Unable to create trust between 2 domains

Hi I have 2 domains (in differnet forests). Everytime I try to add a trust, it says "cannot find the domain controller."  I'm using the Domain Trust snap in.   Both DCs can ping each other fine. I know it is not a routing issue. What could it be?
thanks
dissolvedAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

WeHeCommented:
if you can only ping them by ip address, it's a dns problem.
which domains are this two? (NT, W2k, W2k3)
if they are w2k/w2k3 domains, each one must be able to resolve the domain name and the dc's by DNS.
if there is any NT domain, you need to add the "1C" and "1B" entry to the lmhosts file on the PDC (Emulator).
0
dissolvedAuthor Commented:
They are both running win2k. Each has it's own DNS server.
Looks like this:


Network 1-------------Router-----------Network 2
   |                                                      |
   |                                                      |
   |                                                      |
Domain A                                          Domain B


What is the best practice in this situation?  Looks like you are correct in that one DC cant resolve the others netbios name via DNS.  Should I modify the host file on each DC. Or, is there a better way?
Thanks
0
WeHeCommented:
best way would be a secondary zone on each DNS server, hosting the other zone.
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

WeHeCommented:
instead a secondary, you can use a stub zone too.
0
WeHeCommented:
and try to setup the trust by using a Full qualified Domain name (domain.com)
0
dissolvedAuthor Commented:
Thanks! Getting a little closer now.  Now when I go to add the trust, it does indeed find the domain. But, I get the error:

"Active Directory cannot verify the trust. The error returned was : The security database on the server does not have a computer account for this workstation trust relationship"

Any ideas? Im using the same password on both DCs, so I know the password cant be the issue
Thanks
0
WeHeCommented:
wich kind of trust do you want? one or two way?
if this error only appears on the first Domain, when you set up the trust, just ignore it and add the trust on the other domain.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dissolvedAuthor Commented:
Thanks. You are right. I went ahead and did the other domain as well. Looks like it worked. Now when I right click on a shared folder in DOMAIN A, I have the option of allowing DomainB access to it. Thanks

One problem. Dont know if this matters or not, but it is still showing: Transitive Trust = no
pic here http://mvpbaseball.cc/look.jpg

Thanks man!
0
WeHeCommented:
thats correct.
to get a transitive trust, you have to built a cross-forest trust.
a transitive trust means, if you trust domain.com, you trust all subdomains too.
this kind of trust is set between domains in a forest, but not avail for external trusts.
0
WeHeCommented:
i work too much with w2k3. cross-forest trusts are only avail in W2K3 native domains, not in w2k.
0
dissolvedAuthor Commented:
Thanks! So right now, it isnt transitive trust because it is external. However, I linked the two domains at the forest level. Both DC's I linked, I did at the root level. Does this mean any subdomains still do NOT have transitive trust? I have to explicitly allow transitive trust be doing cross-forest trust?

I'm assuming cross-forest trust is a whole other issue in itself. Is win2k capable of cross-forest trust? Or is this a win2003 thing
0
WeHeCommented:
cross forest trust is a win2003 thing.
with it, you can link forests with transitive trusts.
but i found some nice ms text for you:

When you create a trust between a Windows 2000 domain and a Kerberos realm, that trust is non-transitive. This means that only clients and servers that are in the immediate domain of the trust object can use this trust. Child domains are not able to use the trust.

In order for child domains to use the trust object, you must change the trust object from non-transitive to transitive. You can do this with the Netdom.exe tool found in the Windows 2000 Resource Kit. You can change a specific trust to be transitive by using the "netdom trust" and "transitive:yes" options
0
dissolvedAuthor Commented:
thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.