Troubleshooting the creation of a cross forest trust between DSFW and AD

  • 7004608
  • 06-Oct-2009
  • 30-Oct-2013

Environment

Novell Open Enterprise Server 11 SP1 (OES 11SP1) Linux
Novell Open Enterprise Server 2 SP3 (OES 2SP3) Linux
Domain Services for Windows
DSFW

Situation

What should I do to prepare for and troubleshoot the creation of a cross forest trust?
Troubleshooting the creation of a cross forest trust.

Resolution

  1. Follow the steps in the DSFW documentation in section 15.2, Cross-Forest Trust Relationships.
    OES11.x Documentation

  2. Verify that DNS is configured properly using nslookup. Use nslookup to resolve the AD domain from the DSfW DC, then the DSfW domain from the AD DC, and finally reverse-lookup the DSfW DC's IP address from the AD DC.
    Example:
    AD domain is ad.domain and DSFW domain is dsfw.domain in this example.

    nslookup ad.domain - from DSfW server
    nslookup -query=any _ldap._tcp.dc._msdcs.ad.domain - from the DSfW server
    nslookup dsfw.domain - from AD server
    nslookup 10.1.0.5 - from AD server (reverse lookup of the DSfW DC)
    nslookup -query=any _ldap._tcp.dc._msdcs.dsfw.domain - from the AD server

  3. Turn on remote registry access in AD if it is disabled.

  4. Verify that the guest account in DSfW is enabled. It is enabled by default. The guest account in AD will be disabled, and that is fine; only the guest account in DSFW matters here. The guest account in DSFW has to remain enabled for the trust to keep working against AD.

  5. If a domain was created and then removed, a trustedDomain object might remain in the System container. Using ADSI Edit, check the System container in the AD domain for a trustedDomain object for the DSfW domain. If it exists, delete it. Do the same in DSFW using iManager or ConsoleOne.

  6. Run a LAN trace and ndstrace with +debug on the DSFW server for further troubleshooting, and look up the errors seen in the traces.

  7. If a trust is removed and then re-established, make sure the trust object in the cn=users container is removed before creating the trust again. The object looks like a user object named after the AD domain with a $ at the end.
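The DNS checks of step 2, scripted for the DSfW DC side as an added example (this is not code from the TID or from Novell). It assumes the TID's example names ad.domain and dsfw.domain, uses -query=srv rather than -query=any, and, going slightly beyond step 2, also checks the DSfW DC's own SRV record from the DSfW side; the parsing functions accept both Linux and Windows nslookup output, so output pasted from the AD DC can be checked the same way.

```shell
#!/bin/sh
# Added example, not from the TID: wraps the step-2 DNS checks run on the
# DSfW DC (Linux) and parses nslookup output so each check reports PASS or
# FAIL. Domain names are the TID's example values (ad.domain, dsfw.domain);
# replace them with your own.
AD_DOMAIN="ad.domain"
DSFW_DOMAIN="dsfw.domain"

# Print one DC host name per line from nslookup SRV output. Accepts both the
# Linux form ("... service = 0 100 389 dc1.ad.domain.") and the Windows form
# ("svr hostname   = dc1.ad.domain"), so pasted AD-side output parses too.
srv_hosts() {
    printf '%s\n' "$1" | awk '/service = |svr hostname/ { sub(/\.$/, "", $NF); print $NF }'
}

# Return 0 when nslookup output shows a resolver failure rather than an answer.
lookup_failed() {
    printf '%s\n' "$1" | grep -qiE "can.t find|NXDOMAIN|no servers could be reached|SERVFAIL"
}

# Forward lookup: $1 = label, $2 = name to resolve.
check_name() {
    out=$(nslookup "$2" 2>&1)
    if lookup_failed "$out"; then echo "FAIL  $1"; return 1; fi
    echo "PASS  $1"
}

# SRV lookup: also requires at least one DC host in the answer. Uses
# -query=srv instead of the TID's -query=any, which many resolvers refuse.
check_srv() {
    out=$(nslookup -query=srv "$2" 2>&1)
    hosts=$(srv_hosts "$out")
    if lookup_failed "$out" || [ -z "$hosts" ]; then
        echo "FAIL  $1 (no SRV answer)"; return 1
    fi
    echo "PASS  $1 -> $(printf '%s' "$hosts" | tr '\n' ' ')"
}

# DSfW-side checks from step 2. The AD-side checks (dsfw.domain, the reverse
# lookup of the DSfW DC, and its SRV record) are run with nslookup on the AD DC.
main() {
    rc=0
    check_name "AD domain resolves from the DSfW DC" "$AD_DOMAIN" || rc=1
    check_srv  "AD DC SRV record" "_ldap._tcp.dc._msdcs.$AD_DOMAIN" || rc=1
    check_srv  "own DSfW DC SRV record" "_ldap._tcp.dc._msdcs.$DSFW_DOMAIN" || rc=1
    return $rc
}

case "${1:-}" in --run) main ;; esac
```

Run it on the DSfW DC with `sh dsfw_dns_check.sh --run`; a non-zero exit means at least one check failed, and the FAIL line names which record to fix before attempting the trust.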