• Status: Solved

Establishing a W2K Forest to W2K3 Forest with a twist....DNS

Hello all.  I have a scenario that has me at wits end.  I believe I know the answer but......

So my company has a Windows 2000 Domain.  We have another company that we provide data services for.  One of the devices we use is a snap14000 storage box.  It is a member of the domain.  The other company (I don't get to manage their network) is a Windows 2003 Domain.

Both are running in W2K native mode and each has its own DNS configuration.

What I am trying to accomplish is a Forest to Forest Trust such that I can add some of their users to the appropriate domain groups on my side to give them access to the resources.

When attempting to establish the trust, I coordinated with the other business to create the trust.  It works (verify/validate) from their side, but not mine.  When I say it works I mean that it creates the trusts on both sides, but when I try to validate the connection on my side it states that it can't contact the PDC for the domain.  I believe the problem is DNS related.

My domain is xxx.org       Theirs is yyy.local

My understanding is that when they created this server (prior to me) they used the .local internal convention as they have an "external" address that is yyy.org that is serviced by an ISP.

On my DNS server we have a Primary Standard Zone that represents their system, but again it was created before I got here and it was created with a completely different zzz.org DNS address.

All of these systems were "migrated" from NT 4, back in the day.

Is there a way to get these domains to talk  from my xxx.org to their yyy.local?  We do go through firewalls and all that crap as well.

Any questions/suggestion would be helpful.  My current thought is that I will need them to rename their domain.  (Which can be done in 2003)
Asked by: eric_bender

1 Solution
 
The_KirschiCommented:
Can you ping the yyy.local DC by IP? If yes, what happens when you set up a DNS zone for yyy.local and add the DC there? Can you ping by name?

If they can setup a trust successfully it should not be a problem with the .local domain part.
 
eric_benderAuthor Commented:
I can ping by IP.  The yyy actually represents the "domain" name... i.e.  "domain.local" and not "machine" name.  Just to clarify.  The IP routing is handled by our router (different Network).  I did try creating a new DNS zone.  And still no luck.  Is there a special type of Zone I would need to create.  My guess is that it has to do with us not being able NSLookup "domain.local".    
 
eric_benderAuthor Commented:
So as a follow-up, how would I set up the "Zone" to facilitate their domain?
 
The_KirschiCommented:
I would create an AD-integrated zone. Just go to the DNS MMC, right-click the server and select New Zone. Choose yyy.local as the domain name.

Alternatively, if you can connect to the DNS on the other side, you could set up your DNS to route any DNS requests for yyy.local to their DNS server. This can be done in the DNS server properties on the Forwarders tab.
 
eric_benderAuthor Commented:
Ok,
So how does that help if I can't resolve the domain name with nslookup?

   nslookup mydomain.org                 (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

Name:    mydomain.org
Addresses:  10.1.0.15, 10.1.0.5, 10.15.0.63

(ip & domain changed to protect the innocent)


   nslookup theirdomain.local              (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

*** dc.mydomain.org can't find nsfcu.local: Non-existent domain   (with no zone entry)


  nslookup theirdomain.local              (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

Name: theirdomain.local      (with Zone entry)


 
eric_benderAuthor Commented:
Upgrading point value to 500
 
The_KirschiCommented:
If you have set up a zone you have to create an A record for their DNS server and an NS record that points to that A record.

If you have no zone set up, go to the properties of the DNS server, Forwarders tab, and select to forward all requests for domain.local to the IP address of their DNS server. Of course all of that works only if DNS queries are allowed through your VPN connection.

If not, you have to set up the zone and create all needed A records manually.

If you can reach hosts on their network by IP you just need a way to translate DNS names to these IPs. That's what my solution does.
 
eric_benderAuthor Commented:
Ok,

  This brings me back to the original problem..... My domain controller is W2k.
                                                                      Their domain controller is W2k3

Windows 2000 does not allow for setting up domain-specific forwarding..... at least as far as I can tell.
We are getting ready to move to 03, but I have to research all of the "Old" applications that this organization has.  Unfortunately I have only been here less than 2 years and finally getting them to let me change..........


Do you know of any way to do the domain-specific forwarding on W2k?
 
The_KirschiCommented:
No, you're right, that will not work. You need W2k3. So you should opt for the domain.local zone.
 
eric_benderAuthor Commented:
Ok, so I added the zone.  All machines that exist there are in the zone.  I have added their DC/DNS server to the NS list....   But I created it as a Standard Primary..... Am I going to have a problem with that vs. AD integrated?

The reason I ask is that I still get the below listed result of <nslookup theirdomain.local>

Server:  dc.mydomain.org
Address:  10.1.0.15

Name: theirdomain.local      (with Zone entry)

I could use the forwarding, but as you are well aware I don't want all of my unresolved name resolutions going to their server.  i.e. the 03 forwarding is so much nicer.......

when I did the forwarder entry for their DNS..... it did in fact show what I would expect.... but again I can't leave it that way......
 
eric_benderAuthor Commented:
Am I going to need to add any SRV records?  Or any other record types...
 
The_KirschiCommented:
If you do an nslookup theirdomain.local it will not give a result when there is no entry for theirdomain.local.

Try nslookup hostname.theirdomain.local for one of the A records you created. No SRV records needed.
 
eric_benderAuthor Commented:
Ok

I will try one more test here locally... You are correct on the zone to lookup.......

I will add the same record/entry for my test environment (virtual server) and try to establish the trust.... it is configured with 2003 and should function the same.

If this works then I will jet to the other location set the trust from there and be awarding points.... Let's hope....Pray...
 
The_KirschiCommented:
I go to bed now (it's 1:19 am here in central Europe) and wish you good luck!
 
eric_benderAuthor Commented:
Thanx for the help... I am in Alaska.

Unfortunately the trust appears to query the dns domain for the pdc.... there is no where to specify..... DNS is good.... with the Zone as far as identifying a machine but I am not getting the PDC for the domain to respond and therefore it can't "authenticate/validate"

I will continue on... thanks
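
The failure described in the post above is what this added example models. The code is not from the thread, from either poster or from Microsoft; it mimics what a Windows DC does when it has to find another domain's PDC during trust setup: it does not resolve the bare domain name, it queries the SRV record _ldap._tcp.pdc._msdcs.<domain> and then the A record of that record's target. A standard primary zone filled only with host A records therefore answers nslookup for a hostname yet still leaves the trust wizard unable to contact the PDC. The names theirdomain.local, dc1 and the address 192.0.2.10 are constructed for the example, and the rendered zone file is an assumption about what such a hand-maintained zone would need to carry, not something the thread shows.

```python
"""Added example (not from the thread): an A-record-only zone for a remote
AD domain satisfies nslookup but not the DC locator used by trust setup.

The locator queries the SRV record _ldap._tcp.pdc._msdcs.<domain> and then
resolves that record's target host, so a hand-maintained standard primary
zone must carry the locator SRV records the remote DC would normally
register itself.  theirdomain.local, dc1 and 192.0.2.10 are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REMOTE_DOMAIN = "theirdomain.local"
REMOTE_DC = "dc1"              # assumed hostname of their DC/DNS server
REMOTE_DC_IP = "192.0.2.10"    # assumed address (TEST-NET-1)


@dataclass(frozen=True)
class Record:
    name: str   # owner name without trailing dot
    rtype: str  # "A", "NS" or "SRV"
    data: str   # A: address; NS: host; SRV: "priority weight port target"


# SRV owner names (relative to the domain) a Windows DC registers, with the
# service port; the first one is what a PDC-required lookup asks for.
LOCATOR_SRV = [
    ("_ldap._tcp.pdc._msdcs", 389),
    ("_ldap._tcp.dc._msdcs", 389),
    ("_kerberos._tcp.dc._msdcs", 88),
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_gc._tcp", 3268),
]


def build_zone(domain: str, dc_host: str, dc_ip: str, with_srv: bool = True) -> List[Record]:
    """Records for a locally hosted copy of the remote domain's zone.
    with_srv=False reproduces the A/NS-only zone described in the thread."""
    fqdn = f"{dc_host}.{domain}"
    records = [Record(domain, "NS", fqdn), Record(fqdn, "A", dc_ip)]
    if with_srv:
        for prefix, port in LOCATOR_SRV:
            records.append(Record(f"{prefix}.{domain}", "SRV", f"0 100 {port} {fqdn}"))
    return records


def locate_pdc(records: List[Record], domain: str) -> Optional[Tuple[str, str]]:
    """Mimic the DC locator's PDC lookup: SRV first, then A for the target.
    Returns (target_host, ip), or None when the chain breaks."""
    owner = f"_ldap._tcp.pdc._msdcs.{domain}"
    candidates = sorted(
        (r for r in records if r.name == owner and r.rtype == "SRV"),
        key=lambda r: int(r.data.split()[0]),  # lowest priority first
    )
    for srv in candidates:
        target = srv.data.split()[3].rstrip(".")
        for a in records:
            if a.rtype == "A" and a.name == target:
                return target, a.data
    return None


def check_zone(records: List[Record], domain: str) -> List[str]:
    """Consistency check before loading the zone: every SRV/NS target needs
    an A record, and the PDC locator record must exist."""
    problems = []
    a_names = {r.name for r in records if r.rtype == "A"}
    for r in records:
        if r.rtype in ("SRV", "NS"):
            target = r.data.split()[-1].rstrip(".")
            if target not in a_names:
                problems.append(f"{r.rtype} {r.name} points at {target}, which has no A record")
    pdc_owner = f"_ldap._tcp.pdc._msdcs.{domain}"
    if not any(r.rtype == "SRV" and r.name == pdc_owner for r in records):
        problems.append(f"no {pdc_owner} SRV record; trust setup cannot find the PDC")
    return problems


def to_zone_file(domain: str, records: List[Record], ns_fqdn: str) -> str:
    """Render as a master-format zone file (loadable as a standard primary zone)."""
    lines = [
        f"$ORIGIN {domain}.",
        "$TTL 3600",
        f"@ IN SOA {ns_fqdn}. hostmaster.{domain}. ( 1 3600 600 86400 3600 )",
    ]
    for r in records:
        data = r.data if r.rtype == "A" else r.data + "."   # absolute target names
        lines.append(f"{r.name}. IN {r.rtype} {data}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    full = build_zone(REMOTE_DOMAIN, REMOTE_DC, REMOTE_DC_IP)
    bare = build_zone(REMOTE_DOMAIN, REMOTE_DC, REMOTE_DC_IP, with_srv=False)
    print("A-only zone, PDC lookup:", locate_pdc(bare, REMOTE_DOMAIN))
    print("Full zone, PDC lookup:  ", locate_pdc(full, REMOTE_DOMAIN))
    print("\n".join(check_zone(bare, REMOTE_DOMAIN)))
    print(to_zone_file(REMOTE_DOMAIN, full, f"{REMOTE_DC}.{REMOTE_DOMAIN}"))
```

Run as a script, it shows the PDC lookup failing against the A/NS-only zone and succeeding once the locator SRV records are present, and check_zone names dangling targets before the file is loaded. These are the same records the remote DC's own DNS server would answer with, which is why a conditional forwarder on Windows Server 2003 (or pointing the DC at their DNS server, as suggested below) removes the need to hand-maintain them.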
 
The_KirschiCommented:
I found information that should get it running for you:

http://groups.google.de/group/microsoft.public.win2000.dns/browse_thread/thread/ed2da67de8de8009/f951921e40cad507?lnk=st&q=windows+2000+dns+ns+record&rnum=21&hl=de#f951921e40cad507

Especially for establishing the trust, try to configure your DC's NIC to use the other side's DNS server as primary or secondary DNS server. With this configuration at least your DC will ask the right DNS server and thus should also get information on the DCs and such on the other side.
 
eric_benderAuthor Commented:
From my understanding it is not good, when using AD-integrated zones, to have a DNS entry other than itself when the DNS server resides on the DC?  Maybe I am thinking wrong.  Regardless, this didn't work for me.  The scenario listed above changes for me as their systems will all be in the same "forest", so the article states.  Mine are different forests completely.

I believe that my only solution is going to be to hold off til I get my DC/DNS switched to 2003.  That project is actually in progress.  I will try to give the users an alternate (slightly cumbersome) way in to the SAN and come back to this when I am up and running on 03.

I am going to award all the points to you for the assistance.  A lot of good information and ideas came out.

Thanx
 
The_KirschiCommented:
Thanks. And good luck with W2k3 then!