Trust Relationships Fail with Large Number of Trusted Domains

CAUSE

This occurs because the full list of trusted domains is not replicated to Backup Domain Controllers. Since the Backup Domain Controllers do not have a complete list of trusted domains, they do not setup a secure channel with Domain Controllers that exist in Domain accounts that did not replicate. This results in access denied errors on clients from trusted domains because there is no way for pass-through validation to occur.

The complete list of trusted domains does not replicate to Backup Domain Controllers because Netlogon does not indicate all the trusted domain accounts to replicate. Replication fails when Netlogon calls the LSA to get the complete list of domain accounts to replicate during a synchronization. Netlogon fails because it replicates domain names when it receives STATUS_SUCCESS back from the LSA, however with a large number of trusted domain names the LSA may return STATUS_MORE_ENTRIES instead of STATUS_SUCCESS. The LSA returns STATUS_MORE_ENTRIES if the default buffer supplied by Netlogon (1k in size) is too small to hold the complete list of domain names. As a result, if there are too many domains to fit in the 1k buffer, Netlogon ignores all but the last group of domain names returned by the LSA when STATUS_SUCCESS is received.