Forest Trust relationship access denied

I have a resource forest ( set up for Exchange 2013 with a trust relationship to another forest (domain2.local) where the users are set up. This has been running for a couple of months without issue until today. The users have not been logging on to domain2.local, with the exception of authentication for their mailboxes, which are linked accounts.

This has been a phased migration which got held up due to external factors; the users are currently logging in to a completely separate domain (otherdomain.local, which is an SBS2008 setup with) and just using Outlook to connect with the credentials from domain2.local.

Today I started the process to move the users over to domain2.local. As the next step in that process I added another DC to the domain, and this is where things broke. I got a call saying all users were getting a popup requesting credentials for Outlook. Entering valid credentials made no difference; the box kept popping up and not allowing connection, however users could log in with OWA. On investigation I realised I had named the new DC in domain2 the same as a DC in domain1, albeit with a different domain name. This is what seems to have broken things, according to some posts on various forums.

In an attempt to resolve this I have removed the trust between the 2 domains and tried to recreate it, but get an access denied error; the trust does create on both sides but won't validate. Also, when I look at the routed suffixes on each side, the suffix is listed in the domain2.local properties, but the domain2.local suffixes are not listed in the properties.

I am struggling with this; the customer is only partially working, so this is quite urgent. Your help is much appreciated.


Well, after leaving the issue for a couple of hours I went back to it and was able to recreate the trust without issue, and after that all email issues were resolved. I haven't seen any evidence, but I'm suspecting that after demoting and renaming the DC the changes hadn't fully committed and it just needed to catch up with itself. I did however discover a Netlogon event that stated it couldn't reach the DC that got demoted, but that was a few hours after I demoted it; not sure if that event would have helped had I seen it sooner though.

Source: Link, Question Author: Iain, Answer Author: Iain
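A defender-side health check for the situation in this thread, added here as an example and not taken from the original post: it lists the trusts as seen from the Exchange resource forest, verifies the trust with netdom, flags any domain controller short name that exists in both forests (the naming collision the question describes), and pulls recent Netlogon warnings and errors such as the "cannot reach DC" event mentioned in the answer. It assumes the RSAT ActiveDirectory module on a domain-joined admin host; `resource.local` is a placeholder for the unnamed resource forest.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module
# and an account with read access to both forests.
Import-Module ActiveDirectory

$ResourceForest = 'resource.local'   # placeholder: the Exchange resource forest is unnamed in the post
$AccountForest  = 'domain2.local'    # the account forest named in the post

# 1. Enumerate the trusts as seen from the resource forest.
Get-ADTrust -Filter * -Server $ResourceForest |
    Select-Object Name, Direction, ForestTransitive, TrustType |
    Format-Table -AutoSize

# 2. Verify the trust itself (this is what "validate" in the trust properties dialog does).
netdom trust $ResourceForest /domain:$AccountForest /verify

# 3. Flag DC hostnames that exist in both forests; a duplicate short name across a
#    trust is the condition the question blames for the credential prompts.
$dc1 = Get-ADDomainController -Filter * -Server $ResourceForest | Select-Object -ExpandProperty Name
$dc2 = Get-ADDomainController -Filter * -Server $AccountForest  | Select-Object -ExpandProperty Name
$dup = Compare-Object -ReferenceObject $dc1 -DifferenceObject $dc2 -IncludeEqual -ExcludeDifferent |
    Select-Object -ExpandProperty InputObject
if ($dup) {
    Write-Warning "DC name(s) present in both forests: $($dup -join ', ')"
} else {
    Write-Host "No DC name collisions between $ResourceForest and $AccountForest"
}

# 4. Recent Netlogon warnings/errors on this host (Level 2 = Error, 3 = Warning),
#    e.g. an unreachable DC after a demotion that has not finished replicating.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Level        = 2, 3
    StartTime    = (Get-Date).AddHours(-24)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run it on a DC in each forest, since the Netlogon log in step 4 is local to the host it runs on.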
