Set up a trust between two 2003 domains

Posted on 2006-07-18
Medium Priority
Last Modified: 2010-04-18
I am trying to set up a trust between two Server 2003 domains. I have full control over both, and each server is sitting here with me. I have DNS up and running on both (maybe improperly configured), and I can ping each from the other by name and IP. Here's my problem: When setting up the trust, I get to the point where you are prompted to enter the domain name. I enter it, a couple of seconds go by, and the next screen comes up saying "The name you specified is not a valid Windows domain name". What gives?

Some helpful info for answers:

1.) I can reload one, or both machines, if necessary.
2.) I can uninstall AD, or DNS, or do whatever else might be needed to get this working.
3.) Step-by-step instructions would be nice. I have two MS guides that I have followed, but keep getting stuck at the same point. I also looked over this site before posting, but didn't find anything that helped me.
Question by:cogentlogik
LVL 85

Expert Comment

ID: 17131216
Make sure the machines in both domains are using *only* their own DCs/DNS servers as DNS servers in TCP/IP (no ISP DNS, no DNS of the other domain!).
In domain A, create a secondary zone for domain B, allow zone transfers to domain A's DNS in domain B.
In domain B, create a secondary zone for domain A, allow zone transfers to domain B's DNS in domain A.
Let the zones replicate, create the trust using the FQDN names of the domains (not the NetBIOS names).

Author Comment

ID: 17131517
Both domains are using the server's IP for DNS.
I tried to create the secondary zones, but get the error message: "Zone not loaded by DNS server" and a red x appears when I click on the new zone.
Is there a chance my initial DNS settings are not correct, and *that* is what's causing the issues? I remember this being relatively simple the last time I did it....
LVL 85

Expert Comment

ID: 17131582
If the zone can't be loaded, it's likely that zone transfers for the zones aren't allowed. Check that in the properties of the zones, zone transfers to the secondary DNS server are allowed.
Author Comment

ID: 17131898
Zone transfers are allowed on both domains, in all zones
LVL 85

Expert Comment

ID: 17131989
Anything in the event logs? A firewall between the two domains?

Author Comment

ID: 17132085
Nothing concrete in the event logs. Just reiterations of the errors I'm getting.
One domain is behind a Linksys RV082, with ports opened for VPN, RDP, and ICMP
The other is behind a Netgear FVS328, with only the most basic modifications from default settings.
Does that help?
LVL 85

Expert Comment

ID: 17132162
I'm assuming you have a VPN between domain A and domain B? Any ports blocked there (especially 53 for DNS)?
In domain A, can you run
nslookup fqdn.of.some.machine.in.domain.b IP.of.DNS.B
(for example "nslookup dcb.domainb.local")
Do the same for domain B.
If that works, you can try it with conditional forwarding for each domain (in the forwarders tab).

Author Comment

ID: 17138839
Okay, I set up the VPNs and followed your further instructions. I am still getting the same error on both machines. Maybe I should start over. Only one of the domains has been functioning, the other one is new. However, I could uninstall DNS on each, if that's where the problem lies. I can even reload one DC, or both, if need be. Can you explain to me how this should be set up, from the beginning?
LVL 85

Accepted Solution

oBdA earned 1000 total points
ID: 17140869
Unless you have serious problems (check the event logs), there should be no need to reinstall those domains. DNS usually can be fixed without reinstalling.
Here are some general links on how to configure DNS in an AD domain:

10 DNS Errors That Will Kill Your Network

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

How to Verify the Creation of SRV Records for a Domain Controller

SRV Resource Records May Not Be Created on Domain Controller

How Domain Controllers Are Located in Windows XP

What you need to create a trust is a two-sided full name resolution for the two domains. This can either happen with a replicated secondary zone (a bit faster) or conditional forwarding. Either requires allowing connection to port 53 in the other domain.
The first thing to get working is a manual lookup of DNS names in the other domain using nslookup, as described above.
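The checks the accepted answer and the first expert comment describe (port 53 reachable, a direct lookup against the other domain's DNS, then the same lookup through your own DNS, with a conditional forwarder as the fix), written out as an added PowerShell example. This is not code from the thread; the domain names, IP addresses and the DnsServer module (Windows Server 2012 or later; on 2003 the same forwarder is added on the Forwarders tab) are assumptions.

```powershell
# Added example, not from the thread. Run on a DC in domain A; swap the
# values to run it on domain B. Domain names and IPs are constructed placeholders.
$LocalDnsServer  = '10.0.1.10'      # this domain's DC/DNS, the only DNS the clients should use
$RemoteDomain    = 'domainb.local'  # FQDN of the other domain, not its NetBIOS name
$RemoteDnsServer = '10.0.2.10'      # DC/DNS of the other domain, reachable over the VPN

# 1. Port 53 must be open across the VPN/firewalls in both directions; if it is
#    not, the trust wizard's lookup fails and you get the "not a valid Windows
#    domain name" error no matter how DNS is configured.
$tcp53 = Test-NetConnection -ComputerName $RemoteDnsServer -Port 53 -WarningAction SilentlyContinue
if (-not $tcp53.TcpTestSucceeded) {
    Write-Warning "TCP/53 to $RemoteDnsServer is blocked; fix the firewall/VPN before touching DNS."
}

# 2. Direct lookup against the remote DNS server (the thread's nslookup test).
#    The DC locator SRV record is what the trust wizard needs to find a DC there.
$srv = "_ldap._tcp.dc._msdcs.$RemoteDomain"
try {
    $direct = Resolve-DnsName -Name $srv -Type SRV -Server $RemoteDnsServer -DnsOnly -ErrorAction Stop
    'Direct lookup OK: ' + (($direct | Where-Object Type -eq 'SRV').NameTarget -join ', ')
} catch {
    Write-Warning "Remote DNS $RemoteDnsServer cannot answer for $srv : $_"
}

# 3. Same lookup through our *own* DNS server, which is what the trust wizard does.
#    If step 2 works but this fails, the local server has no path to the remote zone.
try {
    Resolve-DnsName -Name $srv -Type SRV -Server $LocalDnsServer -DnsOnly -ErrorAction Stop | Out-Null
    'Lookup via local DNS OK'
} catch {
    # A conditional forwarder needs no zone-transfer rights on the other side,
    # unlike the secondary-zone approach, so it is the quicker thing to try.
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDnsServer
    Clear-DnsServerCache -Force
    Resolve-DnsName -Name $srv -Type SRV -Server $LocalDnsServer -DnsOnly
}
```

Repeat the whole script from a DC in domain B pointing at domain A; the trust wizard only accepts the FQDN once both directions resolve.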

Author Comment

ID: 17193670
I got sidetracked with another project. I will get back to this today, and let you know how it turns out. Thanks for your help so far.

Author Comment

ID: 17420962
I used many of the links you submitted and came up with a solution. Thanks for your help!!
