Issue with Trust relationship between 2 forests

Anonymous
2023-12-08T10:19:20+00:00

Hello

I would like to have your support.

I currently have one AD DS domain named company.local. I created a new AD DS forest on a new DC, companydmz.local, to hold our DMZ servers in that domain. At this step, I have 2 separate domains. When I add a server to the companydmz.local domain, I'm able to connect to it with the domain admin account (administrator@companydmz.local) of companydmz.local. I have no issue.

When I create a trust relationship between company.local & companydmz.local (one way) to be able to log on to the server in the companydmz.local domain with our accounts created in the company.local domain, the connection with the same account (administrator@companydmz.local) fails with the error "The security database on the server does not have a computer account for this workstation trust relationship".

Why am I not able to connect to the server once I create the trust? Where is my issue?

Regards

Windows Server Identity and access Active Directory


4 answers

  1. Anonymous
    2023-12-11T02:23:28+00:00

    Hello JeromeCAR,

    It sounds like you are experiencing an issue with the trust relationship between the two forests. The error message you are receiving indicates that the computer account for the server in the companydmz.local domain is not properly configured in the security database of the company.local domain.

    To resolve this issue, you will need to ensure that the computer account for the server in the companydmz.local domain is properly configured in the security database of the company.local domain. You can do this by performing the following steps:

    1. Open Active Directory Users and Computers on a domain controller in the company.local domain.
    2. Navigate to the Computers container and locate the computer account for the server in the companydmz.local domain.
    3. Right-click on the computer account and select Properties.
    4. Click on the Trust tab and ensure that the trust relationship is properly configured.
    5. If the trust relationship is not properly configured, click on the Edit button and follow the prompts to configure the trust relationship.

    Once the trust relationship is properly configured, you should be able to log on to the server in the companydmz.local domain using your accounts created on the company.local domain. I hope this helps! Let me know if you have any further questions.

    Best regards,

    Qiuyang

  2. Anonymous
    2023-12-11T10:25:51+00:00

    Hello

    My error has been fixed.

    I have a question:

    I have a Windows Server 2022 machine in our DMZ registered on companydmz.local (new forest/domain dedicated to servers in the DMZ).

    I have a forest/domain named company.local to store computers/servers hosted on our LAN. I have a trust (one-way) between companydmz.local & company.local to allow users to connect to servers in the companydmz.local domain with their credentials from the company.local domain. On companydmz.local, I created a GPO to automatically push several accounts from company.local into the local Administrators group of our servers in the DMZ.

    When I try to connect with my account (myaccount@company.local) to servers hosted in the DMZ, I get the error "Incorrect Function". In my environment, is it mandatory to open traffic between servers in the DMZ and our company.local domain controllers, or with the trust, is the only traffic to be allowed from servers in the DMZ to the domain controllers of the companydmz.local domain? And why am I not able to log in to servers in the DMZ with my account from the company.local domain?

    BR

  3. Anonymous
    2023-12-12T03:01:44+00:00

    Hello JeromeCAR,

    Based on the information you provided, it seems that the trust between companydmz.local and company.local is working correctly. However, it is possible that the issue you are experiencing is related to the GPO you created to push accounts from company.local to the local Administrators group on servers in DMZ.

    Regarding your question about opening traffic between servers in DMZ and domain controllers of company.local domain, it is not mandatory to open traffic between servers in DMZ and domain controllers of company.local domain. The trust between companydmz.local and company.local should allow users to connect to servers in DMZ using their credentials from company.local domain.

    To troubleshoot the issue you are experiencing, I would recommend checking the following:

    1. Ensure that the GPO you created to push accounts from company.local to the local Administrators group on servers in DMZ is working correctly.
    2. Check the event logs on the servers in DMZ to see if there are any errors related to the login process.
    3. Verify that the DNS settings on the servers in DMZ are correctly configured to point to the domain controllers of companydmz.local domain.
    4. Check the firewall settings on the servers in DMZ to ensure that the necessary ports are open for the trust between companydmz.local and company.local.

    I hope this helps. Let me know if you have any further questions.

    Best regards,

    Qiuyang

  4. Anonymous
    2024-04-24T16:16:26+00:00

    Hi, I have a similar issue. I'm able to log in through RDP using the credentials of one forest DC to another forest. But I'm not able to perform LDAP query.

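An added diagnostic script, not from the thread or from Microsoft, that walks the checklist in the third answer (secure channel, trust objects, DNS, firewall ports, event log) from a member server in companydmz.local; it assumes the RSAT Active Directory module is installed and uses the domain names from the thread. The port list (88, 389, 445) is the usual Kerberos/LDAP/SMB set; the script reports reachability, it does not decide which direction your firewall policy requires.

```powershell
# Run in an elevated PowerShell on a member server joined to companydmz.local.
# Assumptions: RSAT ActiveDirectory module present; names match the thread.
$LocalDomain   = 'companydmz.local'   # forest this DMZ server is joined to
$TrustedDomain = 'company.local'      # forest whose users should be able to log on

# 1. Secure channel of this server to its own domain. The original error
#    (ERROR_NO_TRUST_SAM_ACCOUNT) means the DC handling the logon found no
#    computer account for this server, so the machine channel is checked first.
Write-Host "== Secure channel to $LocalDomain =="
if (-not (Test-ComputerSecureChannel -Verbose)) {
    Write-Warning "Secure channel broken; repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 2. Trust objects as seen by a DC of the local domain (direction, type, options).
Write-Host "== Trusts defined in $LocalDomain =="
Get-ADTrust -Filter * -Server $LocalDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# 3. DNS: the DMZ server must resolve the trusted forest's DC SRV records
#    (normally through a conditional forwarder on the companydmz.local DNS servers).
Write-Host "== SRV lookup for $TrustedDomain domain controllers =="
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "No SRV records for $TrustedDomain; check conditional forwarders" }
$dcs = $srv | Where-Object NameTarget | Select-Object -ExpandProperty NameTarget -Unique

# 4. Firewall: TCP reachability from this server to each trusted-forest DC on
#    Kerberos (88), LDAP (389) and SMB/Netlogon (445).
Write-Host "== TCP reachability to $TrustedDomain DCs =="
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-40} tcp/{1,-4} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 5. Event log: failed logons (4625) in the last 24h with their NTSTATUS
#    sub-status, which pinpoints why a company.local account was rejected.
Write-Host "== Failed logons in the last 24h =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Status = $d.Status; SubStatus = $d.SubStatus; LogonType = $d.LogonType
        }
    } | Format-Table -AutoSize
```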