Solved

Unable to create trust between 2 domains

Posted on 2004-11-20
Last Modified: 2012-08-13
Hi, I have 2 domains (in different forests). Every time I try to add a trust, it says "cannot find the domain controller." I'm using the Domain Trust snap-in. Both DCs can ping each other fine. I know it is not a routing issue. What could it be?
Thanks
Question by:dissolved
13 Comments
 
LVL 11

Expert Comment

by:WeHe
ID: 12638741
If you can only ping them by IP address, it's a DNS problem.
Which domains are these two? (NT, W2k, W2k3)
If they are W2k/W2k3 domains, each one must be able to resolve the domain name and the DCs by DNS.
If there is any NT domain, you need to add the "1C" and "1B" entries to the lmhosts file on the PDC (Emulator).
 

Author Comment

by:dissolved
ID: 12638770
They are both running Win2k. Each has its own DNS server.
Looks like this:


Network 1-------------Router-----------Network 2
   |                                       |
   |                                       |
   |                                       |
Domain A                                Domain B


What is the best practice in this situation? Looks like you are correct in that one DC can't resolve the other's NetBIOS name via DNS. Should I modify the hosts file on each DC, or is there a better way?
Thanks
 
LVL 11

Expert Comment

by:WeHe
ID: 12638787
best way would be a secondary zone on each DNS server, hosting the other zone.
 
LVL 11

Expert Comment

by:WeHe
ID: 12638788
Instead of a secondary, you can use a stub zone too.
 
LVL 11

Expert Comment

by:WeHe
ID: 12638795
And try to set up the trust by using a fully qualified domain name (domain.com).
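The DNS requirement WeHe describes above (each DC must resolve the other domain's name and its DCs, fixed with a secondary or stub zone) can be checked and remedied from a DC in Domain A with the following added example. It is not code from the thread; it assumes a current Windows Server with the DnsServer PowerShell module (not available on Windows 2000, where the same zone would be created in the DNS MMC), and the domain name and address are constructed placeholders.

```powershell
# Added example (not from the thread): from a DC in Domain A, check whether the
# DC locator records of Domain B resolve, and if not, add a stub zone for it.
# Assumes Windows Server with the DnsServer module; names and addresses below
# are constructed placeholders.
$RemoteDomain    = 'domainb.example'    # FQDN of the other domain (placeholder)
$RemoteDnsServer = '192.0.2.10'         # Domain B's DNS server (placeholder)

function Test-DcLocator {
    param([string]$Domain)
    # Trust creation uses the DC locator SRV record, not NetBIOS or ping
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    } catch {
        Write-Warning "Cannot resolve $srvName via local DNS: $($_.Exception.Message)"
        return $false
    }
    $ok = $true
    foreach ($rec in ($srv | Where-Object Type -eq 'SRV')) {
        # Each SRV target (a DC hostname) must itself resolve to an address
        try {
            $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction Stop
            Write-Host ("DC {0} -> {1}" -f $rec.NameTarget, ($a.IPAddress -join ','))
        } catch {
            Write-Warning "SRV points to $($rec.NameTarget) but it does not resolve"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-DcLocator -Domain $RemoteDomain)) {
    # Ask Domain B's DNS server directly; if it answers, the gap is purely
    # local resolution and a stub zone (or secondary zone) closes it
    $direct = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV `
                              -Server $RemoteDnsServer -ErrorAction SilentlyContinue
    if ($direct) {
        # Stub zone: holds only SOA/NS/glue for Domain B and refers the rest.
        # Use Add-DnsServerSecondaryZone instead for a full read-only zone copy.
        Add-DnsServerStubZone -Name $RemoteDomain -MasterServers $RemoteDnsServer `
                              -ReplicationScope Domain
        Test-DcLocator -Domain $RemoteDomain | Out-Null
    } else {
        Write-Warning "$RemoteDnsServer does not serve $RemoteDomain; check that server and port 53 between the sites"
    }
}
```

Run the same script on a DC in Domain B with the names swapped; the trust wizard needs the lookup to succeed in both directions.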
 

Author Comment

by:dissolved
ID: 12638949
Thanks! Getting a little closer now. Now when I go to add the trust, it does indeed find the domain. But I get the error:

"Active Directory cannot verify the trust. The error returned was: The security database on the server does not have a computer account for this workstation trust relationship"

Any ideas? I'm using the same password on both DCs, so I know the password can't be the issue.
Thanks
 
LVL 11

Accepted Solution

by:
WeHe earned 2000 total points
ID: 12639296
Which kind of trust do you want? One-way or two-way?
If this error only appears on the first domain when you set up the trust, just ignore it and add the trust on the other domain.
 

Author Comment

by:dissolved
ID: 12639337
Thanks. You are right. I went ahead and did the other domain as well. Looks like it worked. Now when I right-click on a shared folder in DOMAIN A, I have the option of allowing DomainB access to it. Thanks

One problem. Don't know if this matters or not, but it is still showing: Transitive Trust = no
pic here http://mvpbaseball.cc/look.jpg

Thanks man!
 
LVL 11

Expert Comment

by:WeHe
ID: 12639348
That's correct.
To get a transitive trust, you have to build a cross-forest trust.
A transitive trust means, if you trust domain.com, you trust all subdomains too.
This kind of trust is set between domains in a forest, but not available for external trusts.
 
LVL 11

Expert Comment

by:WeHe
ID: 12639357
I work too much with W2k3. Cross-forest trusts are only available in W2K3 native domains, not in W2k.
 

Author Comment

by:dissolved
ID: 12639365
Thanks! So right now, it isn't a transitive trust because it is external. However, I linked the two domains at the forest level. Both DCs I linked, I did at the root level. Does this mean any subdomains still do NOT have transitive trust? I have to explicitly allow transitive trust by doing a cross-forest trust?

I'm assuming cross-forest trust is a whole other issue in itself. Is Win2k capable of cross-forest trust? Or is this a Win2003 thing?
 
LVL 11

Expert Comment

by:WeHe
ID: 12639415
Cross-forest trust is a Win2003 thing.
With it, you can link forests with transitive trusts.
But I found some nice MS text for you:

When you create a trust between a Windows 2000 domain and a Kerberos realm, that trust is non-transitive. This means that only clients and servers that are in the immediate domain of the trust object can use this trust. Child domains are not able to use the trust.

In order for child domains to use the trust object, you must change the trust object from non-transitive to transitive. You can do this with the Netdom.exe tool found in the Windows 2000 Resource Kit. You can change a specific trust to be transitive by using the "netdom trust" and "transitive:yes" options.
 

Author Comment

by:dissolved
ID: 12639441
thanks!