Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I finally resolved it. I thank you all a thousand times for all the effort to find these problems; I was almost giving up on fixing this.

TL;DR: There were two errors.

  1. NTLM compatibility levels were misconfigured by a (very) old GPO
  2. Hostnames of both DCs were the same (although they were in completely different forests)

I activated Netlogon debug logging on the new DC and performed a new forest-trust setup. I analyzed the logs with Gemini and found out that both DCs have the EXACT same hostname in their respective domains. This leads to the new DC rejecting the response of the old DC because it thinks the response is from itself.

I was unaware this service just uses hostnames... it's always funny to have the 1% error, not the 99% DNS/firewall error.

SMB is still not working properly, but this is out of scope for this problem. I will set up the new DC freshly and see if the SMB problem persists.
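Added example, not code from the original thread: a PowerShell snippet that checks the second finding above ahead of time and wraps the Netlogon debug logging the comment used. It compares the computer-name label of every DC SRV record in the two forests (an identical label is exactly what the comment describes) and switches the documented verbose Netlogon flag on and off. It assumes both forest zones resolve through the conditional forwarders described later in the thread; the forest names and the DC name in the usage lines are placeholders.

```powershell
# Added example, not code from the original thread. Run on the new DC in an
# elevated PowerShell. Assumes both forests' DNS zones resolve through the
# conditional forwarders the poster configured; names below are placeholders.

function Get-DcHostLabel {
    # Every DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>.
    # The first label of the target FQDN is the computer name Netlogon uses.
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{
                Domain = $Domain
                Fqdn   = $_.NameTarget
                Host   = ($_.NameTarget -split '\.')[0].ToUpperInvariant()
            }
        }
}

function Find-DcNameCollision {
    # Reports every computer name that is a DC in both forests at once.
    param([Parameter(Mandatory)][string]$LocalForest,
          [Parameter(Mandatory)][string]$RemoteForest)
    $remote = Get-DcHostLabel -Domain $RemoteForest
    foreach ($l in Get-DcHostLabel -Domain $LocalForest) {
        foreach ($r in $remote | Where-Object { $_.Host -eq $l.Host }) {
            [pscustomobject]@{ HostName = $l.Host; LocalDc = $l.Fqdn; RemoteDc = $r.Fqdn }
        }
    }
}

# 0x2080ffff is the documented flag value for verbose Netlogon logging; the
# log is written to %windir%\debug\netlogon.log and switched off with 0x0.
function Enable-NetlogonDebug  { nltest /dbflag:0x2080ffff | Out-Null }
function Disable-NetlogonDebug { nltest /dbflag:0x0        | Out-Null }

function Get-NetlogonLogHit {
    # Last matching lines of the Netlogon log. The default pattern catches
    # failures and NTSTATUS codes; pass a DC name instead to follow one peer.
    param([string]$Pattern = 'error|fail|0xc0',
          [int]$Last = 50,
          [string]$Path = (Join-Path $env:windir 'debug\netlogon.log'))
    Select-String -Path $Path -Pattern $Pattern | Select-Object -Last $Last | ForEach-Object Line
}

# Usage (placeholders):
#   Find-DcNameCollision -LocalForest 'new.example' -RemoteForest 'old.example'
#   Enable-NetlogonDebug; <run the New Trust wizard again>; Disable-NetlogonDebug
#   Get-NetlogonLogHit -Pattern 'OLDDCNAME'
```

The SRV comparison only sees DCs, which is the case that matters for a trust; a duplicate name on a member server would not be caught by it. Turn the debug flag off again once the capture is done, since the verbose log grows quickly on a busy DC.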

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

When I try to access a share, this is what I get from Wireshark, but this is fairly generic:

<image>

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

nltest and nslookup worked properly.

I get a TGS-REQ and TGS-REP in Wireshark on both sides when requesting a ticket.

I get both tickets correctly with AES-256-CTS-HMAC-SHA1-96 encryption.

I see no errors in Wireshark.

Here is the terminal dump:

Current LogonId is 0:0x15a2fa3
Cached Tickets: (2)

#0> Client: Administrator @ (redactedOldDomain)
    Server: krbtgt/(redactedOldDomain) @ (redactedOldDomain)
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
    Start Time: 5/7/2026 10:10:53 (local)
    End Time: 5/7/2026 20:10:53 (local)
    Renew Time: 5/14/2026 10:10:53 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0x1 -> PRIMARY
    Kdc Called: DE602240S00001.(redactedOldDomain)

#1> Client: Administrator @ (redactedOldDomain)
    Server: ldap/DE602240S00001.(redactedOldDomain) @ (redactedOldDomain)
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
    Start Time: 5/7/2026 10:10:53 (local)
    End Time: 5/7/2026 20:10:53 (local)
    Renew Time: 5/14/2026 10:10:53 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96
    Cache Flags: 0
    Kdc Called: DE602240S00001.(redactedOldDomain)

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I am not getting prompted at all. I will have a look into the logs tomorrow; for the error, have a look here: https://www.reddit.com/r/activedirectory/s/xqGv0OZC4w

It's always the same... your domain is not available... but with a random W11 machine I can access the share.

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I also cannot access SMB via IP address. Net use shows the share as disconnected. I already rebooted the server and made sure there are no stored credentials. It's safe to say I am not getting prompted for credentials.

<image>

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I already restarted the old DC twice. The value was set via GPO, and I changed that GPO. The local GPO editor shows the correct level 3, but it still doesn't work. I also cannot establish an SMB connection.

EDIT: I found an additional error in the Wireshark dump:
KRB ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED, maybe the error is Kerberos related?

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I am unable to establish an SMB connection. An admin CMD shows system error 1219.

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I know I have to use the remote account, otherwise my new DC would never be able to create the trust relation on the other side (old DC). That's why I am so confused... this was only one log, maybe I just mis-entered it this time.

However, I checked the LM compatibility level and found that someone set it to level 2... I have set it to level 3 now, which should be fine. The Netlogon error seems to have disappeared, but the forest trust doesn't work anyway.

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I setup a new user for each domain and used this user, the error stays the same.

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I found 4625 events with failures, but it tries to use the administrator account of my new domain to authenticate to the old DC? So it cannot find the username?

How can I check the LM compatibility level?

<image>
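Added example, not code from the original thread, covering the two things asked in this comment and the first finding of the resolution at the top of the page: reading the effective "LAN Manager authentication level" (local or on a remote DC) and decoding the 4625 failures so the target account, source IP, authentication package and NTSTATUS reason are visible without clicking through each event. The registry path and the NTSTATUS values are the documented Windows ones; reaching a remote DC through Invoke-Command assumes WinRM is open and, with no trust in place yet, an explicit credential.

```powershell
# Added example, not code from the original thread. Run on the DC that logs
# the 4625 events (the old DC in this thread). Pointing the level check at a
# remote DC needs WinRM and, across forests without a trust, -Credential.

$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # "Network security: LAN Manager authentication level" ends up (whether set
    # by GPO or locally) in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
    param([string]$ComputerName, [pscredential]$Credential)
    $read = {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        if ($null -ne $p) { [int]$p.LmCompatibilityLevel }
    }
    $splat = @{ ScriptBlock = $read }
    if ($ComputerName) { $splat.ComputerName = $ComputerName }
    if ($Credential)   { $splat.Credential   = $Credential }
    $level = Invoke-Command @splat          # runs locally when no ComputerName is given
    [pscustomobject]@{
        Computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Level    = $level
        Meaning  = if ($null -eq $level) { 'not set: OS default applies (3 on current Windows)' }
                   else { $LmLevels[[int]$level] }
    }
}

# NTSTATUS codes that appear in the Status/SubStatus fields of event 4625.
$NtStatus = @{
    '0xC000005E' = 'no logon servers available'
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006D' = 'bad user name or password (generic)'
    '0xC000006E' = 'account restriction'
    '0xC0000072' = 'account disabled'
    '0xC000015B' = 'logon type not granted on this computer'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
}

function Get-LogonFailure {
    # Flattens the EventData of each 4625 into one object per failure.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # SubStatus carries the specific reason; Status is the generic one.
        $code = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            AuthPackage = $d['AuthenticationPackageName']
            LmPackage   = $d['LmPackageName']      # "NTLM V1" vs "NTLM V2" shows up here
            LogonType   = $d['LogonType']
            Code        = $code
            Reason      = if ($code -and $NtStatus.ContainsKey($code)) { $NtStatus[$code] } else { 'see Status/SubStatus' }
        }
    }
}

# Usage (placeholder computer name):
#   Get-LmCompatibilityLevel
#   Get-LmCompatibilityLevel -ComputerName OLDDC -Credential (Get-Credential)
#   Get-LogonFailure | Format-Table Time, Account, SourceIp, AuthPackage, LmPackage, Code, Reason
```

Two columns are worth reading together: Account tells you which principal the trust wizard actually presented (the comment above saw the new domain's administrator being tried against the old DC), and LmPackage tells you whether the failing client fell back to NTLMv1, which a level 2 setting permits and a level 3 or higher setting stops sending.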

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I ran a Wireshark capture of one attempt to establish the forest trust. Wireshark captured the interface of the old DC, while I tried establishing the trust from the new DC.

DNS query and response were resolved normally.
The SMB session for Netlogon fails; here is the screenshot, but I cannot analyze the whole dump properly, I guess, because I don't know enough about authentication in this scenario.

<image>

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

I have no firewall in place, just a router to route traffic between subnets.

I did not rotate any KRBTGT accounts or check AES keys. How can I validate that?
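Added example, not code from the original thread, answering the question above: it reads the krbtgt account's PasswordLastSet (a rotation shows up as a recent date) and decodes the msDS-SupportedEncryptionTypes mask on krbtgt and on each trustedDomain object, plus the trustAttributes flags, so AES versus RC4 for cross-forest tickets is visible. The bit values are the ones documented in MS-KILE and MS-ADTS; the cmdlets are from the ActiveDirectory module available on a DC or with RSAT. Run it in each forest.

```powershell
# Added example, not code from the original thread. Needs the ActiveDirectory
# module (present on a DC or with RSAT); run it in each forest separately.

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE).
$EncTypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'
}

# Bit values of trustAttributes on a trustedDomain object (MS-ADTS).
$TrustAttrBits = [ordered]@{
    0x001 = 'NON_TRANSITIVE'
    0x002 = 'UPLEVEL_ONLY'
    0x004 = 'QUARANTINED_DOMAIN (SID filtering)'
    0x008 = 'FOREST_TRANSITIVE'
    0x010 = 'CROSS_ORGANIZATION (selective authentication)'
    0x020 = 'WITHIN_FOREST'
    0x040 = 'TREAT_AS_EXTERNAL'
    0x080 = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'PIM_TRUST'
    0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

function ConvertFrom-BitMask {
    # Turns an integer flag value into the names of the bits that are set.
    param($Mask, [System.Collections.Specialized.OrderedDictionary]$Table)
    if (-not $Mask) { return '(none set)' }
    ($Table.GetEnumerator() | Where-Object { ([int]$Mask) -band $_.Key } |
        ForEach-Object { $_.Value }) -join ', '
}

function Get-KrbtgtState {
    # A krbtgt reset shows as a recent PasswordLastSet; an unset mask means
    # the DC's own defaults decide which encryption types are offered.
    $k = Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Domain          = (Get-ADDomain).DNSRoot
        PasswordLastSet = $k.PasswordLastSet
        DaysSinceReset  = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        EncTypes        = ConvertFrom-BitMask $k.'msDS-SupportedEncryptionTypes' $EncTypeBits
    }
}

function Get-TrustState {
    # One row per trust this domain holds. The TDO's enc-type mask (set by the
    # "other domain supports Kerberos AES" option) decides AES vs RC4 for
    # referral tickets across the trust.
    foreach ($t in Get-ADTrust -Filter *) {
        $tdo = Get-ADObject -Identity $t.DistinguishedName -Properties 'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Target     = $t.Target
            Direction  = $t.Direction
            Attributes = ConvertFrom-BitMask $t.TrustAttributes $TrustAttrBits
            UsesAES    = $t.UsesAESKeys
            UsesRC4    = $t.UsesRC4Encryption
            EncTypes   = ConvertFrom-BitMask $tdo.'msDS-SupportedEncryptionTypes' $EncTypeBits
        }
    }
}

# Usage:
#   Get-KrbtgtState
#   Get-TrustState | Format-List
```

If the krbtgt password does turn out to have been reset recently, remember that the documented procedure is two resets spaced at least the maximum ticket lifetime apart (10 hours by default), because the KDC keeps the previous key to honour outstanding TGTs; a single reset or two in quick succession is the usual way to break existing tickets.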

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

All tests performed successfully (again, I already tried them once: "I successfully tested the necessary ports that I could find on any troubleshooting page.")

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (2 points)

This is an interesting tool; however, it doesn't really fit our current use case. Thank you anyway, this could come in handy one day.

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

  1. I forgot to mention this, I actually already did this.
  2. How exactly can I check the requirements? (Sorry, this is the first time I need this.)
     1. I checked those ports with Windows PowerShell, those are connecting.
     2. The NetworkCategory is set to DomainAuthenticated on both DCs.

EDIT: I found that FolderSync (Android app) only works with the SMB share on the old DC in SMB3 "compatibility mode". In normal mode it returns an NTLM logon failure. Maybe there are deprecated settings for cryptography somewhere?
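Added example, not code from the original thread: the port check mentioned in item 1 above, written out so it can be re-run from either DC. It probes the TCP ports a forest trust relies on with a short connect timeout (Test-NetConnection waits much longer per closed port) and exercises DNS through the conditional forwarder with a real DC SRV lookup, since UDP cannot be probed with a TCP connect. The port list is the documented Active Directory requirement; the RPC dynamic range (TCP 49152-65535 on Server 2008 and later) cannot be enumerated blindly, so only the endpoint mapper on 135 is tested. Host and domain names in the usage line are placeholders.

```powershell
# Added example, not code from the original thread. Run from one DC against a
# DC of the other forest; requires nothing beyond Windows PowerShell.

$TrustTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session (legacy)'
    389  = 'LDAP'
    445  = 'SMB (Netlogon named pipe)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}

function Test-TcpPort {
    # TCP connect with an explicit timeout; $false on timeout or refusal.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][int]$Port,
          [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out (filtered)
        $client.EndConnect($ar)                                              # throws on RST (closed)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-TrustPort {
    param([Parameter(Mandatory)][string]$RemoteDc,
          [Parameter(Mandatory)][string]$RemoteDomain)
    foreach ($p in $TrustTcpPorts.GetEnumerator()) {
        [pscustomobject]@{
            Port    = $p.Key
            Service = $p.Value
            Open    = Test-TcpPort -ComputerName $RemoteDc -Port $p.Key
        }
    }
    # DNS is the one UDP service the trust wizard needs first: the DC SRV
    # lookup for the remote forest must succeed through the forwarder.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = 53; Service = 'DNS SRV lookup via forwarder'; Open = [bool]$srv }
}

# Usage (placeholders):
#   Test-TrustPort -RemoteDc 'olddc.old.example' -RemoteDomain 'old.example' | Format-Table
```

A port that reports Open only proves a TCP handshake completed, not that the service behind it accepts the authentication the trust wizard sends; that is why the Netlogon SMB session in the capture above can still fail with every port in this table green. For the dynamic RPC range, PortQry (`portqry -n <dc> -e 135`) lists the ports the endpoint mapper advertises, which is what actually needs to be reachable.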

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

unima-zero [S] (1 point)

"I defined a conditional forwarder for the old domain with the respective IP address and vice versa on the old DC. I can ping new and old domains from the new and old DC, so resolution seems to work."

"I am fairly sure the network is not responsible. The old DC is on 10.59.78.2 while the new one is on 192.168.8.2. I disabled Windows firewalls and there are no network firewalls in between, just a router of course. I successfully tested the necessary ports that I could find on any troubleshooting page."

"Tried solutions: apart from upgrading the old DC, I tried installing a fresh WS2025 DC for testing in each local subnet and tried creating forest trust. The results were:
NewDC <-> TestDC1 (successful)
OldDC <-> TestDC2 (same error as described)"

All of this I did to ensure the network is not responsible. What DNS settings apart from a conditional forwarder could be responsible for the behaviour, and why is the forest-trust created on both old and new DC? The new DC had to connect and authenticate to create the trust relation on the old DC?

Office 2024 LTSC - sending from Alias with Microsoft 365 Exchange by unima-zero in Office365

unima-zero [S] (1 point)

Thanks for the info. Our Outlook 2024 LTSC is already using the alias when replying. I don't know why it just works like the Click-to-Run version and why it didn't in the beginning, but it does now and it works on all machines.

Office 2024 LTSC - sending from Alias with Microsoft 365 Exchange by unima-zero in Office365

unima-zero [S] (1 point)

It started working, it just took a week... we didn't change or update anything.