The trust relationship between the primary domain and the trusted domain failed

  • Question

  • Hi Team,

    The SharePoint farm has the following configuration:

    2 WFE external domain (Secured domain)

    2 WFE internal (internal domain)

    2 APP Server (internal Domain)

    SQL internal Domain

    While trying to add an external server to the SharePoint farm we are getting the below error:

    "The trust relationship between the primary domain and the trusted domain failed"

    We have an IPSec tunnel created between both the domains and have a one-way trust set up between both the domains.

    We also get the same error while deploying a WSP, where the WSP gets pushed intermittently to the external server. Mostly it hangs with the status "Deployment scheduled at ....time" until we stop it.

    SPLOG

    ..., String displayName, SPIdentifierType identifierType, Byte[] identifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
    04/25/2014 10:15:54.33  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Topology                       8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
    04/25/2014 10:15:54.33  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[] identifier, T grantRightsMask, T denyRightsMask)     at Microsof... 
    04/25/2014 10:15:54.33* OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          2n2p Monitorable ...t.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64 currentVersionOverride, List`1& newObjects, List`1& deletedObjects, ... 
    04/25/2014 10:15:54.33* OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          2n2p Monitorable ...Int64& newestObjectVersion)     at Microsoft.SharePoint.Administration.SPTimerStore.InitializeTimer(Int64& cacheVersion, Object& jobDefinitions, Int32& timerMode, Guid& serverId, Boolean& isServerBusy)     at Microsoft.SharePoint.Administration.SPNativeConfigurationProvider.InitializeTimer(Int64& cacheVersion, Object& jobDefinitions, Int32& timerMode, Guid& serverId, Boolean& isServerBusy) 
    04/25/2014 10:15:54.33  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          7v43 Medium   An error occured while initializing the timer. 
    04/25/2014 10:15:54.33  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          5utx Unexpected The timer service could not initialize its configuration, please check the configuration database.  Will retry later. 
    04/25/2014 10:17:13.50  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Topology                       75dz High     The SPPersistedObject with Name Search Service Application, Id 32f3c04a-80fb-46b7-b219-b8e35483db51, Parent 239e4dd0-5509-4aee-978c-b6a55152b397 failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName... 
    04/25/2014 10:17:13.50* OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Topology                       75dz High     ..., String displayName, SPIdentifierType identifierType, Byte[] identifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
    04/25/2014 10:17:13.50  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Topology                       8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
    04/25/2014 10:17:13.50  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[] identifier, T grantRightsMask, T denyRightsMask)     at Microsof... 
    04/25/2014 10:17:13.50* OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          2n2p Monitorable ...t.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64 currentVersionOverride, List`1& newObjects, List`1& deletedObjects, ... 
    04/25/2014 10:17:13.50* OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          2n2p Monitorable ...Int64& newestObjectVersion)     at Microsoft.SharePoint.Administration.SPTimerStore.InitializeTimer(Int64& cacheVersion, Object& jobDefinitions, Int32& timerMode, Guid& serverId, Boolean& isServerBusy)     at Microsoft.SharePoint.Administration.SPNativeConfigurationProvider.InitializeTimer(Int64& cacheVersion, Object& jobDefinitions, Int32& timerMode, Guid& serverId, Boolean& isServerBusy) 
    04/25/2014 10:17:13.50  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          7v43 Medium   An error occured while initializing the timer. 
    04/25/2014 10:17:13.50  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          5utx Unexpected The timer service could not initialize its configuration, please check the configuration database.  Will retry later. 
    04/25/2014 10:17:13.50  OWSTIMER.EXE (0x1708)                    0x014C SharePoint Foundation          Timer                          g1ms Unexpected Exiting the process because the timer could not be


    Thanks Ba$va

    Friday, April 25, 2014 6:09 PM

All replies

  • While you can span domains, I wouldn't recommend it. Instead, use a reverse proxy.

    That said, what way is the one-way trust? The external domain must trust the internal domain in order to use the service accounts on the external domain WFEs.

    Also, the external WFEs will need direct port access to the internal Domain Controllers for people picker lookups, and of course access to the SharePoint SQL Servers.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, April 25, 2014 6:25 PM
    Moderator
  • Hi Trevor,

    We have a reverse proxy setup.

    The external server domain is trusting the internal server domain. It (both deployment and adding a server into the farm) is working intermittently. I have seen scenarios where it works after restarting all servers in the farm.

    We have opened ports as required for SQL Server and internal App server

    Ports

    22233-22236 for DC

    1433 for SQL

    32843-32845 for SP farm communication

    16500-16519 for search

    The same error is occurring across all environments wherever we have an external server.


    Thanks Ba$va

    Friday, April 25, 2014 6:35 PM
  • You also need the following ports open from the external WFEs to the internal DCs:

    http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx

    It sounds like you have a domain trust issue, perhaps take a look at the DC logs on both the external and internal, as well as revalidate the trust?


    Trevor Seward


    Friday, April 25, 2014 6:36 PM
    Moderator
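
The stack traces in the question fail inside `SecurityIdentifier.Translate`, the SID-to-account-name lookup, so the check suggested above can be narrowed from the affected server itself. The following is an added example, not part of the original thread: `Test-SidTranslation` is a hypothetical helper, and the domain name and the second SID are constructed placeholders.

```powershell
# Added example (not from the thread). Run on an external-domain WFE.
# Assumptions: $TrustedDomain and the second SID are placeholders to replace.
$TrustedDomain = 'internal.example'
$SampleSids = @(
    'S-1-5-18',                                        # well-known SID (Local System), resolves without a DC
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed domain SID
)

# 1. Is this server's own machine-account secure channel healthy?
"Secure channel to own domain OK: $(Test-ComputerSecureChannel)"

# 2. Which trusts does this server see, and can it locate a DC in the trusted domain?
nltest /domain_trusts
nltest "/dsgetdc:$TrustedDomain"
"nltest /dsgetdc exit code: $LASTEXITCODE (0 = DC located)"

# 3. Repeat the SID-to-name lookup from the stack trace and classify each outcome.
function Test-SidTranslation {
    param([string[]]$Sid)
    foreach ($s in $Sid) {
        $r = New-Object psobject -Property @{ Sid = $s; Account = $null; Outcome = 'Resolved'; Detail = $null }
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($s)
            $r.Account = $id.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # A lookup completed but no account has this SID (for example, a deleted account).
            $r.Outcome = 'NotMapped'
        }
        catch {
            # The lookup itself failed; a trust failure surfaces here as a SystemException.
            $r.Outcome = 'LookupFailed'
            $r.Detail  = $_.Exception.GetBaseException().Message
        }
        $r
    }
}

Test-SidTranslation -Sid $SampleSids | Format-Table Sid, Account, Outcome, Detail -AutoSize
```

A `LookupFailed` row whose detail repeats the trust-relationship message reproduces the timer service error outside SharePoint, which separates a domain or trust problem from a farm configuration problem.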
  • I just missed the People Picker port in my previous reply, and our AD team confirmed that they don't see any errors on the DC.

    Thanks Ba$va

    Friday, April 25, 2014 6:54 PM
  • Does the Security Event Log indicate any failure audits/logons for any of the internal domain accounts on the external domain SharePoint servers?

    Trevor Seward


    Friday, April 25, 2014 6:58 PM
    Moderator
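
One way to answer the question above from the Security log, as an added example that is not part of the original thread: it summarises failed logons (event ID 4625) for accounts from the internal domain and labels the NTSTATUS codes that point at a trust or domain controller problem. `Get-FailedLogonSummary`, the domain name and the time window are assumptions.

```powershell
# Added example (not from the thread). Run elevated on an external-domain SharePoint server.
# Assumptions: $InternalDomain (NetBIOS name) and the 24-hour window are placeholders.
$InternalDomain = 'INTERNAL'
$Since = (Get-Date).AddHours(-24)

# NTSTATUS codes that indicate a trust or DC-reachability problem, not a bad password.
$TrustStatus = @{
    '0xc000005e' = 'STATUS_NO_LOGON_SERVERS'
    '0xc000018a' = 'STATUS_NO_TRUST_LSA_SECRET'
    '0xc000018b' = 'STATUS_NO_TRUST_SAM_ACCOUNT'
    '0xc000018c' = 'STATUS_TRUSTED_DOMAIN_FAILURE'
    '0xc000018d' = 'STATUS_TRUSTED_RELATIONSHIP_FAILURE'
}

function Get-FailedLogonSummary {
    param([string]$Domain, [datetime]$After)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $After }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $rows = foreach ($e in $events) {
        # Flatten the named <Data> fields of the event into a hashtable.
        $f = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        if ($f['TargetDomainName'] -ne $Domain) { continue }
        $status = "$($f['Status'])".ToLower()
        New-Object psobject -Property @{
            Account   = $f['TargetUserName']
            LogonType = $f['LogonType']
            Status    = $status
            SubStatus = "$($f['SubStatus'])".ToLower()
            TrustHint = $TrustStatus[$status]
        }
    }
    if (-not $rows) { return }   # no matching failures in the window
    $rows | Group-Object Account, Status, SubStatus, TrustHint |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-FailedLogonSummary -Domain $InternalDomain -After $Since | Format-Table -AutoSize
```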
  • Hi Trevor,

    Yes, there are a few.

    One or more errors occured while processing security policy in the group policy objects.

    Error Code: 5

    GPO List:

    ------------------------------------------------------------------------

    A privileged service was called.

    Subject:

    Security ID: SYSTEM

    Account Name:  ServerName$

    Account Domain:  DomainName

    Logon ID: 0x3e7

    Service:

    Server: Security Account Manager

    Service Name: Security Account Manager

    Process:

    Process ID: 0x23c

    Process Name: C:\Windows\System32\lsass.exe

    Service Request Information:

    Privileges: SeTcbPrivilege


    Thanks Ba$va

    Friday, April 25, 2014 7:14 PM
  • That looks like an issue between the server and the domain it belongs to.

    Trevor Seward


    • Marked as answer by Lindali Friday, May 2, 2014 7:30 AM
    Friday, April 25, 2014 7:51 PM
    Moderator