Windows 2003 Server Domain Trust / DNS issue.

I'll try to be as complete as possible but as brief as possible. :-)

I just installed a Win 03 Server into an existing Win2K server environment.

Existing network was as follows, running Win2K Server.
Domain Server name - Dauphin-2000
Domain Name - Dauphin_2000
PDC Address - 192.168.1.2

New Server Win 2003 Server
Domain Server Name - Dauphin2000
Domain Name - Dauphin
Address 192.168.1.200

I removed DNS and DHCP from the original 2K Server and installed on the 03 server. The old server points to .200 for DNS now.

The new server points to itself for DNS - 192.168.1.200 - Old Win2k server points to 192.168.1.200 for DNS.

Now for the problem. When I try to create a trust relationship between the two servers from the 03 side, I get the following message at the end of the Trust Wizard...

The verification of the incoming trust failed with the following errors.

The trust password verification failed with error 5: Access is denied. A secure channel will be attempted.

If I do a NSLOOKUP from the original 2K server I get the following message...

C:\>nslookup
Default Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

> dauphin2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

*** dauphin2000.dauphin.local can't find dauphin2000: Non-existent domain
> dauphin-2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

Name:    dauphin-2000.DAUPHIN_2000
Address:  192.168.1.2

On the new 03 server I get the following...


C:\>nslookup
Default Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

> dauphin2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

Name:    dauphin2000.Dauphin.local
Address:  192.168.1.200

> dauphin-2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

*** dauphin2000.dauphin.local can't find dauphin-2000: Non-existent domain

I'm sure it's in my DNS settings in the new 03 server, but I can't seem to find it! The reverse DNS seems to always show up, but not in the forward zone.

Allow Dynamic Updates is turned on.
Both domains are created in the Forward lookup zone. Dauphin.local and dauphin_2000

I have also tried running DNS on the Win2K server and pointing the Win03 server to it, and still no luck.

I'm missing something and I sure hope someone has an idea. :-)

Thanks!
compcowboyAsked:

WeHeCommented:
A DC MUST point to itself for DNS resolution.
You can put the DNS of Dauphin into your forwarders configuration of the W2K Server using a conditional forwarder, and vice versa.
Each DC has to use itself for DNS!!
By the way, "_" cannot be used for DNS names if you use "Strict RFC" for name checking.
0
compcowboyAuthor Commented:
I did try running DNS on each server and then pointing to itself. I then added each controller to the other DNS as a secondary and still no luck, but I'll try it again and post the results.

R.
0
WeHeCommented:
It's wrong to set them as secondary; you must configure the DNS to forward queries to the other.
0
compcowboyAuthor Commented:
OK. So set up each server with its own DNS pointing to itself and then add the other's IP into the forwarders?
0
WeHeCommented:
yes, that should work
0
compcowboyAuthor Commented:
I'll give it a whirl! One other question though. Should I add each server into the Name Servers area or just as a forwarder? This whole problem started because the old domain had an underscore and the plan was to eliminate the 2K server, but there is a Pervasive database on that server that they claim CANNOT run on 03 yet.

R.
0
WeHeCommented:
no, the primary and secondary DNS server for a client MUST have the same data.
only add the new DNS to the forwarders.
0
compcowboyAuthor Commented:
Perfect. I'll give it a try and see what happens.
0
compcowboyAuthor Commented:
OK. I have each server with its own DNS set up and each one forwarded to the other.

On the 03 server 192.168.1.200 (dauphin2000), I get the following.


C:\>nslookup
Default Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

> dauphin-2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

*** dauphin2000.dauphin.local can't find dauphin-2000: Non-existent domain
> dauphin2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

Name:    dauphin2000.Dauphin.local
Address:  192.168.1.200

On the 2k Server 192.168.1.2 (dauphin-2000) I get the following.

C:\>nslookup
Default Server:  dauphin-2000.dauphin_2000
Address:  192.168.1.2

> dauphin2000
Server:  dauphin-2000.dauphin_2000
Address:  192.168.1.2

*** dauphin-2000.dauphin_2000 can't find dauphin2000: Non-existent domain

R.
0
binary_1001010Commented:
it looks like a password issue, look at your error again :

The trust password verification failed with error 5: Access is denied. A secure channel will be attempted.

I have worked with trust a lot of times, if it can't find the domain, it will say : Unable to find domain(something like that).

During the password verification, you do NOT need to enter your administrator password; this password is just for verification. You can enter batman and Windows2003 for the name and password.

The sequence is also very important: for NT you must work on the trusting domain first, then on the trusted domain.
But for Win2k or 2k3, either one will do.



0
compcowboyAuthor Commented:
I have identical admin accounts on each server. I created the trust via the 03 server and requested a 2-way trust. It all seems to work and it even creates the trust on the 2k server, but after I get the verification failed error, I also get the following message on the 03 server.

To improve the security of this external trust, security identifier (SID) filtering is enabled... The only way I have been able to even get it to remotely work is to run

I am still concerned that I cannot nslookup back and forth, since if I try and verify the trust from the 2K server to the 03 server, I get an error about no login servers available and access is denied.

This REALLY has me stumped and I know I'm missing some basic thing, but I have gone over and over the settings until my eyes get blurry! The customer is approx 8 hours away, but I have a VPN in for remote access (good thing!) :-)

R.
0
binary_1001010Commented:
OK, do you have Support Tools installed? If yes, do a:

netdom query trust

or

netdom trust /query

post your result.
0
compcowboyAuthor Commented:
Yes, I have netdom installed. FYI, I have one trust to an older NT4 server without a hitch.

Otherwise, right now netdom query trust shows the following on the 03 server.


C:\Documents and Settings\Administrator\Desktop>netdom query trust
Direction Trusted\Trusting domain                         Trust type
========= =======================                         ==========

 ->       DAUPHIN_NT
Direct

The command completed successfully.


Then, once I create the trusts, it shows...


Direction Trusted\Trusting domain                         Trust type
========= =======================                         ==========

 ->       DAUPHIN_NT
Direct

<->       DAUPHIN_2000
Direct

The command completed successfully.

On the W2K server, it shows...

C:\>netdom query trust
Direction Trusted\Trusting domain                         Trust ty
========= =======================                         ========

<->       DAUPHIN_NT
Direct

<->       Dauphin.local
Direct
 Not found

The command completed successfully.

R.
0
compcowboyAuthor Commented:
I've tried everything I can think of, and it still seems to point to a DNS issue.

I can, however, create a one way trust without a problem on the 03 side.


C:\>netdom query trust
Direction Trusted\Trusting domain                         Trust type
========= =======================                         ==========

 ->       DAUPHIN_NT
Direct

 ->       DAUPHIN_2000
Direct

The command completed successfully.

Any ideas? For now, I have put it back to the one way trust otherwise they will be down tomorrow.:-(

R.
0
binary_1001010Commented:
on your win2k server, did you add in the suffix in networking>dns setting?
0
Chris DentPowerShell DeveloperCommented:
To get name resolution to work it might be worth creating slave zones.

On the Windows 2003 DNS, add a Slave zone and use the Windows 2000 Server as the Master for the zone. Alternatively on the Windows 2003 DNS you can create a Stub Zone and point that to the Windows 2000 Server (a Stub zone is basically conditional forwarding).

On the Windows 2000 DNS, add a Slave zone and use the Windows 2003 Server as the Master for the zone. Windows 2000 DNS doesn't support Stub zones, so those can't be used in this instance.

Check NSLookup gives you the right results, then try creating the trust again.
0
compcowboyAuthor Commented:
OK. I have DNS running on each server and a secondary running on each server pointing to the other server.

Here are the results of the nslookup.

Win03 server (192.168.1.200)


C:\>nslookup
Default Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

> dauphin2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

Name:    dauphin2000.Dauphin.local
Address:  192.168.1.200

> dauphin-2000
Server:  dauphin2000.dauphin.local
Address:  192.168.1.200

*** dauphin2000.dauphin.local can't find dauphin-2000: Non-existent domain

NSLOOKUP on the Win2K server (192.168.1.2)


C:\>nslookup
Default Server:  dauphin-2000.dauphin_2000
Address:  192.168.1.2

> dauphin2000
Server:  dauphin-2000.dauphin_2000
Address:  192.168.1.2

*** dauphin-2000.dauphin_2000 can't find dauphin2000: Non-existent domain

R.
0
Chris DentPowerShell DeveloperCommented:

A couple of things...

When you query dauphin_2000 try doing it with a period on the end:

nslookup dauphin_2000.

It might also need a domain search list adding; you can test that with nslookup as well with the following command:

set srchlist=dauphin.local/dauphin_2000

Again, you might have to include a period on the end of the domain name for the single-label version.

I take it you changed the strict option mentioned above so it'll allow domain names with _ included?

Also, it could well be the domain name itself, single label names aren't completely supported in DNS.

http://support.microsoft.com/kb/300684

And the first of the points:

DNS might not be used to locate domain controllers in domains with single-label DNS names.

I'm not sure whether any of the details listed will help you fix it, but that might be the cause.
0
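As an added example that is not from the thread or from Windows itself: a small Python script that applies the two name-level checks raised above (WeHe's point that "_" is rejected under strict RFC name checking, and the single-label and search-list points in this comment) to the names from the question. The label rules and the search-list expansion are a simplified model written for illustration, not Windows DNS or nslookup code.

```python
import re

# Strict RFC 952/1123 hostname label: letters, digits and hyphen only,
# no leading or trailing hyphen, at most 63 characters.
STRICT_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_dns_name(name):
    """Return the problems a strict-RFC DNS name check (and AD's DC locator)
    would have with a domain or host name. An empty list means it is clean."""
    problems = []
    labels = name.rstrip(".").split(".")
    if len(labels) == 1:
        # Single-label domains: DNS may not be used to locate DCs (see KB300684).
        problems.append("single-label name: DC location via DNS is unreliable")
    for label in labels:
        if not label:
            problems.append("empty label")
        elif "_" in label:
            problems.append(f"label {label!r} contains '_' (rejected by strict RFC checking)")
        elif not STRICT_LABEL.match(label):
            problems.append(f"label {label!r} is not a valid strict RFC hostname label")
    return problems


def search_candidates(query, srchlist):
    """Model of how a '/'-separated suffix search list expands a query:
    a trailing '.' makes the name absolute and is tried as-is; otherwise each
    suffix is appended in order, and the bare name is tried last (assumed order)."""
    if query.endswith("."):
        return [query]
    suffixes = [s for s in srchlist.split("/") if s]
    return [f"{query}.{s}." for s in suffixes] + [f"{query}."]


if __name__ == "__main__":
    # Names taken from the question above.
    for n in ["Dauphin.local", "Dauphin_2000", "DAUPHIN_NT", "dauphin-2000.dauphin_2000"]:
        print(n, "->", check_dns_name(n) or "OK")
    # The search list suggested in the comment, applied to the old DC's short name.
    for fqdn in search_candidates("dauphin-2000", "dauphin.local/dauphin_2000"):
        print("try:", fqdn)
```

With the search list in place, the query for dauphin-2000 is tried as dauphin-2000.dauphin_2000. before falling back to the bare name, which is why srchlist helps even though the domain name itself remains non-compliant.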
compcowboyAuthor Commented:
OK - I found the problem with the trusts. It was a simple matter of removing the SID for the Dauphin-2000 server from the 03 server. Once removed, the Trust worked without a hitch.

Your set srchlist did seem to help with the nslookup - thanks!

Russ
0
Network_PadawanCommented:
hi compcowboy, I am having the EXACT same issue. However, I do not understand your solution. How do you remove the SID for the server?
0
compcowboyAuthor Commented:
That was a long time ago but reading back, it seems to me the old server was not properly demoted off of the new server, so I would have manually removed the old server information from the new server.
0