Domain – DC with two-way forest trust does not see objects from another forest

Tags: active-directory, domain, trust-relationship

I have 2 forests – domainA.com and domainB.net. A two-way trust is set up on each. When I try to search for objects located in domainB.net from domainA.com, it gives me the following error:

The system cannot contact a domain controller to service the
authentication request.

If I try searching the other way round (in domainA.com from domainB.net), everything works.

Here are some tests I've run so far:

C:\Windows\system32>nltest /sc_verify:domainB.net
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DCNAME.domainB.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

PS C:\Windows\system32> Get-ADTrust -filter {name -eq "domainB.net"}

Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=domainB.net,CN=System,DC=domainA,DC=com
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : domainB.net
ObjectClass             : trustedDomain
ObjectGUID              : 4cfb2e5b-6c89-05a0-bb33-64fec64344e4
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=domainA,DC=com
Target                  : domainB.net
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           : 
TrustingPolicy          : 
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

There are also 3 other forests with the same settings as domainB.net, and I get the same error with them.

I'm new to forest trust relationships, so any help is appreciated.

Best Answer

I've found the root of the issue. In forest A there are a couple of domains, and the account from which I tried to list forest B resources belonged to a domain C inside forest A, although the account was in the Enterprise Admins group. The problem was solved by creating an account in the forest A root domain. Thanks for the help.
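A diagnostic script for the situation in the question and the accepted answer, added here as an example; it is not from the original post or its author. It assumes the RSAT ActiveDirectory module and nltest.exe on a domain-joined host in forest A, and that domainB.net is the root domain of the trusted forest; the $RemoteForest and $RootCredential parameter names and the Test-CrossForestLookup helper are my own. It reports which domain the calling account belongs to relative to the forest root, lists the trustedDomain objects as seen from every domain in the local forest (including the SID filtering and selective-authentication flags shown in the Get-ADTrust output above), locates a DC in the remote forest and verifies the secure channel, and then runs the cross-forest lookup that failed in the question, optionally a second time under a forest-root account so the two outcomes can be compared without logging off.

```powershell
# Added diagnostic example; not part of the original question or answer.
# Assumes: RSAT ActiveDirectory module, nltest.exe, a domain-joined host in forest A,
# and that $RemoteForest is the root domain of the trusted forest (domainB.net in the post).
param(
    [string]$RemoteForest = 'domainB.net',
    # Optional: credentials of an account in the local forest root domain, to repeat the
    # failing lookup the way the accepted answer fixed it. Parameter name is my own.
    [System.Management.Automation.PSCredential]$RootCredential
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which domain is the calling account in, and is that the forest root?
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$netbios  = $identity.Name.Split('\')[0]
$forest   = Get-ADForest
$myDomain = Get-ADDomain -Identity $netbios
"Running as $($identity.Name) from domain $($myDomain.DNSRoot); forest root is $($forest.RootDomain)"
if ($myDomain.DNSRoot -ne $forest.RootDomain) {
    "NOTE: this account lives in a child domain of forest $($forest.Name), not in the root domain."
}

# 2. Trust objects as each domain in the local forest sees them.
#    The forest trust object is held by the forest root domain; child domains
#    normally list only their intra-forest (parent/child) trusts here.
foreach ($dom in $forest.Domains) {
    "--- trustedDomain objects in $dom ---"
    Get-ADTrust -Filter * -Server $dom |
        Select-Object Name, Direction, ForestTransitive, IntraForest,
                      SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware |
        Format-Table -AutoSize | Out-String
}

# 3. Can this host locate a DC in the remote forest, and is the trust secure channel healthy?
try {
    $dc = Get-ADDomainController -DomainName $RemoteForest -Discover -ErrorAction Stop
    "Located DC for ${RemoteForest}: $($dc.HostName)"
} catch {
    "DC locator failed for ${RemoteForest}: $($_.Exception.Message)"
}
nltest /sc_verify:$RemoteForest
nltest /domain_trusts /all_trusts

# 4. The lookup that failed in the question, bound explicitly to the remote forest.
#    Returns $true on success so the two runs below can be compared.
function Test-CrossForestLookup {
    param([string]$Target, [System.Management.Automation.PSCredential]$Credential)
    $splat = @{ Server = $Target; ErrorAction = 'Stop' }
    if ($Credential) { $splat.Credential = $Credential }
    $who = if ($Credential) { $Credential.UserName } else { $identity.Name }
    try {
        $d = Get-ADDomain @splat
        "OK as ${who}: bound to $($d.DNSRoot) via $($d.PDCEmulator)"
        return $true
    } catch {
        "FAILED as ${who}: $($_.Exception.Message)"
        return $false
    }
}

$asCurrent = Test-CrossForestLookup -Target $RemoteForest
if ($RootCredential) {
    $asRoot = Test-CrossForestLookup -Target $RemoteForest -Credential $RootCredential
    if (-not $asCurrent -and $asRoot) {
        "Only the forest-root account can bind to ${RemoteForest}: compare the calling account's domain, as in the accepted answer."
    }
}
```

Run it from a host in forest A as the account that gets the error, then again with -RootCredential (Get-Credential) for an account in the root domain. The root-domain account used for the comparison, and any account created as a permanent fix, should be a least-privilege one: reading objects across a trust that has SelectiveAuthentication set to False normally needs no more than authenticated-user rights, so membership in Enterprise Admins, as in the question, is not what makes the lookup work and only widens the blast radius if that account is compromised.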