A while back I came across an issue while trying to create a two-way transitive trust between two forests. While attempting to create the trust, one direction of it would validate successfully while the other direction would always fail, and I received this type of error from both sides. Also, it didn't appear that trust functionality in either direction would work correctly, even though validation would succeed in one direction. The error message that I received is below:

The Trust cannot be validated for the following reasons: The outgoing trust
was successfully validated. Secure channel (SC) reset on Domain Controller
\x.companyBdomain.com of domain companyB.com to domain companyA.com failed
with error. There are currently no logon servers available to service the
logon request.

After quite a bit of searching, I found an answer to the issue. In one domain SMB Signing was enabled on the Default Domain Controller Policy, and in the other it was not. To fix this issue there are a few registry keys that can be set on the domain controllers; the values of enablesecuritysignature in the key below need to match in order for the trust to be successfully created.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

To enable SMB Signing, set enablesecuritysignature = 1.

The same effect can also be attained by setting the "Microsoft network server: Digitally sign communications (always)" policy in the Default Domain Controller Policy, under Local Policies and Security Options.
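To find which side differs before changing anything, the signing values can be read from a domain controller in each forest and compared. This is an added example, not part of the original post: the DC names are placeholders, and it assumes PowerShell remoting to each DC works from your workstation with the credentials you supply. It also reads RequireSecuritySignature, the value in the same key that backs the "(always)" policy.

```powershell
# Added example: compare SMB server signing settings across DCs in both forests.
# The host names are placeholders; replace them with your own domain controllers.
$DomainControllers = @(
    'dc01.companyA.com',   # placeholder
    'dc01.companyB.com'    # placeholder
)
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$results = foreach ($dc in $DomainControllers) {
    # Prompt per DC: with the trust not yet working, each forest needs its own account.
    $cred = Get-Credential -Message "Administrator credential for $dc"
    try {
        Invoke-Command -ComputerName $dc -Credential $cred -ErrorAction Stop `
            -ArgumentList $KeyPath -ScriptBlock {
                param($Path)
                $p = Get-ItemProperty -Path $Path
                # A missing value is reported explicitly rather than as an empty cell.
                $enable  = if ($null -eq $p.EnableSecuritySignature)  { '(not set)' } else { $p.EnableSecuritySignature }
                $require = if ($null -eq $p.RequireSecuritySignature) { '(not set)' } else { $p.RequireSecuritySignature }
                [pscustomobject]@{
                    EnableSecuritySignature  = $enable
                    RequireSecuritySignature = $require
                }
            } | Select-Object PSComputerName, EnableSecuritySignature, RequireSecuritySignature
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize

# Flag any value that is not identical on every DC that answered.
foreach ($name in 'EnableSecuritySignature', 'RequireSecuritySignature') {
    $groups = @($results | Group-Object -Property $name)
    if ($groups.Count -gt 1) {
        Write-Warning "$name differs between domain controllers:"
        $groups | ForEach-Object {
            "  {0} = {1}: {2}" -f $name, $_.Name, ($_.Group.PSComputerName -join ', ')
        }
    } else {
        "$name matches on all queried domain controllers."
    }
}
```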

For more information on disabling SMB Signing, follow the link below.

http://support.microsoft.com/kb/839499
