwords on both forests/domains. Now, we are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user ID's, or computer name in each of the forests.
    I'm looking into the AD migration tool to copy the user SIDs (SID history?) between forest/domain, deleting the user ID's in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should something go wrong.
    Any suggestions for the easiest way to setup this forest trust?

    To eliminate your worries, two user accounts having the same user name doesn’t mean that they have the same SID. Moreover, the user’s SID remains the same even after it has been renamed.
    The SID for a domain account/group consists of a Domain Identifier and a Relative Identifier. The Domain Identifier is unique for every domain within a forest, and a Relative Identifier is unique within the domain. It is unlikely that two user accounts with or without the same account name from two forests have the same SID.
    The Technet article you mentioned is talking about duplicate SIDs instead of “duplicate computer name or user account”, I will submit a change request to Microsoft about this.
    If there are duplicate SIDs when you create forest trust, you need to delete one of them as the article guides.
    Here are some related articles below for your references:
    How Security Identifiers Work
    Security Identifier Structure
    Security Identifier
    I hope this helps.
    Amy Wang
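The Domain Identifier + RID structure Amy describes, applied to the original poster's situation, as an added example that is not part of the thread: it splits each SID into its domain identifier and RID and reports, for accounts that share a name across the two forests, whether the SID is actually identical (the only case that blocks a forest trust). The two SID lists are constructed sample data; the Split-Sid and Find-DuplicateSid function names are mine.

```powershell
# Added example, not from the thread. In practice fill the hashtables from each
# forest with, e.g., Get-ADUser -Filter * -Server <forest> | ForEach-Object { @{ $_.SamAccountName = $_.SID.Value } }
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is the S-1-5-21-<domain identifier> prefix; it is $null for
    # well-known SIDs such as S-1-5-18, which are identical everywhere by design.
    $domain = $obj.AccountDomainSid
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = if ($domain) { $domain.Value } else { $null }
        Rid       = [int]($Sid -split '-')[-1]   # Relative Identifier, last sub-authority
    }
}

function Find-DuplicateSid {
    param([hashtable]$ForestA, [hashtable]$ForestB)   # account name -> SID string
    $shared = $ForestA.Keys | Where-Object { $ForestB.ContainsKey($_) } | Sort-Object
    foreach ($name in $shared) {
        $a = Split-Sid $ForestA[$name]
        $b = Split-Sid $ForestB[$name]
        [pscustomobject]@{
            Account       = $name
            SameDomainSid = ($a.DomainSid -eq $b.DomainSid)
            SameRid       = ($a.Rid -eq $b.Rid)
            DuplicateSid  = ($a.Sid -eq $b.Sid)   # only a true duplicate matters to the trust
        }
    }
}

# Constructed sample: identical user names in both forests but distinct domain
# identifiers (jsmith even has the same RID), plus one account whose SID is a
# genuine duplicate, as would happen if one domain were cloned from the other.
$forestA = @{
    'jsmith'  = 'S-1-5-21-1234567890-987654321-1357924680-1105'
    'mjones'  = 'S-1-5-21-1234567890-987654321-1357924680-1106'
    'svc-sql' = 'S-1-5-21-1234567890-987654321-1357924680-1200'
}
$forestB = @{
    'jsmith'  = 'S-1-5-21-2468013579-1122334455-3344556677-1105'
    'mjones'  = 'S-1-5-21-2468013579-1122334455-3344556677-1321'
    'svc-sql' = 'S-1-5-21-1234567890-987654321-1357924680-1200'
}
Find-DuplicateSid -ForestA $forestA -ForestB $forestB | Format-Table -AutoSize
```

In the sample only svc-sql reports DuplicateSid = True; jsmith and mjones share a name but not a SID, which is why same login names alone do not block the trust.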

  • Member server in a domain connected with external trust. The agent operation failed, DPM could not communicate with the DPM agent. Error ID 270

    I manually installed the agent on a member server in a domain (domainB) that has an external trust with the domain the DPM 2010 server, , is in.
    I pointed the agent on myprotectedserver with setdpmserver -dpmservername
    I successfully ran attach-productionserver.ps1 in DPM Management Shell.
    When I click refresh in DPM 2010 Administrator Console/Management/Agents I get error id: 270
    The agent operation failed on because DPM could not communicate with the DPM protection agent. The computer may be protected by another DPM server, or the protection agent may have been uninstalled on the protected computer.
    If is a workgroup server, the password for the DPM user account could have been changed or may have expired.
    I can ping from
    DPM 2010 backup of the works fine.
    The application log on does not show any DPMRA related event logged.
    The firewall on myprotectedserver is off.
    Computers in domainA and domainB use their own networks connected through a router.
    from mydpmserver
    net view \\ /all - successful
    sc \\ query  OpenSCManager FAILED 5, Access is denied
    wmic / OS list brief Error 0x80070005, Access is denied
    sc \\ query  successful
    wmic / OS list successful
    Any suggestions on how I can fix this?

    I know this is old but are you still having a problem?

  • How do i reset a domain external trust

    Does anyone know if this command should be working?
    netdom trust local_domain /d:remote_domain /ud:domain\local_admin /pd:* /uo:domain\remote_admin /po:* /reset /verbose
    I keep getting the below, and yet I was able to create the external trust with these 2 accounts.
    netdom trust trustingDomain /d:trustedDomain /ud:domain\local_admin /pd:* /uo:domain\remote_admin /po:* /reset
    Type the password associated with the domain user:
    Type the password associated with the object user:
    Access is denied.
    The command failed to complete successfully.

    PDC and FSMO are not the same role. Even if the PDC is an NT legacy, it is still used by trust relationships.
    In fact you can create the trust relationship without the PDC available, but in this case the trust is not completely validated (especially with 2003). You receive a "temporary" validation which expires 30 days after the creation.
    This link should be good to check the PDC:
    To check Tombstone:
    What is the output of netdom verify? :
