"GetForest" error while adding the new forest to AD Connect

Brass Contributor

We are getting this error while trying to add a directory in out multi-forest setup. The Yellow DC is advertising correctly and all ports connectivity is established with the remote forest. Please help.

Proceeding to validate that at least one of the domains associated to the obtained Forest FQDN are reachable
by attempting to retrieve DomainGuid and DomainDistinguishedName
Obtaining ForestFQDN
Attempting to retrieve ForestFQDN...
Exception calling "GetForest" with "1" argument(s): "The specified forest does not exist or cannot be contacted."

There are 0 reachable domain(s) and 0 unreachable domain(s)
There are no reachable domains.

7 Replies

Hi @Ajay_Joshi,

Based on the information you have provided, the most likely cause of the "GetForest" error is a network connectivity issue between the AD Connect server and the remote forest.

To resolve this issue, you can try the following:

  1. Make sure that the AD Connect server can resolve the DNS name of the remote forest. You can do this by running the following command on the AD Connect server:

 

nslookup <remote forest FQDN>​

 

If the command returns the IP address of the remote forest, then the DNS resolution is working correctly. If the command fails, then you need to troubleshoot the DNS issue.

  1. Make sure that the AD Connect server can ping the remote forest. You can do this by running the following command on the AD Connect server:

 

ping <remote forest FQDN>​

 

If the command returns a reply from the remote forest, then the network connectivity is working correctly. If the command fails, then you need to troubleshoot the network connectivity issue.

  1. Make sure that there is no firewall blocking communication between the AD Connect server and the remote forest. You can check this by disabling the firewall on the AD Connect server and then trying to add the remote forest to AD Connect. If you are able to add the remote forest to AD Connect with the firewall disabled, then you need to configure the firewall to allow communication between the AD Connect server and the remote forest.

  2. If you are using a VPN to connect to the remote forest, make sure that the VPN connection is working properly. You can check this by trying to connect to other resources on the remote network over the VPN. If you are unable to connect to other resources on the remote network, then you need to troubleshoot the VPN connection.

If you have tried all of the above and you are still unable to resolve the error, then you can try the following:

  • Run the ADConnectivityTool.ps1 PowerShell script on the AD Connect server. This script will test the connectivity between the AD Connect server and the remote forest and provide you with more information about the error.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

@LeonPavesic thanks for responding.

 

All connectivity tests on test-NetConnection, NSLookup and Ping are OK.

 

The Confirm-ValidDomains &  Confirm-FunctionalLeve are failing.

Check if the SysvolReady flag in the Registry Editor settings with a value to 1. Maybe your AD is not visible to others
if you run netshare on your DC it shows you the SYSVOL and netlogon ?
how to run that? please share some articles, much appreciated.