Event ID 12 — Active Directory Domain Services Trust Configuration
Applies To: Windows Server 2008
Active Directory Domain Services (AD DS) trusts are used to establish trust relationships between different Kerberos realms so that Kerberos clients can access resources.
Event Details
Product: Windows Operating System
ID: 12
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_FAILED_TRANSITIVE_TRUST
Message: A request failed from client realm %1 for a ticket in realm %2. This failed because a trust link between the realms is non transitive.
Resolve
Create a transitive realm trust
Kerberos requires transitive trusts between realms so that ticket requests from Kerberos clients are accepted. You must delete the current realm trust and then create a new transitive realm trust by using Active Directory Domains and Trusts.
Note: The realms are identified in the event log message.
To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
Remove the existing realm trust
To remove the existing one-way realm trust by using Active Directory Domains and Trusts:
- Log on to a computer that has Active Directory Domains and Trusts installed. It is installed by default on a domain controller.
- Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
- Click the Trusts tab.
- Click the trust to be removed, and then click Remove.
- Click Yes to remove the trust from both the local domain and the other domain.
- Provide administrative credentials for the reciprocal domain, and then click OK.
Create a new realm trust
To create a new transitive realm trust:
- Log on to a computer that has Active Directory Domains and Trusts installed. It is installed by default on a domain controller.
- Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- On the Welcome to the New Trust Wizard page, click Next.
- In the Name box, type the name of the realm for this trust, and then click Next.
- Ensure that Realm trust is selected, and then click Next.
- Click Transitive, and then click Next.
- Click Two-way, and then click Next.
- In the Trust password and Confirm trust password boxes, type a password that complies with your organization's password complexity requirements. This password will be used when creating this trust relationship in the specified domain.
- Click Next.
- Click Next, and then click Finish.
- Repeat steps 1-12 in the other domain, using the same trust password specified in step 9.
Verify
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To verify the trust relationship by using Active Directory Domains and Trusts:
- Log on to a computer that has Active Directory Domains and Trusts installed. It is installed by default on a domain controller.
- Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
- On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
- Click Validate.
- Click Yes, validate the incoming trust, and then click OK.
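The following PowerShell sketch is an added example, not part of the original article. It pulls the realm names out of logged Event ID 12 entries and lists any realm trust in the directory that is still flagged non-transitive, which is useful both before the fix (to identify the trust) and after it (to confirm the flag is gone). It assumes the event's %1 and %2 insertion strings appear as the first two event properties and that the trust partner name matches a realm named in the event.

```powershell
# Added example: correlate KDC Event ID 12 with the realm trusts defined in AD.
# Assumption: insertion strings %1 and %2 surface as Properties[0] and Properties[1].
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 12
}
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            ClientRealm = [string]$_.Properties[0].Value
            TargetRealm = [string]$_.Properties[1].Value
        }
    }

# trustedDomain attribute values (MS-ADTS): trustType 3 = MIT (realm) trust,
# trustAttributes bit 0x1 = non-transitive, trustDirection 3 = two-way.
$searcher = [adsisearcher]'(objectClass=trustedDomain)'
$trusts = $searcher.FindAll() | ForEach-Object {
    $p = $_.Properties   # result property names are stored in lower case
    New-Object PSObject -Property @{
        Partner       = [string]$p['trustpartner'][0]
        IsRealmTrust  = ([int]$p['trusttype'][0] -eq 3)
        NonTransitive = (([int]$p['trustattributes'][0] -band 0x1) -ne 0)
        TwoWay        = ([int]$p['trustdirection'][0] -eq 3)
    }
}

# Realm trusts that are still non-transitive and are named in a logged failure
$realms = @($failures | ForEach-Object { $_.ClientRealm; $_.TargetRealm } | Sort-Object -Unique)
$trusts | Where-Object {
    $_.IsRealmTrust -and $_.NonTransitive -and ($realms -contains $_.Partner)
} | Format-Table Partner, NonTransitive, TwoWay -AutoSize
```

An empty result after the trust has been recreated means no realm named in the logged failures is still joined by a non-transitive realm trust.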