DinkytoyMemberJun 15, 2011 at 11:25 am #155072
It’s not like the last one, promise :).
Ok I have a two site domain that is trusted by another two site domain based in our DMZ. LAN.local and DMZ.local lets say.
The two domains have a common site name ‘DMZ’ and a single RODC sat in the common DMZ site.
All ports are open between RODC and all domain controllers in both sites/domains. This is temporary while troubleshooting is completed, to be restricted down to ipsec later. The RW DCs do not have cross domain communications direct to each other.
The trust is up and running but has the following symptoms.
1. If I add a LAN user group to Administrators restricted group in group policy to give my local admins admin access I get the following and it fails to add the group and thus I can not login.
In the event log
Security policies were propagated with warning. 0x6fc : The trust relationship between the primary domain and the trusted domain failed.
In the winlogin.log
—-Configure Group Membership…
Error 1788: The trust relationship between the primary domain and the trusted domain failed.
Error occurred during lookup of all accounts.
2. If I login to the server and add the same group to Administrators on a test server it takes it and allows me to login as a member of that group, but produces the following warning and error in the local event log.
Warning: CN=Admin One,OU=Admins,DC=lan,DC=local from a different forest logged onto this machine. Cross Forest Group Policy processing is disabled and loopback processing has been enforced in this forest for this user account.
Error: Windows cannot determine the computer name. (Access is denied. ). Group Policy processing aborted.
If I drop the remote group the processing completes as expected.
3. On the DMZ.local DC I get the following Netlogon errors occasionally.
The session setup to the Windows NT or Windows 2000 Domain Controller \RODC-1.lan.local for the domain LAN failed because the Domain Controller did not have an account capital.acl.dmz. needed to set up the session by this computer DMZ-DC1.
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.
In addition almost all the cross domain groups are being display in the DMZ.local domain as SIDs rather than the appropriate name. I don’t know if this is expected.
I get the feeling that it’s probably something simple that I’m missing like a permission somewhere or a policy setting. I’ve googled it to death and not found anything helpful, everything seemed to come back to NT4 articles.
Anyone got any suggestions? I’m so close on this frustrating project I’ll be glad to see the back of it.
You must be logged in to reply to this topic.