Domain trust setup fails instantly

Craig Tompkins 26 Reputation points
2025-04-10T16:00:25.4833333+00:00

We have 4 Active Directory Domain Controllers running on 2019 with 2016 functional level. Our sister company has 40+ Domain controllers. Each company has a single forest, single domain. We have a site to site VPN between primary data centers. The sister company can route to all of our DCs, but we can only route to 4 of their DCs across that VPN due to IP conflicts and not wanting to do NAT for subnets we don't need access to. The firewall rules across this VPN are "allow all" in both directions for testing - we would lock it down as needed after things are running as expected.

DNS has been set up as a secondary zone and is working as expected.

When we do the New Trust Wizard it fails instantly saying "Cannot Continue The New Trust Wizard cannot continue because the specified domain cannot be contacted." There is no delay like a time out. I tried using a fake domain instead of the sister company's real domain and get the exact same result.

I have run wireshark during the process and I don't see any packets trying to leave our domain controller to any IP address on their side. I have turned off the windows firewall during testing with the same result. As such I don't think the wizard is actually trying to reach out - I'd expect a time out delay and unidirectional packets if it were.

NSLOOKUP and then domain.com shows their domain controllers as expected.

\\domain.com prompts for user/pass as expected.

Trying to create the trust from our sister company to us has the exact same experience, including the same wireshark results.

We deleted the DNS zone, re-added it as a primary zone with only the Domain Controllers we can actually route to in the list and have the same result. We also created sites based on IP so that source IPs would be forced to those same routable DCs, but again same results.

I'm at a loss as to what my next troubleshooting steps would be.

    Hoang Phan0701 75 Reputation points Independent Advisor
    2025-08-11T10:59:41.9866667+00:00

    Dear Craig Tompkins,

    My name is Hoang Phan, and I understand that you have a query concerning domain trust setup.

    From what you’ve described, DNS appears to be working correctly. Given this, the issue may be related to port connectivity.

    Please run the following commands to confirm and share the output:

    • nslookup <domain name>
    • ping <domain name>
    • nltest /dsgetdc:<domain name> /force

    Next, use PowerShell to verify port connectivity between domains:

    • Test-NetConnection -ComputerName <domain name> -Port <port number>

    Make sure all required ports for domain trusts are open between the two domains before establishing the trust.

    Another possible cause is that LDAP SRV records for the PDC are missing from the _ldap._tcp.pdc._msdcs.<domain> DNS zone. Please check and confirm that each domain can successfully query this record for the other domain.

    Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/error-specified-domain-not-exist-cannot-contacted

    I hope this information proves helpful. Please don’t hesitate to reach out if you need further clarification—I’ll be happy to assist 🙂


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Hoang Phan

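As an added example (not the answerer's code, and not part of the original thread), the PowerShell below automates the checks listed in the answer: it resolves the PDC and DC SRV records of the remote domain and then tests the well-known trust ports against every DC the SRV lookup returns. The domain name `partner.example` is a placeholder; run it on one of your own DCs and replace it with the sister company's domain.

```powershell
# Added diagnostic script for trust connectivity (assumption: runs on a DC that
# can resolve the remote domain). $RemoteDomain is a placeholder to replace.
param([string]$RemoteDomain = "partner.example")

# Well-known ports a domain/forest trust depends on. Dynamic RPC (49152-65535)
# cannot be probed with a single port test and is listed only for reference.
$TrustPorts = @(
    @{ Port = 53;   Name = "DNS" },
    @{ Port = 88;   Name = "Kerberos" },
    @{ Port = 135;  Name = "RPC endpoint mapper" },
    @{ Port = 389;  Name = "LDAP" },
    @{ Port = 445;  Name = "SMB" },
    @{ Port = 464;  Name = "Kerberos password change" },
    @{ Port = 636;  Name = "LDAPS" },
    @{ Port = 3268; Name = "Global Catalog" }
)

# Collect DC hostnames from the PDC-specific and general DC SRV records.
# If the PDC record is missing, the trust wizard has nothing to talk to.
function Get-RemoteDcHosts {
    param([string]$Domain)
    $hosts = @()
    foreach ($prefix in "_ldap._tcp.pdc._msdcs", "_ldap._tcp.dc._msdcs") {
        $srv = Resolve-DnsName -Name "$prefix.$Domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget }   # keep only the SRV answers
        if (-not $srv) { Write-Warning "No SRV answer for $prefix.$Domain" }
        $hosts += $srv | ForEach-Object { $_.NameTarget }
    }
    return $hosts | Sort-Object -Unique
}

# Probe each DC on each port; a $false result is a firewall/routing candidate.
function Test-TrustPorts {
    param([string[]]$DcHosts)
    foreach ($dc in $DcHosts) {
        foreach ($p in $TrustPorts) {
            $ok = Test-NetConnection -ComputerName $dc -Port $p.Port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $p.Port; Service = $p.Name; Open = $ok }
        }
    }
}

$dcs = Get-RemoteDcHosts -Domain $RemoteDomain
if (-not $dcs) { Write-Error "No DCs resolved for $RemoteDomain"; exit 1 }
nltest /dsgetdc:$RemoteDomain /force          # locator result, as in the answer
Test-TrustPorts -DcHosts $dcs | Format-Table -AutoSize
```

Only the DCs that the SRV records return are tested, so if the zone lists hosts you cannot route to (as described in the question), those rows will show as closed and point at the routing gap rather than at the trust itself.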
