For SCOM monitoring and user permissions I am trying to add the Action Account from the HQ.local domain to some other domains like DOMAIN1.local, TEST1.local and TEST2.local. (A trust exists between those domains and HQ.local, and DNS conditional forwarders are configured so that the FQDN DNS names resolve correctly.)
The problem is, when adding a user from the HQ.local domain to the Active Directory of the DCs SRVPDC01.DOMAIN1.local or SRVPDC01.TEST1.local, I get an error:
"The Active Directory Domain Controllers Required to find the selected objects in the following domains are not available:
HQ.local
Ensure the Active Directory Domain Controllers are available, and try to select the objects again."
But when I try to do the same thing, i.e. add user1 from HQ.local to the AD on TESTDC01.TEST2.local... no error!
The other way around, like adding users from DOMAIN1.local, TEST1.local or TEST2.local to the DC01.HQ.local Active Directory... also no error!
To make things even stranger, when I validate the trust with HQ.local and then try to add user1.HQ.local -> no problem, but only for about 1 minute. After that it doesn't recognize user1.HQ.local and only displays some CN=S-1-5... ID of the user. Also, when trying to add a new user, I receive the error again.
My guess is that the problem has something to do with the identical NETBIOS names of the DCs (servers 3 and 4), because authenticating users from HQ.local and TEST2.local doesn't give me errors, and all other domains which have the same DC names are giving errors.
(For testing purposes I set up TESTDC01.TEST2.local with a different DC server name to see if the error persists, and it didn't.)
Overview of the servers and situation:
- Servers 3, 4 and 5 are all on separate VLANs and have no connectivity among each other. But they do have connectivity to the internet, the HQ.local domain and its servers DC01 and DC02.
- Same firewall settings for each VLAN.
- Servers 4 and 5 were even put on the same VLAN for testing purposes, just to make sure the firewall is not the problem.
| Server no. | DC FQDN name | Domain DNS name |
|---|---|---|
| 1 | DC01.HQ.local | HQ.local |
| 2 | DC02.HQ.local | HQ.local (secondary DNS) |
| 3 | SRVPDC01.DOMAIN1.local | DOMAIN1.local |
| 4 | SRVPDC01.TEST1.local | TEST1.local |
| 5 | TESTDC01.TEST2.local | TEST2.local |
Two-Way Forest Trusts are configured without any problems but here's an overview when the error occurs.
- On SRVPDC01.DOMAIN1.local -> adding user1.HQ.local to the AD = error
- On DC01.HQ.local -> adding user1.DOMAIN1.local to the AD = no problem
- On SRVPDC01.TEST1.local -> adding user1.HQ.local to the AD = error
- On DC01.HQ.local -> adding user1.TEST1.local to the AD = no problem
- On TESTDC01.TEST2.local -> adding user1.HQ.local to the AD = no problem
- On DC01.HQ.local -> adding user1.TEST2.local to the AD = no problem
What are my options to fix this? There must be more possibilities than renaming the DCs.
And why does the problem only occur when adding users in foreign domain <- from <- HQ.local and not HQ.local <- from <- foreign domain? Because that's the only thing I really need: users from HQ.local having permissions in groups of the other domains... :(
Any advice or help would be much appreciated. I've been struggling with this for a while now and I'm pretty much out of ideas.
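As an added diagnostic example (not code from the original post), the following PowerShell script checks, from the DC where the error appears, the things the "Domain Controllers ... are not available" dialog depends on: whether the DC locator SRV records for HQ.local resolve through the conditional forwarder, whether the HQ.local DCs those records point at are reachable on the ports a trust uses, what the built-in DC locator (`nltest /dsgetdc`) returns, and whether any DC short host name is shared by more than one domain (the poster's hypothesis about servers 3 and 4). The domain names default to the ones in the post; the port list and the use of `Test-NetConnection`, `Resolve-DnsName` and `Get-ADTrust` (RSAT / Windows Server 2012 or later) are assumptions of this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the DC that shows the error (e.g. SRVPDC01.DOMAIN1.local).
# Assumptions: DnsClient and ActiveDirectory modules present; nltest.exe built in.
param(
    [string]$TargetDomain   = 'HQ.local',
    [string[]]$OtherDomains = @('DOMAIN1.local', 'TEST1.local', 'TEST2.local')
)

function Get-DcRecords {
    # Returns one object per DC locator SRV record for the domain, or nothing
    # (with a warning) when the records cannot be resolved at all. That
    # "nothing" case is exactly what the AD object picker reports as
    # "domain controllers ... are not available".
    param([string]$Domain)
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object @{ n = 'Domain'; e = { $Domain } },
                          @{ n = 'DcFqdn'; e = { $_.NameTarget } },
                          @{ n = 'Port';   e = { $_.Port } }
    } catch {
        Write-Warning "No DC locator SRV records resolvable for $Domain : $($_.Exception.Message)"
    }
}

function Test-DcReachability {
    # TCP ports a forest trust and the object picker rely on (assumed list):
    # DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, LDAPS, Global Catalog.
    param([string]$DcFqdn)
    foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
        $r = Test-NetConnection -ComputerName $DcFqdn -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Dc = $DcFqdn; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

# 1. Can this DC find the target domain's DCs through DNS (conditional forwarder)?
$targetDcs = @(Get-DcRecords -Domain $TargetDomain)
"--- SRV records for $TargetDomain ---"
$targetDcs | Format-Table -AutoSize

# 2. Are those DCs reachable on the trust ports? Only closed ports are listed.
"--- Closed ports towards $TargetDomain DCs ---"
$targetDcs.DcFqdn | Sort-Object -Unique |
    ForEach-Object { Test-DcReachability -DcFqdn $_ } |
    Where-Object { -not $_.Open } | Format-Table -AutoSize

# 3. What does the DC locator itself pick? (/force bypasses the locator cache,
#    which matters given the "works for about a minute" symptom in the post.)
"--- nltest DC locator result for $TargetDomain ---"
nltest "/dsgetdc:$TargetDomain" /force

# 4. Duplicate DC short (NetBIOS-style) host names across all domains.
"--- DC short names used in more than one domain ---"
$allDcs = @($TargetDomain) + $OtherDomains | ForEach-Object { Get-DcRecords -Domain $_ }
$allDcs |
    Group-Object { ($_.DcFqdn -split '\.')[0].ToUpperInvariant() } |
    Where-Object { @($_.Group.Domain | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $domains = ($_.Group.Domain | Sort-Object -Unique) -join ', '
        "Short name '$($_.Name)' is used by DCs in: $domains"
    }

# 5. Trusts as seen from the local domain, for comparison with the table above.
"--- Trusts known to the local domain ---"
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, TrustType | Format-Table -AutoSize
```

Run it once on a DC that fails (SRVPDC01.DOMAIN1.local) and once on the one that works (TESTDC01.TEST2.local) and diff the two outputs: a difference in section 1 or 2 points at name resolution or filtering between the VLAN and HQ.local, while identical network results combined with a hit in section 4 supports the duplicate-DC-name hypothesis. Nothing in the script changes configuration; it only reads DNS, probes ports and lists trusts.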