Active Directory Replication and Knowledge Consistency Checker Fail without Trusted Domain Object
From the source "NTDS Replication", Event ID 1645:
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
NOTE: This procedure should only be performed if the TDO for the remote domain is not present in the System container.
- From the domain that is generating the error messages listed earlier in this article, open the Active Directory Domains and Trusts administrative tool on the domain controller that holds the PDC Flexible Single Master Operations (FSMO) role for the domain. Right-click the object that represents the domain, and then click Properties.
- Click the Trusts tab, and then click Add to create both sides of the trust relationship to the remote domain. Because this would normally be a Kerberos trust, creating both sides of the trust is required.
  Creating the trusted side first generates the following error message:
      Active Directory cannot verify the trust. Access is denied.
  Click OK. Note that Active Directory Domains and Trusts displays the trust as type "Shortcut" and that it is transitive.
  Adding the trusting side generates the following message:
      To verify the new trust, you must have permissions to administer trusts for the domain XXX. Do you want to verify the new trust?
  Click Yes, and then supply the administrator credentials for the remote domain. Whenever you are prompted for credentials, be sure to specify the domain name as well as the user name, for example, NetBIOSDomainName\Administrator. The following error message is generated:
      Active Directory cannot verify the trust. Access is denied.
  Click OK. Again, note that Active Directory Domains and Trusts displays the trust as type "Shortcut" and that it is transitive.
- After both sides of the trust relationship have been created, run the following command.
NOTE: The NETDOM utility is included with the Windows 2000 Support Tools included in the \Support\Tools folder of your Windows 2000 Server or Professional CD-ROM.
  NETDOM TRUST local_domain /Domain:remote_domain /UserD:administrator /PasswordD:* /UserO:administrator /PasswordO:* /Reset /TwoWay
  where "local_domain" is the domain on which the trust is being created and "remote_domain" is the parent, child, or tree root domain being trusted. In either case, use the fully qualified domain name (FQDN), for example, "MyDomain.com". UserD is an account in the domain named by /Domain (the remote domain); UserO is an account in the local domain. /Reset regenerates the trust password, and /TwoWay does so for both directions of the trust. Specifying "*" for each password makes NETDOM prompt for it instead of taking it from the command line. This should result in the following messages:
  Type the password associated with the domain user: (This is UserD)
  Type the password associated with the object user: (This is UserO)
  Resetting the trust passwords between local_domain.com and remote_domain.com
  The trust between local_domain.com and remote_domain.com has been successfully reset and verified
  The command completed successfully.
- Reboot the PDC where these changes were made.
- After rebooting, allow time for Active Directory to establish a secure channel and for the Knowledge Consistency Checker to re-establish replication links to the domain controllers in the remote domain. During this period, test that logons across the trust relationship succeed and that the Event ID 1645 errors are no longer being logged.
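The procedure above, collected into one script as an added example (this is not part of KB257844 and not Microsoft's code). It first confirms the precondition in the NOTE, that no Trusted Domain Object (TDO) for the remote domain exists under CN=System of the local domain, and only then runs the NETDOM reset of step 3; run it again with -PostReboot after step 4 to carry out the checks of step 5. The domain names and account names used as defaults are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT), NETDOM, NLTEST and REPADMIN are available on the PDC emulator of the local domain; these tools postdate the Windows 2000 Support Tools the article refers to. Steps 1 and 2 (creating both sides of the trust in Active Directory Domains and Trusts) remain a GUI task done before the script is run.

```powershell
<#
 Added example, not part of KB257844. Checks for the Trusted Domain Object
 (TDO) before resetting the trust, then resets both directions with NETDOM.
 Run with -PostReboot after the PDC has been restarted to verify the result.
 Assumes: ActiveDirectory module, NETDOM, NLTEST, REPADMIN; run on the PDC
 emulator. All default names are placeholders for this example.
#>
[CmdletBinding()]
param(
    [string]$LocalDomain  = 'child.corp.example.com',  # domain logging Event ID 1645 (assumed)
    [string]$RemoteDomain = 'corp.example.com',        # parent, child or tree-root domain being trusted (assumed)
    [string]$RemoteAdmin  = 'CORP\Administrator',      # UserD: NetBIOSDomainName\user in the remote domain (assumed)
    [string]$LocalAdmin   = 'CHILD\Administrator',     # UserO: NetBIOSDomainName\user in the local domain (assumed)
    [switch]$PostReboot                                # run the verification pass of step 5
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-TrustedDomainObject {
    # The TDO is a trustedDomain object directly under CN=System,<domain DN>.
    # trustPartner holds the DNS name of the trusted domain, flatName its NetBIOS name.
    param([string]$Domain, [string]$Partner)
    $systemBase = 'CN=System,' + (Get-ADDomain -Identity $Domain).DistinguishedName
    Get-ADObject -Server $Domain -SearchBase $systemBase -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$Partner))" `
        -Properties trustPartner, flatName, trustDirection, trustType, trustAttributes
}

if ($PostReboot) {
    # Step 5: confirm the secure channel, the trust, the KCC replication links,
    # and that no further 1645 events have been logged to the Directory Service log.
    nltest "/sc_verify:$RemoteDomain"
    netdom trust $LocalDomain "/Domain:$RemoteDomain" /Verify
    repadmin /showrepl
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1645 } `
              -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($recent) {
        "Event ID 1645 is still being logged; most recent entries:"
        $recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
    } else {
        "No Event ID 1645 entries found in the Directory Service log."
    }
    return
}

$tdo = Get-TrustedDomainObject -Domain $LocalDomain -Partner $RemoteDomain
if ($tdo) {
    # trustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional.
    "TDO for $RemoteDomain already exists: $($tdo.DistinguishedName) (trustDirection=$($tdo.trustDirection))"
    "The NOTE in the article applies: do not reset the trust; check the secure channel instead."
    nltest "/sc_verify:$RemoteDomain"
    return
}

"No TDO for $RemoteDomain under CN=System of $LocalDomain; resetting the trust (step 3)."

# Credentials are passed as NetBIOSDomainName\user, as the article advises.
# '*' makes NETDOM prompt for each password, so neither one appears in the
# command line, in the transcript, or in shell history.
netdom trust $LocalDomain "/Domain:$RemoteDomain" `
    "/UserD:$RemoteAdmin" /PasswordD:* `
    "/UserO:$LocalAdmin"  /PasswordO:* `
    /Reset /TwoWay
if ($LASTEXITCODE -ne 0) {
    throw "netdom trust /Reset failed with exit code $LASTEXITCODE; check the credentials and that both FQDNs resolve."
}

"Trust reset. Reboot this PDC (step 4), then rerun this script with -PostReboot (step 5)."
```

Run the script once, without switches, between steps 2 and 3; it refuses to reset when a TDO is already present, because resetting a trust password that is actually in use breaks the existing secure channel. After the reboot in step 4, rerun it with -PostReboot and keep checking until the NLTEST and NETDOM verifications succeed and no new 1645 events appear.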
Article ID: 257844 - Last Review: 12/05/2015 19:15:32 - Revision: 2.2