[Issue] Two-way trust relationship working only one way

Hugo 6 Reputation points
2021-08-05T17:04:09.037+00:00

Hello everyone,

I have an issue with a two-way trust relationship between two domains.

Summary:

I set up a new DC and domain in a forest, and the trust relationship with the pre-existing domain only works one way.

From my new domain, I can’t access the resources of the pre-existing domain.

When I try to validate the trusts from the new DC, it asks me to use an account with administrative privileges and when I do, it tells me the trusts have been validated.
But I still can’t access the resources on my other domain.
And if I try to validate the trust again, it asks me to authenticate myself again, as if I had not already done it before.

I don’t know what’s wrong, any help is appreciated.

Also, I have “weird” DNS issues, which I’ll mention as well at the bottom of the post in case they may be related to the trust relationship issue.

----------------------------------------------------

Details if necessary:

I set up a new DC for a new domain for the first time.

And I’m running into an issue with the two-way trust relationship between the two tree domains (from the same forest) we now have.

We had a single domain (named IT.xxxxxx.net) on our network, whose DC is named DC02.
I set up a second domain (named SIT.xxxxxx.net): a tree domain, added to our existing forest.

After promoting the new DC (named MSRV-DC1) and a bit of configuration, things looked fine on the new domain (SIT).

However, I quickly realized that from the new domain, I couldn’t access any resources of the IT domain (with a Domain Admin account).
While from the IT domain, I could access everything on the SIT domain.

From my understanding, when setting up a new domain the way I did, a two-way trust relationship is automatically created between the two domains. So it should work both ways from the start.

I did have to set Conditional Forwarders in the DNS Manager on both DC02 and MSRV-DC1, but it didn’t fix this issue.
Both DCs are running on Windows Server 2019, by the way.

Now when I go on DC02 in the Active Directory Domains and Trusts console, everything is fine and I can see that for both domains the outgoing and incoming trusts are validated (“The trust has been validated. It is in place and active”).

But when I go on MSRV-DC1 in Domains and Trusts, there are a number of issues.

When I go to:
SIT domain properties > Trusts tab > outgoing OR incoming trust properties for the IT domain
And click Validate, I get this window:
[screenshot: 120914-fp1.png]
I use an account with administrative privileges and get this seemingly great result:
[screenshot: 120922-fp2.png]
Except when I click “OK” to close the properties window, if I go back to click “Validate” again, I’m prompted with the exact same AD DS window asking me to validate the trust again by using an account with admin privileges.

Basically same behavior when I go to the properties of the other domain:
IT domain properties > Trusts tab > outgoing OR incoming trust properties for the SIT domain
=> First I get this:
[screenshot: 120898-fp3.png]
But when I click OK the Properties open anyway.
And when I click Validate:
[screenshot: 120899-fp4.png]
And when I authenticate myself, exactly the same thing happens.
It tells me the trust has been validated, but if I leave and come back it’s asking me to authenticate myself again.

So it looks like either the trusts are really validated and something else prevents me from accessing the resources on my other domain (and creating various issues), or Windows tells me they are validated while they actually are not.
Either way, the trust is definitely only working one way, currently.

-------------------

DNS issue

Next to this, I have a DNS issue which I'll explain briefly in case it may be linked to the main issue.

From an SIT computer, I can ping everything on IT just fine.

But the other way around, from an IT computer to an SIT computer, there are some issues.
Mainly, I can’t ping the hostname of any of my servers from the SIT domain (except the DC…) when the firewall is enabled (on the servers I’m trying to ping). But I can ping their IP or their FQDN just fine.
If I disable the firewall on the target computer, it will ping the hostname but won’t show the DNS suffix, just the hostname or “hostname.local” sometimes.

I have spent a lot of time searching for solutions for this issue, to no avail.
Any help would be greatly appreciated!

Hugo
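The following diagnostic is an added example and is not part of Hugo's post. It collects, read-only, the evidence that the Validate button in Domains and Trusts does not surface for the trust problem described above, and it also covers the one-way ping behaviour from the DNS section: the trust object and its stored direction, the Netlogon secure channel to the partner domain, the `_msdcs` SRV records each DC must resolve for the other, the conditional forwarders, and whether a short hostname is resolved by DNS at all (as opposed to falling back to LLMNR/NetBIOS, which a host firewall blocks by default). It assumes it is run on the new DC (MSRV-DC1) in an elevated PowerShell 5.1 session with the RSAT modules (ActiveDirectory, DnsServer, DnsClient, NetSecurity) installed; the domain and DC names are the ones from the post and `SOMESERVER` is a placeholder for a SIT member server.

```powershell
# Added example, not Hugo's code: read-only trust and name-resolution diagnostic.
# Run on the new DC (MSRV-DC1). Names come from the post; $TestHost is a placeholder.
#Requires -Modules ActiveDirectory, DnsServer, DnsClient, NetSecurity
param(
    [string]$LocalDomain  = 'SIT.xxxxxx.net',   # domain of the DC this runs on
    [string]$RemoteDomain = 'IT.xxxxxx.net',    # the trust partner
    [string]$RemoteDc     = 'DC02',             # a DC of the partner domain
    [string]$TestHost     = 'SOMESERVER'        # placeholder: a SIT member server to ping
)

Write-Host "== 1. Trust object as stored in $LocalDomain ==" -ForegroundColor Cyan
# Direction is read from the trustedDomain object. A two-way trust must show
# 'BiDirectional' here AND in the same query run on the partner DC.
Get-ADTrust -Filter "Target -eq '$RemoteDomain'" -Server $LocalDomain |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication | Format-List

Write-Host "== 2. Netlogon secure channel and trust list ==" -ForegroundColor Cyan
# nltest asks Netlogon directly; this is the channel the Validate dialog exercises.
nltest "/sc_verify:$RemoteDomain"
nltest /domain_trusts /all_trusts
# The same verification from the partner's point of view (trusting = partner, trusted = local).
netdom trust $RemoteDomain /domain:$LocalDomain /verify

Write-Host "== 3. DNS: can each DC find the other's DCs? ==" -ForegroundColor Cyan
# Trust traffic needs the _msdcs SRV records of the partner domain; with conditional
# forwarders in place these must resolve from BOTH DCs, not only from one.
$checks = @(
    @{ Zone = $RemoteDomain; Via = $LocalDomain },
    @{ Zone = $LocalDomain;  Via = $RemoteDc }
)
foreach ($c in $checks) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($c.Zone)" -Type SRV -Server $c.Via -ErrorAction Stop
        $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
        Write-Host ("OK   {0,-20} via {1}: {2}" -f $c.Zone, $c.Via, $targets)
    } catch {
        Write-Host ("FAIL {0,-20} via {1}: {2}" -f $c.Zone, $c.Via, $_.Exception.Message) -ForegroundColor Red
    }
}
# Conditional forwarders configured on this DNS server (ZoneType 'Forwarder').
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, @{ n = 'MasterServers'; e = { $_.MasterServers.IPAddressToString -join ', ' } }

Write-Host "== 4. Short hostname vs FQDN for $TestHost ==" -ForegroundColor Cyan
# A single-label name only becomes a DNS query if the client appends a suffix from its
# search list; otherwise Windows falls back to LLMNR/NetBIOS, which the target's host
# firewall blocks by default. The DNS answer does not depend on the target's firewall,
# so comparing the two rows separates "name not resolved" from "ICMP blocked".
Write-Host "Suffix search list: $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"
foreach ($name in @($TestHost, "$TestHost.$LocalDomain")) {
    $resolved = $null
    try {
        $resolved = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                     Where-Object Type -eq 'A').IPAddress -join ','
    } catch { }
    if (-not $resolved) { $resolved = '<none>' }
    $ping = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
    Write-Host ("{0,-40} DNS A: {1,-18} ping: {2}" -f $name, $resolved, $ping)
}
# On the target server itself, this lists the inbound rule that allows ping with the firewall on:
#   Get-NetFirewallRule -DisplayName '*ICMPv4-In*' -Direction Inbound | Select-Object DisplayName, Enabled, Profile
```

Run section 1 on both DCs and compare the `Direction` values; a trust that is two-way on one side but not the other, or a secure-channel failure in section 2, narrows the problem before any permissions or firewall work. In section 4, a row where DNS returns `<none>` for the short name but an address for the FQDN means the client never sent a DNS query for the short name, which matches the post's symptom of IP and FQDN pinging fine while the bare hostname does not.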
