Solved

Connecting 2 separate AD DC

Posted on 2004-09-11
Last Modified: 2010-04-19
Setup:

       Network 'A' running Windows 2000 Server on network 192.168.0.x with domain name space "Pittsburgh.com"

       Network 'B' running Windows 2003 Server on network 192.168.10.x with domain name space "Cleveland.com"

Both Domains are up and running in the same server room.  Both are setup with Active Directory.

I would like to create a Forest with both domains being able to have restricted access between each other.

I have tried to setup trusts but the DC's can not see each other. Also, with the routers from both networks connected, my older machines (Win98) and thin clients on network 'A' automatically tried to connect to the DC on network 'B'.

Any and all Help will be much appreciated.

Thanks,
Jim
Question by:fellercm
3 Comments
LVL 51

Expert Comment

by:Netman66
ID: 12037262
Well, to start with, you already have 2 separate Forests now.

What subnet mask are you using for networks A & B?  Whatever it is, make sure that they are on separate networks - if your subnet is too large both segments will be on the same network.  Depending on what you want the clients to do, this may not be desirable.

You may need to do one of two things to have the DCs locate each other.

1)  Add a static route to the servers so each network can route to the other.
2)  Add entries in either the HOSTS file or DNS that point to each other.

Advise.
LVL 12

Expert Comment

by:BNettles73
ID: 12037291

Deployment Guide states -

"The first domain that you create in your Active Directory forest is automatically designated as the forest root domain. The forest root domain provides the foundation for your Active Directory forest infrastructure. You must create the forest root domain before you create regional domains or upgrade other Microsoft® Windows NT® 4.0 domains in order to join them to an existing forest. In addition, services that are running on forest root domain controllers, such as the Kerberos version 5 authentication protocol, must be highly available to ensure that users maintain access to resources throughout the forest."

(Glossary entries pasted along with the quote:
Active Directory - The Windows-based directory service. Active Directory stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Forest - One or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.
Forest root domain - The first domain created in a new forest. The forest-wide administrative groups, Enterprise Admins and Schema Admins, are located in this domain. As a best practice, new domains are created as children of the forest root domain.)


Check out this link ... multiple forest trusts - http://www.winnetmag.com/Articles/ArticleID/38280/pg/2/2.html ... it may help you with your current solution ...

Regarding the windows 98 and thin client issue - check out this article How Windows 98 Active Directory Client Extension uses Active Directory site information http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q249/8/41.ASP&NoWebContent=1
LVL 12

Accepted Solution

by: ColinRoyds (earned 500 total points)
ID: 12039874
There are two ways to do this:

1. Use a hosts file for name resolution.
   Use an lmhosts file for DC resolution, so the remote DC for the remote domain can be found.

2. In the DNS of domain A, on your forward lookup zone, allow for unsecure communications.
   In the DNS for domain B, add a secondary forward lookup zone for domain A and specify domain A's DNS server address.
   In the DNS of domain A, on the forward lookup zone, allow for zone transfers (this can also be restricted to domain B only if you want).
   Then in the DNS of domain B, in the new secondary zone, expand the zone, then right-click and click "Transfer from Master".
   You should now have name resolution for domain A from domain B; do the same in reverse for domain B - A.
   Check DNS resolution using nslookup in both directions.

Now set up your trust using AD D+T, and verify it.

Trust done. If you used step 1 to do this, you might want to now do step 2 for proper DNS resolution.

The reason you cannot do 2 immediately is that DNS by default will only allow for secure comms, so if you are not on the domain you cannot do a lookup. Therefore, as stated in step 2, if this is done before the trust is in place you MUST change the forward lookup zone to unsecure.

hope this helps

Colin
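Added worked example (editor's, not posted by any participant in this thread): a command-line version of both routes discussed above, Netman66's reachability/HOSTS point and Colin's secondary-zone-then-trust procedure. It assumes a current Windows Server with the DnsServer PowerShell module, netdom and nltest available; the DC/DNS addresses 192.168.0.10 (Pittsburgh.com) and 192.168.10.10 (Cleveland.com), the NetBIOS names PITTDC1 / PITTSBURGH / CLEVELAND, and the router address are all constructed placeholders. Zone transfers are opened only to the peer DNS server (the restriction Colin mentions as optional) rather than to any host, and dynamic-update settings are left untouched; verification resolves the DC locator SRV record, which is what actually has to work before a trust can be created.

```powershell
# Assumed lab values (constructed for this example), both segments /24 so they are separate networks.
$PittDns  = '192.168.0.10'     # Pittsburgh.com DC + DNS (network A)
$ClevDns  = '192.168.10.10'    # Cleveland.com  DC + DNS (network B)
$PittZone = 'pittsburgh.com'
$ClevZone = 'cleveland.com'

# 0. Reachability from B to A: LDAP (389) and DNS (53) must answer before anything else.
#    If these fail, fix routing first, e.g. a persistent route on the B-side server
#    (gateway is a placeholder):  route -p add 192.168.0.0 mask 255.255.255.0 <B-side-router-ip>
Test-NetConnection -ComputerName $PittDns -Port 389
Test-NetConnection -ComputerName $PittDns -Port 53

# --- Option 1 (quick, no DNS change): LMHOSTS entry so NetBIOS-based DC lookup finds the remote DC.
#     #PRE preloads the entry into the name cache; #DOM: marks the host as a DC for that NetBIOS domain.
$lmhosts = "$env:SystemRoot\System32\drivers\etc\lmhosts"
Add-Content -Path $lmhosts -Value "$PittDns`tPITTDC1`t#PRE`t#DOM:PITTSBURGH"
nbtstat -R    # purge and reload the NetBIOS name cache from LMHOSTS

# --- Option 2 (proper DNS). Runs on the Pittsburgh.com DNS server:
#     allow transfers of pittsburgh.com ONLY to Cleveland's DNS server and notify it of changes.
Invoke-Command -ComputerName $PittDns -ScriptBlock {
    param($zone, $peer)
    Set-DnsServerPrimaryZone -Name $zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $peer `
        -Notify NotifyServers -NotifyServers $peer
} -ArgumentList $PittZone, $ClevDns

# Runs on the Cleveland.com DNS server: host pittsburgh.com as a secondary zone and pull it.
Add-DnsServerSecondaryZone -Name $PittZone -ZoneFile "$PittZone.dns" -MasterServers $PittDns
Start-DnsServerZoneTransfer -Name $PittZone -FullTransfer

# Verify in both directions: the DC locator SRV record of the OTHER domain must resolve from each side.
# (Repeat the two steps above with A and B swapped so cleveland.com is secondary on the Pittsburgh side.)
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PittZone" -Type SRV -Server $ClevDns
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ClevZone" -Type SRV -Server $PittDns
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$PittZone" $ClevDns   # same check with the tool the thread names

# --- Trust, only once both directions resolve. netdom is the command-line equivalent of
#     AD Domains and Trusts; this creates a two-way trust between the two separate forests' domains.
netdom trust $ClevZone "/d:$PittZone" /add /twoway `
    /userD:PITTSBURGH\Administrator /passwordD:* /userO:CLEVELAND\Administrator /passwordO:*
netdom trust $ClevZone "/d:$PittZone" /verify /twoway
nltest /domain_trusts              # lists the new trust with its direction and type
nltest "/dsgetdc:$PittZone"        # DC locator must now find a Pittsburgh DC from the Cleveland side
```

The steps are marked by which server they run on; the Invoke-Command block is the only one executed remotely, and the password prompts (`/passwordD:*`, `/passwordO:*`) are interactive so no credentials sit in the script.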
