I was at a costumer who needed to have a bi-directional Trust relationships with diferent forests. One forest 2008 R2 and other 2003.
Every forest had one DC with the same netbios name and I created the Trust relationships fine but when I click on Verify an alert appeared saying that “The secure channel (SC) verification on domain controller \\SRVAAAAA of domain AAAAA.local to domain BBBBB.local failed with error: Access is denied.”
The event viewer show the warning event id 40960 lsasrv
The Security System detected an authentication error for the server <service>/<server name>. The failure code from authentication protocol Kerberos was “<error description> (<error code>)”.
The solution for me was to rename one of the Dcs.
Here you can find more info about the problem: