After the usual mergers, acquisitions and divestments the AD environment of my client is as follows:
- 3 AD Forests with a single domain in each (Domain1, Domain2, Domain3)
- Trusts between all domains (two-way transitive trusts)
From Domain1:
- AD Users and Computers can open Domain2 and Domain3
- Groups from Domain2 and Domain3 can be added to .local groups in Domain1
From Domain3:
- AD Users and Computers can open Domain2 but cannot open Domain1. The error in the DSA console is "a local error has occurred"
- Groups from Domain1 cannot be added to .local groups in Domain3. The error is "The system cannot contact a domain controller to service the authentication request".
DNS conditional forwarders are configured in both Domain1 and Domain3, and tested using NSLOOKUP and PING from both sides with success.
The trusts have been validated from both ends of the trust with success.
WAN connectivity has been validated with success.
There is nothing obvious in the event logs on the domain controllers except for "Event 40960 (LSASrv): The security system detected an authentication error for the server [DC in Domain1]. The failure code from authentication protocol Kerberos was 'The name or SID of the domain specified is inconsistent with the trust information for that domain'".
Currently this situation is preventing users in Domain3 from accessing resources in Domain1.
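The Kerberos failure quoted above (STATUS_DOMAIN_TRUST_INCONSISTENT) is raised when the SID a domain has recorded on its trusted-domain object does not agree with the SID the partner domain actually presents, so the first thing worth checking from every forest is what each side's trust objects say versus what each domain reports about itself. The script below is an added example written for this answer, not code from the original poster; it assumes the three forests have the hypothetical DNS names domain1.local, domain2.local and domain3.local, that the ActiveDirectory RSAT module is installed, and that the account running it (or the optional -Credential) can query a DC in each forest.

```powershell
# Added example, not part of the original post.
# Compares the SID recorded on every trusted-domain object (TDO) in each forest
# with the DomainSID the target domain reports about itself.
# Assumed, hypothetical domain names: domain1.local, domain2.local, domain3.local.
Import-Module ActiveDirectory

$forests = 'domain1.local', 'domain2.local', 'domain3.local'   # assumption

function Get-TrustSidReport {
    param(
        [Parameter(Mandatory)] [string[]] $Domains,
        [System.Management.Automation.PSCredential] $Credential
    )

    # Step 1: the authoritative SID of every domain, as its own DCs report it.
    $actualSid = @{}
    foreach ($d in $Domains) {
        $p = @{ Server = $d }
        if ($Credential) { $p.Credential = $Credential }
        try   { $actualSid[$d] = (Get-ADDomain @p).DomainSID.Value }
        catch { Write-Warning "Cannot query domain $d : $_" }
    }

    # Step 2: what each domain's TDOs record about its partners, and whether
    # that matches step 1. A mismatch means that side of the trust points at
    # a domain that no longer exists with that SID (stale or re-created TDO).
    foreach ($d in $Domains) {
        $p = @{ Server = $d; Filter = '*' }
        if ($Credential) { $p.Credential = $Credential }
        $trusts = @()
        try   { $trusts = @(Get-ADTrust @p) }
        catch { Write-Warning "Cannot read trusts on $d : $_" }

        foreach ($t in $trusts) {
            $recorded = if ($t.SecurityIdentifier) { $t.SecurityIdentifier.Value } else { $null }
            $expected = $actualSid[$t.Target]
            [pscustomobject]@{
                Source           = $d
                Target           = $t.Target
                Direction        = $t.Direction
                ForestTransitive = $t.ForestTransitive
                SidFiltering     = $t.SIDFilteringQuarantined   # "quarantine" on external trusts
                RecordedSid      = $recorded
                ActualSid        = $expected
                SidMatch         = if ($recorded -and $expected) { $recorded -eq $expected } else { 'unknown' }
            }
        }
    }
}

# Run from any of the forests; pass -Credential with an account valid in the
# forests that cannot be reached with the current logon.
Get-TrustSidReport -Domains $forests | Format-Table -AutoSize

# Secure-channel check for the direction that fails in the question
# (run on a DC in the domain that cannot reach the other, here Domain3 -> Domain1):
nltest /sc_verify:domain1.local
# Full trust verification, which also resets the trust password if asked:
netdom trust domain3.local /domain:domain1.local /verify /twoway
```

Reading the table: every row should show SidMatch True and, for a pair of forests, one row in each direction from each side. A row where RecordedSid differs from ActualSid, or a second TDO for the same Target (for example a leftover from an earlier trust to a domain that was since rebuilt under the same name), is exactly the condition that produces the "name or SID ... inconsistent with the trust information" Kerberos error; the usual fix is to remove the stale trust on the side that holds it and re-create it from both ends. Note that a healthy DNS forwarder and a successful "validate" in the Domains and Trusts GUI do not rule this out, since that validation can pass on one side while the other side's TDO is stale.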