Troubleshooting Active Directory Domains and Trusts

Applies To: Windows Server 2008

This section describes a few issues that you might encounter when you use Active Directory Domains and Trusts to manage domains and trusts.

What problem are you having?

  • Clients are not able to access resources in a domain outside the forest.

  • There are trust errors between servers and workstations.

  • There are trust errors between Windows NT 4.0 domains and Active Directory domains.

Clients are not able to access resources in a domain outside the forest.

Cause: A failure occurred on the external trust between the domains.

Solution: Reset and verify the trust between the domains. For a trust to be reset successfully, the domain controller that holds the primary domain controller (PDC) emulator operations master role (also known as flexible single master operations or FSMO) must be available.

There are trust errors between servers and workstations.

Cause: There is incorrect time synchronization between domain controllers or workstations, the server might be down, or the trust relationship might be broken.

Solution: Run the command-line tool Netdom to verify, reset, or establish the trust between computers. This command-line tool performs batch management of trusts, verifies trusts, and secures channels between computers. It can also join computers to domains. For more information, see Verify a Trust.
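The checks named in the two solutions above (PDC emulator availability, time synchronization, trust and secure channel verification, then reset) can be run in order as in the following sketch. It is an added example, not part of the original Microsoft article; the domain names, the computer name, and the Administrator accounts are constructed placeholders, and it assumes that netdom and nltest return a nonzero exit code on failure.

```powershell
# Added example (not from the original article). All names are constructed placeholders.
param(
    [string]$TrustingDomain = 'corp.example',     # domain that holds the resources
    [string]$TrustedDomain  = 'partner.example',  # domain on the other side of the trust
    [string]$Workstation    = 'WKSTN01',          # member computer reporting trust errors
    [switch]$Reset                                # reset the trust only when explicitly requested
)

# 1. A trust reset needs the PDC emulator role holder, so confirm that one can be located.
nltest "/dsgetdc:$TrustingDomain" /pdc
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No PDC emulator located for $TrustingDomain; a trust reset will not succeed."
}

# 2. Time synchronization: sample the clock offset against the other domain.
#    Assumes the domain's DNS name resolves to one of its domain controllers.
w32tm /stripchart "/computer:$TrustedDomain" /samples:3 /dataonly

# 3. Verify the trust between the two domains (read-only check).
netdom trust $TrustingDomain "/domain:$TrustedDomain" /verify
$trustOk = ($LASTEXITCODE -eq 0)

# 4. Verify the secure channel between the member computer and its domain (read-only check).
netdom verify $Workstation "/domain:$TrustingDomain"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Secure channel check failed for $Workstation in $TrustingDomain."
}

# 5. Reset the trust only if verification failed and -Reset was supplied.
#    '*' makes netdom prompt for each password instead of taking it on the command line.
if (-not $trustOk -and $Reset) {
    netdom trust $TrustingDomain "/domain:$TrustedDomain" /reset `
        "/UserD:$TrustedDomain\Administrator" '/PasswordD:*' `
        "/UserO:$TrustingDomain\Administrator" '/PasswordO:*'

    # Re-run the verification so the result of the reset is recorded.
    netdom trust $TrustingDomain "/domain:$TrustedDomain" /verify
    $trustOk = ($LASTEXITCODE -eq 0)
}

if ($trustOk) { Write-Output "Trust $TrustingDomain -> $TrustedDomain verified." }
else          { Write-Warning "Trust $TrustingDomain -> $TrustedDomain did not verify." }
```

Run it first without -Reset so that the verification output is captured before anything is changed.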

There are trust errors between Windows NT 4.0 domains and Active Directory domains.

Cause: Automatic trust password resets for the trust may not reach the PDC emulator master role holder.

Solution: Run Netdom to verify, reset, or establish trust between computers. This command-line tool performs batch management of trusts, verifies trusts, and secures channels between computers. It can also join computers to domains. If this does not help solve the issue, see article Q317178 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=4441).