

Event ID 12 — Active Directory Domain Services Trust Configuration

Applies To: Windows Server 2008

Active Directory Domain Services (AD DS) trusts are used to establish trust relationships between different Kerberos realms so that Kerberos clients can access resources.

Event Details

Product: Windows Operating System
ID: 12
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_FAILED_TRANSITIVE_TRUST
Message: A request failed from client realm %1 for a ticket in realm %2. This failed because a trust link between the realms is non transitive.

Resolve

Create a transitive realm trust

Kerberos requires transitive trusts between realms so that ticket requests from Kerberos clients are accepted. You must delete the current realm trust and then create a new transitive realm trust by using Active Directory Domains and Trusts.

Note: The realms are identified in the event log message.

To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
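
To find out which realm trust needs to be recreated, the realm names can be pulled out of the logged events and counted per realm pair. The following PowerShell is an added example, not part of the original article. It assumes the KDC provider writes Event ID 12 to the System log and that the message text is the English string shown above; the function name ConvertTo-RealmPair and the realm names in the sample record are constructed for illustration.

```powershell
# Added example: summarise KDC Event ID 12 by client/target realm pair.
# Assumption: the event is written to the System log on the domain controller.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 12
}

# Pattern built from the event message text documented on this page
# (English message text assumed; realm names contain dots, hence the lazy match).
$pattern = 'from client realm (?<client>\S+) for a ticket in realm (?<target>\S+?)\.\s'

# Hypothetical helper: turns an event record into a realm-pair object.
function ConvertTo-RealmPair {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        if ($Record.Message -match $pattern) {
            New-Object PSObject -Property @{
                TimeCreated = $Record.TimeCreated
                ClientRealm = $Matches['client']
                TargetRealm = $Matches['target']
            }
        }
    }
}

# Constructed sample record so the parsing can be tried without a live log.
$sample = New-Object PSObject -Property @{
    TimeCreated = Get-Date
    Message     = 'A request failed from client realm MIT.EXAMPLE.COM for a ticket ' +
                  'in realm CORP.EXAMPLE.COM. This failed because a trust link ' +
                  'between the realms is non transitive.'
}
$sample | ConvertTo-RealmPair | Format-List ClientRealm, TargetRealm

# Live query: one row per realm pair, with how often and when it failed.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertTo-RealmPair |
    Group-Object ClientRealm, TargetRealm |
    Select-Object Count, Name,
        @{n = 'FirstSeen'; e = { ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated }},
        @{n = 'LastSeen';  e = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated }} |
    Sort-Object Count -Descending
```

After the trust has been recreated and validated, rerunning the live query should show no LastSeen value later than the time of the change.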

Remove the existing realm trust

To remove the existing one-way realm trust by using Active Directory Domains and Trusts:

  1. Log on to a computer that has Active Directory Domains and Trusts installed. It is installed by default on a domain controller.
  2. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
  4. Click the Trusts tab.
  5. Click the trust to be removed, and then click Remove.
  6. Click Yes to remove the trust from both the local domain and the other domain.
  7. Provide administrative credentials for the reciprocal domain, and then click OK.

Create a new realm trust

To create a new transitive realm trust:

  1. Log on to a computer that has Active Directory Domains and Trusts installed. It is installed by default on a domain controller.
  2. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
  4. Click the Trusts tab, and then click New Trust.
  5. On the Welcome to the New Trust Wizard page, click Next.
  6. In the Name box, type the name of the realm for this trust, and then click Next.
  7. Ensure that Realm trust is selected, and then click Next.
  8. Click Transitive, and then click Next.
  9. Click Two-way, and then click Next.
  10. In the Trust password and Confirm trust password boxes, type a password that complies with your organization's password complexity requirements. This password will be used when creating this trust relationship in the specified domain.
  11. Click Next.
  12. Click Next, and then click Finish.
  13. Repeat steps 1-12 in the other domain, using the same trust password specified in step 9.

Verify

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To verify the trust relationship by using Active Directory Domains and Trusts:

  1. Log on to a computer that has Active Directory Domains and Trusts installed. It is installed by default on a domain controller.
  2. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
  4. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
  5. Click Validate.
  6. Click Yes, validate the incoming trust, and then click OK.
