Overlapping Forest Names cause problems once Forest Trusts are established


You have multiple forests with forest trusts between them, and two of these forests have overlapping DNS names, for example:

forest1.com
forest2.forest1.com

Now when a third forest, forest3.com, has forest trusts with both of these forests, accounts from forest2.forest1.com cannot be used in forest3.com. For example, when you try to add an account from forest2.forest1.com to a DACL in forest3.com, you encounter this error:

C:\temp>Icacls c:\temp\test1 /grant forest2.forest1.com\admins:r

forest2.forest1.com\admins: No mapping between account names and security IDs was done.

Successfully processed 0 files; Failed processing 1 files


When you display the name suffix routing information for the trusts, the suffix of forest2.forest1.com is reported as conflicting with forest1.com:

C:\>netdom trust forest3.com /namesuffixes:forest1.com

   Name, Type, Status, Notes

1. *.forest1.com, Name Suffix, Enabled

C:\>netdom trust forest3.com /namesuffixes:forest2.forest1.com

   Name, Type, Status, Notes

1. *.forest2.forest1.com, Name Suffix, Conflicting, With forest1.com


In a network trace, you can see that a Kerberos ticket request from a user in forest2.forest1.com for a resource in forest3.com fails against a DC in forest3.com (the client's TGS request in frame 231 is answered with KDC_ERR_POLICY in frame 233):

231 lsass.exe (708) <client> <dc forest3> KerberosV5 KerberosV5:TGS Request Realm: forest3.com Sname: cifs/fileserver.forest3.com
233 Idle (0) <dc forest3> <client> KerberosV5 KerberosV5:KRB_ERROR  - KDC_ERR_POLICY (12)

In a KDC ETL trace taken on the forest3.com DC, you will see something like:

DEB_ERROR,dll,pac_cxx3792,KdcFilterSids(),"Failed to filter SIDS (LsaIFilterSids): 0xc000019b".


Kerberos requires an exact suffix match. LSA uses one set of functions to route domain name lookups, and for forest trusts the Kerberos routing rules apply there as well. Because the forest trust with forest1.com already claims the suffix *.forest1.com, the more specific suffix *.forest2.forest1.com on the other forest trust is marked Conflicting and is disabled, so names under forest2.forest1.com are routed to forest1.com, which does not contain that domain. This is why both the account name lookup (the icacls error above) and the SID filtering in the KDC (the LsaIFilterSids failure above) fail.


When you replace the forest trust between forest3.com and forest2.forest1.com with an external trust, the problem does not occur, because an external trust uses only an exact mapping of the domain name and none of the suffix routing that Kerberos requires for forest trusts. Keep in mind that an external trust is not transitive, so it covers only the domain it is created with.

Another approach that avoids this error is to add forest2.forest1.com as an excluded name suffix (an exclusion entry) on the forest trust between forest3.com and forest1.com. Because the suffix of the "child" forest was disabled due to the conflict, you then also need to re-enable this suffix on the forest trust with forest2.forest1.com. Both changes are made on the forest3.com side of the trusts, the side whose routing the netdom output above shows, and you can confirm the result afterwards with netdom trust forest3.com /namesuffixes:forest2.forest1.com, which should then report the suffix as Enabled.
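The following PowerShell script is an added example and is not part of this article. It reports the name suffix routing of both forest trusts and, with -Fix, applies the second workaround (exclusion on the forest1.com trust, then re-enabling the conflicting suffix on the forest2.forest1.com trust) using the .NET System.DirectoryServices.ActiveDirectory classes that ship with the AD DS tools. It assumes it is run on a member of forest3.com, the trusting forest, by an Enterprise Admin of forest3.com; the forest names are the example names used in this article and must be changed for your environment.

```powershell
# Added example (not from KB 2744558): report and repair name suffix routing for
# overlapping forest names. Assumes: run in forest3.com (the trusting forest) as
# an Enterprise Admin; forest names are the article's example names.
param(
    [string]$ParentForest = 'forest1.com',          # trust whose *.forest1.com suffix covers the child
    [string]$ChildForest  = 'forest2.forest1.com',  # trust whose own suffix shows as Conflicting
    [switch]$Fix                                    # without -Fix the script only reports
)

Add-Type -AssemblyName System.DirectoryServices

# The forest this host belongs to (forest3.com in the article's scenario).
$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function Show-SuffixRouting {
    param([string]$TargetForest)
    # GetTrustRelationship returns ForestTrustRelationshipInformation for a forest
    # trust. An external trust has no suffix routing, and the call throws for it.
    $info = $local.GetTrustRelationship($TargetForest)
    Write-Host ("Forest trust {0} -> {1}" -f $local.Name, $TargetForest)
    foreach ($tln in $info.TopLevelNames) {
        # Status is Enabled, NewlyCreated, AdminDisabled or ConflictDisabled
        Write-Host ("  suffix   *.{0,-28} {1}" -f $tln.Name, $tln.Status)
    }
    foreach ($ex in $info.ExcludedTopLevelNames) {
        Write-Host ("  excluded *.{0}" -f $ex)
    }
}

Write-Host "Before:"
Show-SuffixRouting $ParentForest
Show-SuffixRouting $ChildForest

if (-not $Fix) { return }

# Step 1: on the forest1.com trust, exclude forest2.forest1.com so that
# *.forest1.com no longer claims names under the child forest.
$parent = $local.GetTrustRelationship($ParentForest)
if (-not $parent.ExcludedTopLevelNames.Contains($ChildForest)) {
    [void]$parent.ExcludedTopLevelNames.Add($ChildForest)
    $parent.Save()   # writes the forest trust info on the trustedDomain object in forest3.com
    Write-Host "Added exclusion *.$ChildForest to the $ParentForest trust"
}

# Step 2: on the forest2.forest1.com trust, re-enable the suffix that was
# disabled by the conflict. Do this only after step 1 has been saved; otherwise
# the suffix is flagged as conflicting again.
$status = [System.DirectoryServices.ActiveDirectory.TopLevelNameStatus]
$child = $local.GetTrustRelationship($ChildForest)
$changed = $false
foreach ($tln in $child.TopLevelNames) {
    if ($tln.Name -eq $ChildForest -and $tln.Status -eq $status::ConflictDisabled) {
        $tln.Status = $status::Enabled
        $changed = $true
    }
}
if ($changed) {
    $child.Save()
    Write-Host "Re-enabled suffix *.$ChildForest on the $ChildForest trust"
}

Write-Host "After:"
Show-SuffixRouting $ParentForest
Show-SuffixRouting $ChildForest
```

Run it once without -Fix to confirm that the forest2.forest1.com suffix shows ConflictDisabled (the same state netdom reports as "Conflicting, With forest1.com"), then with -Fix. The changes are written to the trust objects in the root domain of forest3.com, so allow for replication to the DC you test against before repeating the icacls command from above.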


Article ID: 2744558 - Last Review: May 20, 2016 - Revision: 1