They do use DNS servers from only their own domain, with each server having a
secondary, non-AD-replicated instance of the opposite zone. So, the
production DNS servers have a secondary for the corporate zone, and
vice-versa.
To complicate matters, our DCs are also our DNS servers, and the DNS
services wouldn't start because...it couldn't authenticate!!! Something of
an endless feedback loop there, I know, but it wasn't problematic before we
added the trust.
"Meinolf Weber" wrote:
> Hello accudave,
>
> Even if the trust is not up and running, it should be possible to work/authenticate
> in the own forest. So all machines in the forest use only DNS servers from
> their own forest?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > We have two forests, production and corporate. Production trusts
> > corporate via a tree-root trust. These domains are in two separate
> > sites, connected by a VPN. There are no "foreign" DCs in either site,
> > e.g. no corporate DCs in the production site.
> >
> > We had a power failure which caused all the production equipment to go
> > offline, and caused problems with the production VPN endpoint such
> > that the tunnel was down after all the servers came back up.
> >
> > The production DCs failed to authenticate anything, even accounts in
> > their own domain, until the VPN was back up and it could contact a
> > corporate DC.
> >
> > We got multiple 40960 errors from LSASRV:
> >
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40960
> > Date: 6/20/2008
> > Time: 3:18:18 PM
> > User: N/A
> > Computer: **********
> > Description:
> > The Security System detected an authentication error for the server
> > ldap/**********. The failure code from authentication protocol
> > Kerberos was "There are currently no logon servers available to service
> > the logon request. (0xc000005e)".
> >
> > Also multiple 5719 errors from NETLOGON:
> >
> > Event Type: Error
> > Event Source: NETLOGON
> > Event Category: None
> > Event ID: 5719
> > Date: 6/20/2008
> > Time: 3:18:18 PM
> > User: N/A
> > Computer: **********
> > Description:
> > This computer was not able to set up a secure session with a domain
> > controller in domain CORPORATE due to the following:
> > There are currently no logon servers available to service the logon
> > request.
> > This may lead to authentication problems. Make sure that this computer
> > is connected to the network. If the problem persists, please contact
> > your domain administrator.
> > I can understand corporate accounts not being able to authenticate,
> > but production couldn't either. All the services with production
> > domain accounts failed on startup because the DCs weren't
> > authenticating until the VPN came back up.
> >
> > Is it normal for DCs in a trusting forest to fail completely when
> > there are no DCs from the trusted forest available? If not, what
> > settings govern this?
> > If it is normal, short of putting a corporate DC in the production
> > datacenter, is there any way around this? I have a paid support case
> > open with Microsoft, but that is proving as productive as beating
> > myself with a cast iron skillet.
> >
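As an added, defender-side example (not code from this thread or from any of its posters): a small Python triage script that parses exported LSASRV 40960 / NETLOGON 5719 event text in the layout quoted above and reports which domain the "no logon servers" failures point at, so you can tell at a glance whether a DC is stuck on the trusted forest rather than failing in its own domain. The sample events, the host names and the home-domain name are constructed; the thread masks the real ones.

```python
import re
from collections import Counter

NO_LOGON_SERVERS = "0xc000005e"  # STATUS_NO_LOGON_SERVERS, the code the 40960 event quotes

# Constructed sample in the thread's export layout; host names are placeholders.
SAMPLE_LOG = """\
Event Source: LSASRV
Event ID: 40960
Description:
The Security System detected an authentication error for the server
ldap/corpdc1.corporate.example. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to service the logon
request. (0xc000005e)".

Event Source: NETLOGON
Event ID: 5719
Description:
This computer was not able to set up a secure session with a domain
controller in domain CORPORATE due to the following:
There are currently no logon servers available to service the logon request.
"""

def parse_events(text):
    """Return [(event_id, domain, status)] for each record that names a logon target."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        eid = re.search(r"Event ID:\s*(\d+)", block)
        body = " ".join(block.split("Description:", 1)[-1].split())  # unwrap lines
        spn = re.search(r"for the server \S+/(\S+)\.", body)      # ldap/host.domain.
        dom = re.search(r"in domain (\S+) due", body)
        status = re.search(r"\((0x[0-9a-fA-F]{8})\)", body)
        if not eid or not (spn or dom):
            continue
        name = dom.group(1) if dom else spn.group(1).split(".", 1)[-1]
        out.append((int(eid.group(1)), name.lower(), status.group(1).lower() if status else None))
    return out

def triage(events, home_domain):
    """Count no-logon-server failures per short domain; 'foreign' points at the trusted forest."""
    home = home_domain.split(".")[0].lower()
    per_domain = Counter()
    for eid, name, status in events:
        if eid == 5719 or (eid == 40960 and status == NO_LOGON_SERVERS):
            per_domain[name.split(".")[0]] += 1
    return {d: {"count": n, "scope": "home" if d == home else "foreign"}
            for d, n in per_domain.items()}
```

Run against the DC's own exported log with its home domain name (here the constructed `production.example`); a result listing only `foreign` domains is the signature of the trust/DNS dependency described in the thread, whereas `home` entries would point at a fault inside the DC's own domain.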