No Logon servers available for Forest Trust between two 2008 R2 Servers

    Question

  • "The secure channel (SC) reset on Active Directory Domain Controller \\DC1.west.local of domain west.local to domain central.local failed with error: There are currently no logon servers available to service the logon request."

    This is the message that pops up on both sides of the forest trust when I try to validate the trust between my domains: central.local and west.local.

    NSlookup works for both, the firewalls have been set to allow all incoming and outgoing by default and all the default rules enabled to allow.

    Both domains can ping each other by domain name and IP address because DC1.west.local and DC1.central.local have DNS installed and are primaries of their respective domains and secondary for the other. The net logon service is running and has been restarted numerous times.

    I'm out of ideas as to why I can't form a forest trust between my two domains that are located on the same subnet. 
    Wednesday, February 09, 2011 7:58 PM

Answers

  • Okay, I found out the problem when I did dcdiag. Even though they were both in different domains, my DCs were both named "DC1" (DC1.west.local and DC1.central.local). I renamed them and my forests can form a trust now. Why would that be?
    • Marked as answer by Bruce-Liu Friday, March 04, 2011 5:16 AM
    Wednesday, February 09, 2011 9:19 PM
  • The first thing that came to my mind when I read your initial post was DNS. I actually think with the same name it should work, but it could be that your DNS zones had not yet fully updated, and so your server didn't know where to find central.local ;] I think that could have been the problem. I will have to research more on this, but good that your trust is now working :)
    tech-nique
    • Marked as answer by Bruce-Liu Friday, March 04, 2011 5:16 AM
    Wednesday, February 09, 2011 9:41 PM
  • I had the same issue and the culprit was traffic being filtered by the Windows firewalls on each DC.

    You need ports open end to end between the two DCs involved in forming the trust.

    Set up trusts on both sides from the internal forest
      Ports: LDAP (389 UDP and TCP), Microsoft SMB (445 TCP), Kerberos (88 UDP), Endpoint resolution — portmapper (135 TCP)
      Net Logon fixed port: N/A
      Source–destination: Internal domain domain controllers–External domain domain controllers (all ports)

    Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only)
      Ports: LDAP (389 UDP), Microsoft SMB (445 TCP), Endpoint resolution — portmapper (135 TCP)
      Net Logon fixed port: N/A
      Source–destination: Internal domain domain controllers–External domain domain controllers (all ports)

    • Marked as answer by Bruce-Liu Friday, March 04, 2011 5:15 AM
    Friday, February 25, 2011 3:59 PM

All replies

  • I forgot to mention both domains are in their own forest.
    Wednesday, February 09, 2011 8:00 PM
  • Hello,

    which option in DNS management did you use to prepare the trust: conditional forwarder, secondary zone or a stub zone?

    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, February 10, 2011 12:40 PM
  • Okay, I found out the problem when I did dcdiag. Even though they were both in different domains, my DCs were both named "DC1" (DC1.west.local and DC1.central.local). I renamed them and my forests can form a trust now. Why would that be?

    VERY useful

    thanks sir

    Sunday, March 25, 2012 12:09 PM
  • Hello,

    using the same names, even in different domains/forests, as in your case DC1.domain1.com and DC1.domain2.com, results in a NetBIOS name of DC1 for both, which may create the conflict. NetBIOS is used during the trust creation process, and this results in a conflict with the same name appearing twice.

    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sunday, March 25, 2012 12:28 PM
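    An added diagnostic, not code from the thread, that checks from one DC the two causes raised here: the TCP ports in the firewall answer above and the NetBIOS name collision Meinolf describes. The host names are the thread's; the function name and the port table are my own assumptions, and UDP 389/88 is left to a manual firewall-rule check because a TCP connect cannot probe it.

```powershell
# Added example, not code from the thread: checks the two causes discussed in
# this thread from one DC. Host names are the thread's; adjust as needed.
# Runs on PowerShell 2.0 (Windows Server 2008 R2), so it avoids
# Test-NetConnection and Resolve-DnsName, which arrived in later versions.
$LocalDc   = 'DC1.west.local'      # assumed local DC
$PartnerDc = 'DC1.central.local'   # assumed partner DC in the other forest

# 1. NetBIOS collision: the NetBIOS name is the first DNS label, cut to
#    15 characters, case-insensitive, so both of these DCs register as "DC1".
function Get-NetBiosHostLabel([string]$Fqdn) {
    $label = $Fqdn.Split('.')[0]
    if ($label.Length -gt 15) { $label = $label.Substring(0, 15) }
    return $label.ToUpperInvariant()
}
$localNb   = Get-NetBiosHostLabel $LocalDc
$partnerNb = Get-NetBiosHostLabel $PartnerDc
if ($localNb -eq $partnerNb) {
    Write-Warning "Both DCs register the NetBIOS name '$localNb'; rename one before creating the trust."
} else {
    Write-Host "NetBIOS names differ ($localNb / $partnerNb): OK"
}

# 2. DNS: the partner DC must resolve from this DC before anything else works.
try {
    $addr = [System.Net.Dns]::GetHostAddresses($PartnerDc) | Select-Object -First 1
    Write-Host "$PartnerDc resolves to $addr"
} catch {
    Write-Warning "Cannot resolve ${PartnerDc}: $_"
    return
}

# 3. TCP ports from the firewall answer (DCs listen on TCP 88 as well). UDP 389
#    and 88 cannot be probed with a TCP connect; verify those rules manually.
$tcpPorts = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($PartnerDc, $port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch { $ok = $false }
    finally { $client.Close() }
    $state = if ($ok) { 'open' } else { 'blocked or unreachable' }
    Write-Host ("TCP {0,-4} {1,-20} {2}" -f $port, $tcpPorts[$port], $state)
}
# Once names and ports check out, reset the secure channel and validate the
# trust again in Active Directory Domains and Trusts:
#   nltest /sc_reset:central.local
```

    Run it on each DC with the two names swapped, since the trust is validated from both sides.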
  • Okay, I found out the problem when I did dcdiag. Even though they were both in different domains, my DCs were both named "DC1" (DC1.west.local and DC1.central.local). I renamed them and my forests can form a trust now. Why would that be?

    confirmed

    Regards,

    Costa Mitri

    MCSE : Server Infrastructure 2012

    MCSE : Messaging 2013

    Monday, February 24, 2014 5:26 PM
  • Thank you very much!

    I had this issue in my virtual environment... naming the Domain Controllers dc.contoso.com and dc.adatum.com turned out to not be a very good idea.

    Monday, April 28, 2014 7:31 AM
  • Works perfect... thanks a lot for solving this problem :)
    9 hours 14 minutes ago