Active Directory Forest Trust is established between on-prem AD and Entra ID Domain Services (Domain Controller PaaS) but is not functional.

Gareth Johnson 0 Reputation points
2025-03-03T12:30:49.78+00:00

Active Directory Forest Trust is established between on-prem AD and Entra ID Domain Services (Domain Controller PaaS) but is not functional.

The statement in bold relates to us and I believe it is related to:

https://learn.microsoft.com/en-us/answers/questions/92016/domain-controller-allow-vulnerable-netlogon-secure?page=1#answers

The session setup from computer 'XMIPZGK5ES3LZ32' failed because the security database does not contain a trust account 'testdomain.cloud.' referenced by the specified computer.

USER ACTION

If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'testdomain.cloud.' is a legitimate machine account for the computer 'XMIPZGK5ES3LZ32' then 'XMIPZGK5ES3LZ32' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise, the following steps may be taken to resolve this problem:

If 'testdomain.cloud.' is a legitimate machine account for the computer 'XMIPZGK5ES3LZ32', then 'XMIPZGK5ES3LZ32' should be rejoined to the domain.

If 'testdomain.cloud.' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'closebrothers.cloud.' is not a legitimate account, the following action should be taken on 'XMIPZGK5ES3LZ32':

If 'XMIPZGK5ES3LZ32' is a Domain Controller, then the trust associated with 'closebrothers.cloud.' should be deleted.

If 'XMIPZGK5ES3LZ32' is not a Domain Controller, it should be disjoined from the domain.

Microsoft Entra ID

3 answers

  1. Marcin Policht 38,555 Reputation points MVP
    2025-03-03T12:48:48.6266667+00:00

    Verify that the requirements for the trust are in place. Start with https://docs.azure.cn/en-us/entra/identity/domain-services/concepts-forest-trust#forest-trust-requirements


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Raja Pothuraju 16,580 Reputation points Microsoft External Staff
    2025-03-03T13:32:32.28+00:00

    Hello @Gareth Johnson,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems that the trust relationship between your on-premises Active Directory and Entra ID Domain Services is not properly established. The error message indicates that the session setup from a specific computer failed because the security database does not contain a trust account referenced by that computer.

    To troubleshoot this, please refer to the following document for guidance on creating and verifying trust relationships between on-premises Active Directory and Entra ID Domain Services: Create and Verify Forest Trust.

    Additionally, could you please share the configuration steps you followed and the values you entered in the configuration options? This will help us analyze any potential misconfigurations.

    Also, ensure that your managed domain is using at least the Enterprise SKU, as it is required for establishing trust relationships. If needed, change the SKU for a managed domain.

    If you prefer not to share your configuration publicly, you can also send it via a private message. This will help us troubleshoot the issue while maintaining confidentiality.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  3. Raja Pothuraju 16,580 Reputation points Microsoft External Staff
    2025-03-13T14:31:14.03+00:00

    Hello @Gareth Johnson,

    After conducting research on your issue and consulting with our Product Group team, it appears that your on-premises domain controllers are logging the following events in the Event Viewer:

    The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.

    Account Type: Trust

    Trust Name: Contoso.com

    Trust Target: Contoso.net

    Client IP Address:

    ================================================================

    The session setup from computer 'XMIPZGK5ES3LZ32' failed because the security database does not contain a trust account 'testdomain.cloud.' referenced by the specified computer.

    Root cause:

    If your Microsoft Entra Domain Name is Domain.com and your AD DS Domain Name is Domain.net, the issue occurs because both domains share the same NetBIOS name ("Domain"). A trust cannot be established between two domains with identical NetBIOS names.

    Either we change the domain name in the local directory, or we change the Microsoft Entra Domain Services domain name.

    Tutorial - Create a Microsoft Entra Domain Services managed domain 


    To resolve this, ensure that NetBIOS, Legacy Domain, or DNS Domain names are not duplicated across environments.

    The recommended approach is to recreate your Microsoft Entra Domain Services (Entra DS) following the official documentation to avoid naming conflicts.

    Tutorial - Create a Microsoft Entra Domain Services managed domain 

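The root cause given in the answer above (two domains whose DNS names differ only in the top-level label, so both default to the same NetBIOS name) is easy to check before the trust is created. The PowerShell below is an added example written for this thread; it is not code from the thread, from Microsoft documentation or from Entra Domain Services. It assumes the default NetBIOS name is the first DNS label upper-cased and cut to 15 characters (the real on-prem value should be taken from `Get-ADDomain` where possible), and it assumes the Netlogon events quoted in the thread are written by the `NETLOGON` source to the System log; the event filter matches on the message text from this thread rather than on a hard-coded event ID.

```powershell
# Added example for this thread, not Microsoft's or the original poster's code.
# Assumption: default NetBIOS name = first DNS label, upper-cased, max 15 characters.
function Get-DefaultNetbiosName {
    param([Parameter(Mandatory)][string]$DnsDomainName)
    $label = ($DnsDomainName.TrimEnd('.') -split '\.')[0]
    return $label.ToUpperInvariant().Substring(0, [Math]::Min(15, $label.Length))
}

# Compares an on-prem AD DS domain with a planned Entra DS managed domain and reports
# whether the DNS names or the NetBIOS names collide (the condition described above).
function Test-TrustNameCollision {
    param(
        [Parameter(Mandatory)][string]$OnPremDnsName,
        [Parameter(Mandatory)][string]$ManagedDomainDnsName,
        [string]$OnPremNetbiosName    # pass the real value from Get-ADDomain when available
    )
    if (-not $OnPremNetbiosName) { $OnPremNetbiosName = Get-DefaultNetbiosName $OnPremDnsName }
    $managedNetbios = Get-DefaultNetbiosName $ManagedDomainDnsName
    [pscustomobject]@{
        OnPremDns        = $OnPremDnsName
        OnPremNetbios    = $OnPremNetbiosName
        ManagedDns       = $ManagedDomainDnsName
        ManagedNetbios   = $managedNetbios
        DnsCollision     = ($OnPremDnsName.TrimEnd('.') -ieq $ManagedDomainDnsName.TrimEnd('.'))
        NetbiosCollision = ($OnPremNetbiosName -ieq $managedNetbios)
    }
}

# Constructed input mirroring the Domain.com / Domain.net case from the answer:
# both derive the NetBIOS name DOMAIN, so NetbiosCollision is True.
Test-TrustNameCollision -OnPremDnsName 'Domain.net' -ManagedDomainDnsName 'Domain.com' | Format-List

# On a domain-joined host with the AD module, use the real NetBIOS name instead of the default:
# $d = Get-ADDomain
# Test-TrustNameCollision -OnPremDnsName $d.DNSRoot -OnPremNetbiosName $d.NetBIOSName `
#     -ManagedDomainDnsName 'contoso.cloud'   # placeholder managed-domain name

# Pulls the two Netlogon messages quoted in the thread from a domain controller's System log.
# Assumption: the source name is NETLOGON; the match is on message text, not on an event ID.
function Get-NetlogonTrustFailureEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON' } `
        -MaxEvents 2000 -ErrorAction SilentlyContinue |
      Where-Object {
          $_.Message -match 'denied a vulnerable Netlogon secure channel connection using a trust account' -or
          $_.Message -match 'security database does not contain a trust account'
      } |
      Select-Object -First $MaxEvents TimeCreated, Id,
          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}
```

Run `Test-TrustNameCollision` with the intended managed-domain name before deploying Entra DS; if `NetbiosCollision` or `DnsCollision` is `True`, pick a different managed-domain name, which is the fix recommended in the answer above. `Get-NetlogonTrustFailureEvents` is meant to be run on (or against) an on-prem domain controller to confirm whether the same two messages are being logged there.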
