Secure channel trust verification fails

active-directory, windows-server-2008-r2, windows-server-2012

Working on an issue with setting up a trust between two domains with several firewalls in between, and a pinhole routing between two servers in them.

newdc.newdomain.com is a 2012 server in a brand new domain.
admt.olddomain.local is a 2008R2 server in an existing domain, with two existing domain controllers dc1.olddomain.local and dc2.olddomain.local. This server will be used for, as you might have guessed, the Active Directory Migration Tool (ADMT).

There are firewall rules in place to allow newdc.newdomain.com to talk Active Directory only to admt.olddomain.local both ways. All DNS tests are fine, as are DCDIAGs on both sides.

When creating the trust on admt.olddomain.local I got the following error

The incoming trust has been verified. It is in place and active.
The verification of the outgoing trust failed with the following error(s):
The trust password verification test was inconclusive.
A secure channel reset will be attempted.
The secure channel reset failed with error 1311: There are currently no logon servers available to service the logon request.

The trusts were however created, incoming and outgoing, in both domains. Validating the trust (both ways) on newdc.newdomain.com comes back as verified successfully. However when I attempt to validate the trust from server admt.olddomain.local I get the following error:

The secure channel (SC) reset on Active Directory Domain Controller \dc1.olddomain.local of domain olddomain.local to domain newdomain.com failed with error: There are currently no logon servers available to service the logon request.

The incoming trust was successfully validated.

I can see the issue here: even though I'm performing the validation from admt.olddomain.local, it actually attempts to check the secure channel from dc1.olddomain.local, which cannot communicate with the server newdc.newdomain.com. But is it really an issue? Is there any way to force the validation to take place from admt.olddomain.local? Will we be able to use ADMT with this setup? (We're going to try a test copy using it soon, just to see what happens in the current setup.)

Eventually we're going to rebuild this admt.olddomain.local server into a read-only domain controller for newdomain.com using the same network address and firewall config/network routing, and it will be the only machine able to communicate with dc01.olddomain.local and dc02.olddomain.local. But will we have the same issue, since newdc.newdomain.com can't directly route to either dc01/dc02 to verify the trust?

Thanks for any input on this!

Best Answer

OK, so here is what we ended up doing: rebuilding the AD structure so that newdomain.com had an ADMT/DC server on the same network as the olddomain.com AD servers, then transferring FSMO roles to the new domain server so that the two domains could talk directly between the FSMO masters without all the intervening firewalls messing things up. If you've got everything worked out for DNS, firewalls, etc., and are still getting errors, start looking at whether the FSMO role masters can talk to each other directly!
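The answer's check, "can the FSMO role masters talk to each other directly?", can be turned into a repeatable diagnostic. The script below is an added example written for this page; it is not code from the question or the answer. It assumes the RSAT ActiveDirectory module is installed on the machine it runs on and that the account running it can read both domains; the domain names are the ones used in the question and should be replaced. It lists the FSMO holders on both sides, probes the fixed TCP ports a domain controller needs toward a trusted domain's DCs from the machine you run it on, and then uses nltest's /server: switch to make a specific DC (for instance admt.olddomain.local rather than dc1) verify its own secure channel to the trusted domain.

```powershell
# Added diagnostic script (not from the original question or answer).
# Assumes: RSAT ActiveDirectory module present, account can read both domains.
Import-Module ActiveDirectory

# Domain names taken from the question; replace with your own.
$LocalDomain  = 'olddomain.local'
$RemoteDomain = 'newdomain.com'

# Fixed TCP ports a DC uses toward a trusted domain's DCs (DNS, Kerberos, RPC
# endpoint mapper, LDAP, SMB, Kpasswd, LDAPS, Global Catalog). The dynamic RPC
# range (49152-65535 on 2008 R2/2012) is also required but is not probed here.
$AdPorts = @(53, 88, 135, 389, 445, 464, 636, 3268)

# TCP connect test that also works on PowerShell 2.0 (2008 R2), where
# Test-NetConnection does not exist.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
    } catch {
        $ok = $false
    } finally {
        $client.Close()
    }
    return [bool]$ok
}

# Distinct host names holding any of the five FSMO roles for a domain/forest.
function Get-FsmoHolders {
    param([string]$Domain)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
      $f.SchemaMaster, $f.DomainNamingMaster) | Sort-Object -Unique
}

# 1. Identify who must be able to talk. In the question the validation ran on
#    dc1 rather than on the server the wizard was started from, so the DC that
#    owns the trust (the PDC emulator is the usual one) is what has to reach
#    the other domain, not the machine you click from.
$localFsmo = Get-FsmoHolders -Domain $LocalDomain
"FSMO holders in ${LocalDomain}: $($localFsmo -join ', ')"

try {
    $remoteFsmo = Get-FsmoHolders -Domain $RemoteDomain
    "FSMO holders in ${RemoteDomain}: $($remoteFsmo -join ', ')"
} catch {
    # Failing here already tells you this host cannot query the other domain.
    "Cannot read $RemoteDomain from $env:COMPUTERNAME : $($_.Exception.Message)"
    $remoteFsmo = @()
}

# 2. Probe every remote FSMO holder on every fixed AD port from this host.
$results = foreach ($dc in $remoteFsmo) {
    foreach ($port in $AdPorts) {
        New-Object PSObject -Property @{
            From   = $env:COMPUTERNAME
            Target = $dc
            Port   = $port
            Open   = (Test-TcpPort -TargetHost $dc -Port $port)
        }
    }
}
$results | Format-Table From, Target, Port, Open -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    "Blocked paths from $env:COMPUTERNAME (firewall pinholes to review):"
    $blocked | Format-Table Target, Port -AutoSize
}

# 3. Ask a specific DC to verify its secure channel to the trusted domain,
#    instead of whichever DC the trust wizard picks. Run it once per local
#    FSMO holder (and once for the server you would rather validate from).
foreach ($dc in $localFsmo) {
    "--- nltest secure-channel verification on $dc ---"
    nltest "/server:$dc" "/sc_verify:$RemoteDomain"
}
```

Run it once on each side of the firewall: the port table from dc1.olddomain.local shows which pinholes are missing for the DC that actually performs the reset, and the nltest loop reports error 1311 (no logon servers) on exactly the DCs whose path is blocked, which matches the symptom in the question.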