Solved

Establishing a W2K Forest to W2K3 Forest with a twist....DNS

Posted on 2006-11-29
Last Modified: 2010-03-18
Hello all.  I have a scenario that has me at wits end.  I believe I know the answer but......

So my company has a Windows 2000 Domain.  We have another company that we provide data services for.  One of the devices we use is a snap14000 storage box.  It is a member of the domain.  The other company (I don't get to manage their network) is a Windows 2003 Domain.

Both are running in W2k Native mode and each has its own DNS configuration.

What I am trying to accomplish is a Forest to Forest Trust such that I can add some of their users to the appropriate domain groups on my side to give them access to the resources.

When attempting to establish the trust, I coordinated with the other business to create the trust.  It works (verify/validate) from their side, but not mine.  When I say it works I mean that it creates the trusts on both sides, but when I try to validate the connection on my side it states that it can't contact the PDC for the domain.  I believe the problem is DNS related.

My domain is xxx.org       Theirs is yyy.local

My understanding is that when they created this server (prior to me) they used the .local internal convention as they have an "external" address that is yyy.org that is serviced by an ISP.

On my DNS server we have a Primary Standard Zone that represents their system, but again it was created before I got here and it was created with a completely different zzz.org dns address.

All of these systems were "migrated" from NT 4, back in the day.

Is there a way to get these domains to talk  from my xxx.org to their yyy.local?  We do go through firewalls and all that crap as well.

Any questions/suggestion would be helpful.  My current thought is that I will need them to rename their domain.  (Which can be done in 2003)
Question by:eric_bender

18 Comments

LVL 16

Expert Comment

by:The_Kirschi
Can you ping yyy.local DC by IP? If yes, what happens, when you setup a DNS zone for yyy.local and add the DC there? Can you ping by name?

If they can setup a trust successfully it should not be a problem with the .local domain part.
LVL 2

Author Comment

by:eric_bender
I can ping by IP.  The yyy actually represents the "domain" name... i.e.  "domain.local" and not "machine" name.  Just to clarify.  The IP routing is handled by our router (different Network).  I did try creating a new DNS zone.  And still no luck.  Is there a special type of Zone I would need to create?  My guess is that it has to do with us not being able to NSLookup "domain.local".
LVL 2

Author Comment

by:eric_bender
So as a follow up, how would I set up the "Zone" to facilitate their domain?
LVL 16

Expert Comment

by:The_Kirschi
I would create an AD-integrated zone. Just go to the DNS mmc, right-click the server and select new zone. Choose yyy.local as the domain name.

Alternatively, if you can connect to the DNS on the other side you could set up your DNS to route any DNS requests for yyy.local to their DNS server. This could be done in the DNS server properties in the forwarding tab.
LVL 2

Author Comment

by:eric_bender
Ok,
So how does that help if I can't resolve the Domain name with NSlookup.....

   nslookup mydomain.org                 (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

Name:    mydomain.org
Addresses:  10.1.0.15, 10.1.0.5, 10.15.0.63

(ip & domain changed to protect the innocent)


   nslookup theirdomain.local              (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

*** dc.mydomain.org can't find nsfcu.local: Non-existent domain   (with no zone entry)


  nslookup theirdomain.local              (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

Name: theirdomain.local      (with Zone entry)


LVL 2

Author Comment

by:eric_bender
Upgrading point value to 500
LVL 16

Expert Comment

by:The_Kirschi
If you have set up a zone you have to create an A record for their DNS server and an NS record that points to that A record.

If you have no zone set up, go to the properties of the DNS server in the forwarding tab and select to forward all requests for domain.local to the IP address of their DNS server. Of course all of that works only if DNS queries are allowed through your VPN connection.

If not, you have to set up the zone and create all needed A records manually.

If you can reach hosts on their network by IP you just need a way to translate DNS names to these IPs. That's what my solution does.
LVL 2

Author Comment

by:eric_bender
Ok,

  This brings me back to the original problem..... My domain controller is W2k.  Their domain controller is W2k3.

Windows 2000 does not allow for setting up domain specific forwarding..... at least as far as I can tell.
We are getting ready to move to 03, but I have to research all of the "Old" applications that this organization has.  Unfortunately I have only been here less than 2 years and am finally getting them to let me change..........

Do you know of any way to do the domain specific forwarding on W2k?
LVL 16

Expert Comment

by:The_Kirschi
No, you're right, that will not work. You need W2k3. So you should opt for the domain.local zone.
LVL 2

Author Comment

by:eric_bender
Ok,  so I added the zone.  All machines that exist there are in the zone.  I have added their DC/DNS server to the NS list....   But I created it as a Standard Primary..... Am I going to have a problem with that vs. AD integrated?

The reason I ask is that I still get the below listed result of <nslookup theirdomain.local>

Server:  dc.mydomain.org
Address:  10.1.0.15

Name: theirdomain.local      (with Zone entry)

I could use the forwarding, but as you are well aware I don't want all of my unresolved name resolutions going to their server.  i.e. the 03 forwarding is so much nicer.......

when I did the forwarder entry for their DNS..... it did in fact show what I would expect.... but again I can't leave it that way......
LVL 2

Author Comment

by:eric_bender
Am I going to need to add any SRV records?  Or any other record types...
LVL 16

Expert Comment

by:The_Kirschi
If you do an nslookup theirdomain.local it will not give a result when there is no entry for theirdomain.local.

Try nslookup hostname.theirdomain.local for one of the A records you created. No SRV records needed.
LVL 2

Author Comment

by:eric_bender
Ok

I will try one more test here locally... You are correct on the zone to lookup.......

I will add the same record/entry for my test environment (virtual server) and try to establish the trust.... it is configured with 2003 and should function the same.

If this works then I will jet to the other location set the trust from there and be awarding points.... Let's hope....Pray...
LVL 16

Expert Comment

by:The_Kirschi
I go to bed now (it's 1:19 am here in Central Europe) and wish you good luck!
LVL 2

Author Comment

by:eric_bender
Thanx for the help... I am in Alaska.

Unfortunately the trust appears to query the DNS domain for the PDC.... there is nowhere to specify..... DNS is good.... with the Zone as far as identifying a machine, but I am not getting the PDC for the domain to respond and therefore it can't "authenticate/validate"

I will continue on... thanks
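The zone-record advice earlier in the thread and the PDC problem in this post come down to the same DNS data: a Windows DC finds another domain's DCs and its PDC emulator through the SRV locator records under _msdcs, so a manually built zone holding only A and NS records resolves host names but gives the trust wizard nothing to locate the PDC with. The script below is an added example, not code from this thread; the zone name, DC name and IP address are constructed placeholders. It builds the minimal locator record set for a hand-maintained zone, renders the matching dnscmd commands, and reports which records an A-plus-NS-only zone is missing.

```python
# Added example (not from the thread). Names and addresses are constructed
# placeholders standing in for the poster's real domain and DC.
REMOTE_ZONE = "theirdomain.local"      # assumption: the remote forest's DNS name
REMOTE_DC = "dc1.theirdomain.local"    # assumption: one DC/DNS server on their side
REMOTE_DC_IP = "192.0.2.10"            # constructed documentation address

# Locator SRV owners a DC queries, with the service port carried in rdata.
SRV_OWNERS = [
    ("_ldap._tcp", 389),                # any DC in the domain
    ("_ldap._tcp.dc._msdcs", 389),      # DC locator (DsGetDcName)
    ("_ldap._tcp.pdc._msdcs", 389),     # PDC emulator, needed to validate a trust
    ("_kerberos._tcp", 88),             # KDC for cross-forest authentication
    ("_kerberos._tcp.dc._msdcs", 88),
]


def locator_records(zone, dc_fqdn, dc_ip):
    """Return (owner, rrtype, rdata) tuples for a minimal hand-built zone."""
    recs = [
        (zone, "A", dc_ip),        # apex A: 'nslookup zone' returns an address
        (zone, "NS", dc_fqdn),     # zone names the remote DC as its server
        (dc_fqdn, "A", dc_ip),     # glue for the DC host name
    ]
    for prefix, port in SRV_OWNERS:
        # SRV rdata is 'priority weight port target'.
        recs.append((f"{prefix}.{zone}", "SRV", f"0 100 {port} {dc_fqdn}"))
    return recs


def missing_locator_records(existing, zone, dc_fqdn, dc_ip):
    """List (owner, rrtype) pairs that `existing` lacks for trust lookups."""
    have = {(o.lower(), t.upper()) for o, t, _ in existing}
    return [(o, t) for o, t, _ in locator_records(zone, dc_fqdn, dc_ip)
            if (o.lower(), t) not in have]


def dnscmd_lines(zone, recs):
    """Render records as 'dnscmd /RecordAdd zone node type rdata' commands."""
    lines = []
    for owner, rrtype, rdata in recs:
        node = "@" if owner == zone else owner[:-len(zone) - 1]
        lines.append(f"dnscmd /RecordAdd {zone} {node} {rrtype} {rdata}")
    return lines


# A zone built the way the thread describes: NS plus host A records only.
AUTHOR_STYLE_ZONE = [(REMOTE_ZONE, "NS", REMOTE_DC), (REMOTE_DC, "A", REMOTE_DC_IP)]

if __name__ == "__main__":
    for owner, rrtype in missing_locator_records(AUTHOR_STYLE_ZONE, REMOTE_ZONE, REMOTE_DC, REMOTE_DC_IP):
        print(f"missing: {owner} {rrtype}")
    print("\n".join(dnscmd_lines(REMOTE_ZONE, locator_records(REMOTE_ZONE, REMOTE_DC, REMOTE_DC_IP))))
```

The dnscmd syntax is the Windows 2000 Support Tools form; records for the remote DC must be kept in step by hand whenever their DC names or addresses change.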
LVL 16

Accepted Solution

by: The_Kirschi earned 500 total points
I found information that should get it running for you:

http://groups.google.de/group/microsoft.public.win2000.dns/browse_thread/thread/ed2da67de8de8009/f951921e40cad507?lnk=st&q=windows+2000+dns+ns+record&rnum=21&hl=de#f951921e40cad507

Especially for establishing the trust, try to configure your DC's NIC to use the other side's DNS server as primary or secondary DNS server. With this configuration at least your DC will ask the right DNS server and thus should also get information on the DCs and such on the other side.
LVL 2

Author Comment

by:eric_bender
From my understanding it is not good, when using AD integrated Zones, to have a DNS entry other than itself when the DNS Server resides on the DC?  Maybe I am thinking wrong.  Regardless, this didn't work for me.  The scenario listed above changes for me as their systems will all be in the same "forest".  So the article states.  Mine are different forests completely.

I believe that my only solution is going to be to hold off until I get my DC/DNS switched to 2003.  That project is actually in progress.  I will try to give the users an alternate (slightly cumbersome) way in to the SAN and come back to this when I am up and running on 03.

I am going to award all the points to you for the assistance.  A lot of good information and ideas came out.

Thanx
LVL 16

Expert Comment

by:The_Kirschi
Thanks. And good luck with W2k3 then!