External Domain Trust validation fails after creation.Domain not found?

Question

I am trying to set up a 1-way trust in my lab. LAB.local is the trusted domain while RED.local is the trusting domain. Conditional forwarding is set up on both pointing to each other. DC01.LAB.local [10.32.1.1] resolves and replies from DC01.RED.local [10.35.1.1] and vice versa.

The DC's are running Server 2019 on different seperate ESXi 6.5 hosts, each with their own pfSense router with firewall rules set to allow everything on IPv4. OS Firewall is currently disabled and network location is Domain.

The trust is created by GUI without any problems:

When I try to add my LAB.local Global Group into a RED.local Local Group from the ADUC running on DC01.RED.local, the LAB.local domain is visible but credentials are required when browsing. Once added and the group properties window is closed and back opened I only see the SID with the message: Some of the object names cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object's name.

When I try to Validate my trust relation from the ADDT window I get the error: The secure channel (SC) reset on Active Directory Domain Controller \DC01.RED.local of domain RED.local to domain LAB.local failed with error: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

Running a few NLTEST commands:

C:\Users\REDAdmin>nltest /trusted_domains
List of domain trusts:
    0: LAB LAB.local (NT 5) (Direct Outbound) ( Attr: quarantined )
    1: RED RED.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully

C:\Users\REDAdmin>nltest /dclist:red.local
Get list of DCs in domain 'red.local' from '\\DC01.RED.local'.
    DC01.RED.local [PDC]  [DS] Site: REDCorpBelgiumHQ
The command completed successfully

C:\Users\REDAdmin>nltest /dclist:lab.local
Get list of DCs in domain 'lab.local' from '\\DC01.LAB.local'.
You don't have access to DsBind to lab.local (\\DC01.LAB.local) (Trying NetServerEnum).
I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND

C:\Users\REDAdmin>nltest /server:dc01 /sc_query:lab.local
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

Can anyone tell me what I am doing wrong please?

Answer 1

It seems that I have found the reason why this was not working.

In my lab, I had used the same naming policy of my members. This resulted in DC01 for every first domain controller in each environment. So in their fully qualified name, these are all unique.

Active Directory however seems to be using Netbios on multiple occasions and when both domain controllers have the same NETBIOS name, this results in these problems.

To fix this issue, I have demoted my RED.local domain controller, renamed DC01 to RED-DC01, promoted to domain controller, re-created my lab AD objects, added the conditional dns forwarders and created the trust. BAM, validation works.

I do find it peculiar that this is a requirement for the trust to work. DC01 seems to be a frequently used name for the primary domain controller. When 2 companies fuse together this must form a very big issue.