Windows Server 2003-based domain controllers in a parent-and-child domain environment may be unable to replicate changes

Applies to: Windows Servers

Symptoms


When Microsoft Windows Server 2003-based domain controllers are in a parent-and-child domain environment, the domain controllers in the parent domain and in the child domain may be unable to replicate changes. Additionally, you may notice the following symptoms:

  • The net view /domain:DomainName command returns an error. You expect this command to list the domain controllers from the child domain.
  • When you run the repadmin /showrepl command on the root domain controller of the parent domain, the command returns output that resembles the following:
    DomainName\ServerName via RPC
    objectGuid: Server_GUID
    Last attempt @ 2004-08-19 09:05.02 failed, result 5: Access is denied.
    You expect this command to list the replication partners.
  • An event that resembles the following may appear in the Directory Service logs of the domain controllers in the parent domain:

    Event ID: 1925
  • The following events may appear in the System log of the root domain controller in the parent domain:

    Event ID: 40960
    Event ID: 40961
  • The following Kerberos events may appear in the System log of the domain controllers in the parent domain and in the child domain:

    Event ID: 3
    Event ID: 594

Resolution


To resolve this problem, follow these steps:

  1. Run the following command on the root domain controllers of the parent domain and of the child domain. This command resets the trust relationship between the parent and child domain by establishing a new trust password for the direction that you specify. The * value for /PasswordD and /PasswordO makes Netdom prompt for each password so that the passwords do not appear on the command line or in the command history.

    Netdom trust trusting_domain_name /Domain:trusted_domain_name /UserD:user /PasswordD:* /UserO:user /PasswordO:* /reset

    Notes
    • The trusting_domain_name placeholder represents the name of the trusting domain.
    • The trusted_domain_name placeholder represents the name of the trusted domain.
    • The user placeholder in the /UserD:user parameter represents the user account that connects to the trusted domain.
    • The user placeholder in the /UserO:user parameter represents the user account that connects to the trusting domain.
  2. Exchange the designated domains in the trusting_domain_name and trusted_domain_name parameters from step 1, and then run the Netdom trust command again.

    Note Steps 1 and 2 reset both directions of the trust.
  3. Let the parent and child domain controllers replicate the changes.
  4. Restart the root domain controllers of the parent domain and of the child domain. Restarting these domain controllers purges the cached Kerberos tickets that were issued before the trust was reset.

    Note You can also use the Kerbtray tool to remove the Kerberos tickets. The Kerbtray tool is included in the Windows Server 2003 Resource Kit Tools package.
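
The following script is an added example and is not part of this article or of the Netdom, Repadmin or Kerbtray tools. It carries out steps 1 through 4 from an elevated Windows PowerShell prompt on a root domain controller: it resets both directions of the trust, forces replication and checks the Repadmin output for partners that still report "result 5", and then purges the Kerberos ticket cache of the current logon session with Klist. The domain names and account names are placeholders that you must replace, and the script assumes that Netdom, Repadmin and Klist are in the path (on Windows Server 2003 Klist is included in the Windows Server 2003 Resource Kit Tools package together with Kerbtray; on later versions it is part of Windows). Run the script on each root domain controller as step 1 directs.

```powershell
# Added example, not from the original article: reset a parent/child trust in
# both directions, verify replication, then purge cached Kerberos tickets.
param(
    [string]$ParentDomain = 'corp.example.com',        # placeholder parent domain
    [string]$ChildDomain  = 'child.corp.example.com',  # placeholder child domain
    [string]$ParentAdmin  = 'CORP\Administrator',      # placeholder account in the parent domain
    [string]$ChildAdmin   = 'CHILD\Administrator'      # placeholder account in the child domain
)

function Invoke-TrustReset {
    param([string]$Trusting, [string]$Trusted, [string]$UserO, [string]$UserD)
    # /PasswordD:* and /PasswordO:* make Netdom prompt for the passwords instead
    # of taking them on the command line, where they would be kept in the history.
    & netdom trust $Trusting "/Domain:$Trusted" "/UserD:$UserD" /PasswordD:* "/UserO:$UserO" /PasswordO:* /reset
    if ($LASTEXITCODE -ne 0) {
        throw "netdom trust reset ($Trusting trusts $Trusted) failed with exit code $LASTEXITCODE"
    }
}

# Step 1: reset the direction in which the child domain trusts the parent domain.
Invoke-TrustReset -Trusting $ChildDomain -Trusted $ParentDomain -UserO $ChildAdmin -UserD $ParentAdmin

# Step 2: exchange the trusting and trusted domains and reset the other direction.
Invoke-TrustReset -Trusting $ParentDomain -Trusted $ChildDomain -UserO $ParentAdmin -UserD $ChildAdmin

# Step 3: push the change to all partners, then look for partners that still fail.
# /A = all partitions, /P = push, /e = include partners in other sites, /d = show DNs.
& repadmin /syncall /APed | Out-Null
$showrepl = & repadmin /showrepl
# The failing partner in the Symptoms section prints "failed, result 5: Access is denied."
$failed = $showrepl | Select-String -Pattern 'failed, result (\d+):'
if ($failed) {
    $failed | ForEach-Object { Write-Warning $_.Line }
    throw 'At least one replication partner still fails. Let replication finish before you restart.'
}

# Step 4: purge the Kerberos tickets of the current logon session. This is the
# command-line equivalent of clearing the tickets with Kerbtray; the article's
# primary step, a restart of both root domain controllers, clears every session.
& klist purge
Write-Host 'Trust reset in both directions and tickets purged. Restart the root domain controllers to finish.'
```

Note that Select-String matches the English Repadmin output format that is shown in the Symptoms section; on a localized installation, adjust the pattern to the text that Repadmin prints. The script purges only the ticket cache of the session that runs it, which is why the article asks for a restart; a Kerberos ticket that was issued before the reset is no longer valid for the new trust password and causes the same "Access is denied" result until it is removed.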

More Information


For more information about how to use the Kerbtray tool, click the following article number to view the article in the Microsoft Knowledge Base:

319723 How to use Kerberos authentication in SQL Server

For more information about how to download the Windows Server 2003 Resource Kit Tools package, visit the following Microsoft Web site: