Problem with setting up a two-way forest trust

    Question

  • Hello,

    I have a problem setting up a two-way forest trust relationship between two forests. I have ForestA and ForestB. ForestA's root domain name is domain1.com and ForestB's is sub.domain1.com.

    Although sub.domain1.com looks like a child of domain1.com, it is not a child domain. It is a separate forest. Both domain names look the same.

    There is an Organizational Unit named "Library_Clients_OU" in ForestB, and I have a Group Policy named "Library_Clients_GPO" that is linked to "Library_Clients_OU". I also have about 20 Windows 10 Ent. computers that were added to "Library_Clients_OU".


    My goals are:

    + ForestA and ForestB users can authenticate to the Windows 10 computers in "Library_Clients_OU" (to do this, I need a two-way forest trust)

    + If users from both forests authenticate to "Library_Clients_OU"'s computers, they must be affected by "Library_Clients_GPO" (to do this, I need to set 'Allow Cross-Forest User Policy and Roaming User Profiles' in the GPO settings, but the two-way cross-forest function must work properly. Again, we need a two-way forest trust)

    + Thanks to the "Loopback Policy" option, users from both forests are affected only by the "Library_Clients_GPO" User Group Policy. There is no need to do this for the Computer Group Policy. (To do this, I need a two-way forest trust)


    Observed Problems:

    When I attempt to create the "two way forest trust", the two trust names appear in the "Active Directory Domains and Trusts" window on the ForestA and ForestB Domain Controllers. The trusts seem to have been established, but this error message appears at the end:

    ---
    Cannot Continue:

    The attempt to read the names claimed by the specified domain has failed.

    The operation failed. The error is: The security database on the server does not have a computer account for this workstation trust relationship.
    ---

    To check the trusts, I tried to log in to a computer in "Library_Clients_OU" as user1@sub.domain1.com, and the user logged in successfully. But the ForestA user, user1@domain.com, could not log in.


    + The Domain Controllers have different NetBIOS names
    + Both sides' functional levels are Windows Server 2008 R2
    + The Domain Controllers run the same OS (2008 R2)
    + There are no replication problems between the Domain Controllers within each forest
    + There are no time sync errors between the DCs
    + The Domain Controllers are up to date





    P.S.
    To achieve the goals, I tried a different way, like this: I set up a one-way trust as shown below:

    [ForestA] One Way Incoming Trust <------------------< One Way Outgoing Trust [ForestB]

    I created a one-way trust like this, and when I ran a login test for both forests' users, they logged in successfully! But "Library_Clients_GPO" didn't work with ForestA users. It has only worked with ForestA users. It doesn't work with cross-forest users, because the 'Allow Cross-Forest User Policy and Roaming User Profiles' option requires a "two way forest trust".



    Any bright ideas?


    Thanks in advance.

    Regards
    Hakan Orcan

    • Edited by Hakan Orcan Monday, February 20, 2017 6:56 PM
    Monday, February 20, 2017 6:48 PM

Answers

  • Hi Stu, 

    I think I missed something at this point. :) As you mention, DNS can be the key solution here, because I didn't check or configure any DNS configuration on the DCs.

    I'll check them tomorrow. 

    Thank you.

    Hakan


    • Edited by Hakan Orcan Monday, February 20, 2017 8:56 PM
    • Marked as answer by Hakan Orcan Tuesday, February 21, 2017 9:51 AM
    Monday, February 20, 2017 8:55 PM

All replies

  • Hi Hakan,

    In each root domain, do the DCs have the other forest's DNS servers configured as additional DNS? Also, there is no firewall traffic being blocked between the two forests, is there?

    Cheers,

    Stu

    Monday, February 20, 2017 8:02 PM
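The two things Stu asks about (name resolution of the other forest and firewall rules between the forests) can be checked from a DC before the trust wizard is run again. The script below is an added example, not from the thread or from Microsoft; it is written to run on a ForestA DC (domain1.com) and the IP addresses in it are assumed placeholders. The DnsServer and NetTCPIP cmdlets it uses exist only on Server 2012 and later; the dnscmd and nltest/netdom lines work on 2008 R2 as well.

```powershell
# Added example (not from the thread): DNS, port and trust checks for a cross-forest trust.
# Run on a ForestA domain controller (domain1.com). The names come from the thread;
# the IP addresses are assumed placeholders for this example.
$ThisForest     = 'domain1.com'
$OtherForest    = 'sub.domain1.com'   # ForestB root domain
$OtherForestDns = '10.0.2.10'         # assumed: a DNS server / DC in ForestB
$ThisForestDns  = '10.0.1.10'         # assumed: a DNS server / DC in ForestA

# 1. Can this DC locate a domain controller in the other forest?
#    The trust wizard and every later cross-forest logon go through the DC locator,
#    which needs the other forest's _msdcs SRV records to resolve from here.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$OtherForest" -Type SRV -ErrorAction SilentlyContinue
nltest /dsgetdc:$OtherForest /force

# 2. If step 1 fails, this DNS server has no path to ForestB's zone. Because sub.domain1.com
#    sits underneath domain1.com, for which ForestA's DNS is authoritative, a delegation in the
#    domain1.com zone that points to ForestB's DNS servers is the clean fix on the ForestA side:
#    Add-DnsServerZoneDelegation -Name $ThisForest -ChildZoneName 'sub' `
#        -NameServer "dc1.$OtherForest" -IPAddress $OtherForestDns
#    On the ForestB side, a conditional forwarder for domain1.com is enough:
#    Add-DnsServerConditionalForwarderZone -Name $ThisForest -MasterServers $ThisForestDns -ReplicationScope 'Forest'
#    On 2008 R2 the same conditional forwarder is created with dnscmd:
#    dnscmd /ZoneAdd domain1.com /Forwarder 10.0.1.10

# 3. Ports a forest trust needs between the DCs. A firewall that blocks one of these lets the
#    wizard create the trust objects and then fail when it reads the other forest's claimed names.
#    RPC also needs the dynamic range (49152-65535 on 2008 R2 and later), which is not probed here.
$TrustPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
$Blocked = foreach ($port in $TrustPorts) {
    $probe = Test-NetConnection -ComputerName $OtherForestDns -Port $port -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $port, $(if ($probe.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    if (-not $probe.TcpTestSucceeded) { $port }
}
if ($Blocked) { Write-Warning "Ports blocked towards ${OtherForestDns}: $($Blocked -join ', ')" }

# 4. Once the trust exists, verify the secure channel from this side and list which name
#    suffixes are routed across it; a suffix that shows as disabled or conflicting cannot be
#    used for cross-forest logons.
netdom trust $ThisForest /domain:$OtherForest /verify
netdom trust $ThisForest /domain:$OtherForest /namesuffixes:$OtherForest
```

Step 4 is worth running even after the wizard succeeds: ForestB's name is subordinate to ForestA's, so the name suffix routing output is the place to confirm that sub.domain1.com is actually routed, which is what a ForestA computer needs to find a ForestB user at logon.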