
Trouble creating Forest Trust between Windows 2000 Forest and Windows 2012 Forest


I've got an old AD that I am attempting to transition off of. I am attempting to establish a two-way transitive trust between the new (Windows 2012) forest running on Windows Server 2012, and the old (Windows 2000) forest running on Windows Server 2003 R2.

Both DCs are running their own DNS servers. Both DCs can ping each other, can nslookup the other domain.

The 2012 DC was able to establish the trust on its side without issue. When I attempt to create the trust on the 2003 R2 side, after providing the NETBIOS name for the new domain, it gives me the following error:

"The Local Security Authority is unable to obtain an RPC connection to the domain controller BMUSJAXDC01. Please check that the name can be resolved and that the server is available."



C:\>ping bmusjaxdc01

Pinging bmusjaxdc01 [192.168.1.9] with 32 bytes of data:

Reply from 192.168.1.9: bytes=32 time<1ms TTL=128
Reply from 192.168.1.9: bytes=32 time<1ms TTL=128
Reply from 192.168.1.9: bytes=32 time<1ms TTL=128
Reply from 192.168.1.9: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.9:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms



C:\>nslookup us
*** Can't find server name for address 192.168.1.8: Non-existent domain
Server:  UnKnown
Address:  192.168.1.8

Name:    us.mydomain.com
Address:  192.168.1.9


In the event log, I am seeing this error over and over:

A Kerberos Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 19:52:51.0000 1/18/2013 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: CORP.MYOLDDOMAIN.COM
 Server Name: cifs/BMUSJAXDC01
 Target Name: cifs/BMUSJAXDC01@CORP.MYOLDDOMAIN.COM
 Error Text: 
 File: 9
 Line: b22
 Error Data is in record data.

For more information, see Help and Support Center at 


I then try to create the cifs record with SETSPN...

C:\Program Files\Windows Resource Kits\Tools>setspn -a cifs/us.mydomain.com us\bmusjaxdc01

Failed to bind to DC of domain US, error 0x5/5 -> Access is denied.


I then tried a PORTQRY to see if UDP connectivity was working...



C:\Program Files\Windows Resource Kits\Tools>portqry -n 192.168.1.9 -e 389 -p UDP

Querying target system called:

 192.168.1.9

Attempting to resolve IP address to a name...


IP address resolved to BMUSJAXDC01


UDP port 389 (unknown service): LISTENING or FILTERED

Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 01/18/2013 22:28:13 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=us,DC=mydomain,DC=com
dsServiceName: CN=NTDS Settings,CN=BMUSJAXDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC=mydomain,DC=com
namingContexts: DC=us,DC=mydomain,DC=com
defaultNamingContext: DC=us,DC=mydomain,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=us,DC=mydomain,DC=com
configurationNamingContext: CN=Configuration,DC=us,DC=mydomain,DC=com
rootDomainNamingContext: DC=us,DC=mydomain,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 14841
supportedSASLMechanisms: GSSAPI
dnsHostName: BMUSJAXDC01.us.mydomain.com
ldapServiceName: us.mydomain.com:bmusjaxdc01$@US.MYDOMAIN.COM
serverName: CN=BMUSJAXDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=us,DC=mydomain,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 5
forestFunctionality: 5
domainControllerFunctionality: 5


======== End of LDAP query response ========

UDP port 389 is LISTENING

After spending all day reading umpteen threads on RPC connectivity issues, I'm kind of running out of ideas. It seems like the old DC can make the RPC connection to the new DC, but a variety of things just kick back what essentially equates to "Access Denied". When I attempt to access the network share from the old DC to the new DC, all I get is:

bmusjaxdc01 is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The network name cannot be found.

I've disabled all the firewalls on the 2012 Server (domain, private and public), but it seems like something (group policy?) on the new DC is preventing specific connections, hence the variety of errors. Any ideas would be appreciated.
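The Kerberos event above is the useful clue: the old forest's client asked its own KDC (realm CORP.MYOLDDOMAIN.COM) for a ticket to cifs/BMUSJAXDC01, a short NetBIOS name, so the old KDC looked for that SPN in its own realm and correctly reported KDC_ERR_S_PRINCIPAL_UNKNOWN. The following is an added diagnostic script, not part of the original post; it checks the three things that symptom points at (short-name vs. FQDN resolution, SRV records for the new forest from the old forest's DNS, and the SPNs registered on the new DC in its own domain) and assumes it is run from a Windows host that can reach both forests, with the names taken from the post.

```powershell
# Added example (not from the original post): cross-forest name/SPN checks.
param(
    [string]$RemoteDomain = 'us.mydomain.com',   # new forest (from the post)
    [string]$ShortName    = 'bmusjaxdc01',       # new DC NetBIOS name (from the post)
    [string]$RemoteDcFqdn = 'bmusjaxdc01.us.mydomain.com'
)

# 1. Name resolution: the LSA RPC error and the Kerberos event both involve the
#    short name. A short name that resolves only via a DNS suffix search list or
#    NetBIOS broadcast can work for ping yet still leave Kerberos asking the wrong
#    realm, so compare short name and FQDN side by side.
foreach ($n in @($ShortName, $RemoteDcFqdn)) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
        '{0,-40} -> {1}' -f $n, ($ips -join ', ')
    } catch {
        '{0,-40} -> UNRESOLVED ({1})' -f $n, $_.Exception.Message
    }
}

# 2. Locator records: the old forest's DNS must answer the new forest's
#    _msdcs SRV queries (conditional forwarder or stub zone), or trust creation
#    falls back to NetBIOS and fails with exactly the errors in the post.
'--- SRV lookup for the new forest DC locator records ---'
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain"

# 3. SPNs: do not add cifs/ with setspn from the old forest; a DC's HOST/ SPN
#    already covers cifs, and the "Access is denied" bind is expected when you
#    are not an admin in the target domain. Instead, list what the new DC's own
#    domain has registered (-T queries the named domain).
'--- SPNs registered on the new DC in its own domain ---'
setspn -T $RemoteDomain -L $ShortName
```

If step 1 shows the short name resolving differently from the FQDN, or step 2 returns no SRV records, fix the DNS forwarding between the forests before retrying the trust; the Kerberos and share errors are downstream of that.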

