Solved

Establishing a W2K Forest to W2K3 Forest with a twist....DNS

Posted on 2006-11-29
18
424 Views
Last Modified: 2010-03-18
Hello all.  I have a scenario that has me at wit's end.  I believe I know the answer but......

So my company has a Windows 2000 Domain.  We have another company that we provide data services for.  One of the devices we use is a snap14000 storage box.  It is a member of the domain.  The other company (I don't get to manage their network) is a Windows 2003 Domain.

Both are running in W2k Native mode and each has its own DNS configuration.

What I am trying to accomplish is a Forest to Forest Trust such that I can add some of their users to the appropriate domain groups on my side to give them access to the resources.

When attempting to establish the trust, I coordinated with the other business to create the trust.  It works (verify/validate) from their side, but not mine.  When I say it works I mean that it creates the trusts on both sides, but when I try to validate the connection on my side it states that it can't contact the PDC for the domain.  I believe the problem is DNS related.

My domain is xxx.org       Theirs is yyy.local

My understanding is that when they created this server (prior to me) they used the .local internal convention as they have an "external" address that is yyy.org that is serviced by an ISP.

On my DNS server we have a Primary Standard Zone that represents their system, but again it was created before I got here and it was created with a completely different zzz.org DNS address.

All of these systems were "migrated" from NT 4, back in the day.

Is there a way to get these domains to talk  from my xxx.org to their yyy.local?  We do go through firewalls and all that crap as well.

Any questions/suggestion would be helpful.  My current thought is that I will need them to rename their domain.  (Which can be done in 2003)
0
Question by:eric_bender
18 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18040555
Can you ping the yyy.local DC by IP? If yes, what happens when you set up a DNS zone for yyy.local and add the DC there? Can you ping by name?

If they can setup a trust successfully it should not be a problem with the .local domain part.
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041199
I can ping by IP.  The yyy actually represents the "domain" name... i.e.  "domain.local" and not "machine" name.  Just to clarify.  The IP routing is handled by our router (different Network).  I did try creating a new DNS zone.  And still no luck.  Is there a special type of Zone I would need to create?  My guess is that it has to do with us not being able to NSLookup "domain.local".
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041206
So as a follow up, how would I set up the "Zone" to facilitate their domain?
0

 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18041372
I would create an AD integrated zone. Just go to the DNS mmc, right-click the server and select new zone. Choose yyy.local as the domain name.

Alternatively, if you can connect to the DNS on the other side, you could set up your DNS to route any DNS requests for yyy.local to their DNS server. This could be done in the DNS server properties in the forwarding tab.
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041457
Ok,
So how does that help if I can't resolve the Domain name with NSlookup.....

   nslookup mydomain.org                 (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

Name:    mydomain.org
Addresses:  10.1.0.15, 10.1.0.5, 10.15.0.63

(ip & domain changed to protect the innocent)


   nslookup theirdomain.local              (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

*** dc.mydomain.org can't find nsfcu.local: Non-existent domain   (with no zone entry)


  nslookup theirdomain.local              (returns)

Server:  dc.mydomain.org
Address:  10.1.0.15

Name: theirdomain.local      (with Zone entry)


0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041464
Upgrading point value to 500
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18041525
If you have set up a zone you have to create an A record for their DNS server and an NS record that points to that A record.

If you have no zone set up, go to the properties of the DNS server in the forwarding tab and select to forward all requests for domain.local to the IP address of their DNS server. Of course all of that works only if DNS queries are allowed through your VPN connection.

If not, you have to set up the zone and create all needed A records manually.

If you can reach hosts on their network by IP you just need a way to translate DNS names to these IPs. That's what my solution does.
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041561
Ok,

  This brings me back to the original problem..... My domain controller is W2k.
  Their domain controller is W2k3.

Windows 2000 does not allow for setting up domain specific forwarding..... at least as far as I can tell.
We are getting ready to move to 03, but I have to research all of the "Old" applications that this organization has.  Unfortunately I have only been here less than 2 years and am finally getting them to let me change..........


Do you know of any way to do the domain specific forwarding on W2k?
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18041602
No, you're right, that will not work. You need W2k3. So you should opt for the domain.local zone.
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041718
Ok,  so I added the zone.  All machines that exist there are in the zone.  I have added their DC/DNS server to the NS list....   But I created it as a Standard Primary..... Am I going to have a problem with that vs. AD integrated?

The reason I ask is that I still get the below listed result of <nslookup theirdomain.local>

Server:  dc.mydomain.org
Address:  10.1.0.15

Name: theirdomain.local      (with Zone entry)

I could use the forwarding, but as you are well aware I don't want all of my unresolved name resolutions going to their server.  i.e. the 03 forwarding is so much nicer.......

when I did the forwarder entry for their DNS..... it did in fact show what I would expect.... but again I can't leave it that way......
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041736
Am I going to need to add any SRV records?  Or any other record types...
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18041804
If you do an nslookup theirdomain.local it will not give a result when there is no entry for theirdomain.local.

Try nslookup hostname.theirdomain.local for one of the A records you created. No SRV records needed.
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041819
Ok

I will try one more test here locally... You are correct on the zone to lookup.......

I will add the same record/entry for my test environment (virtual server) and try to establish the trust.... it is configured with 2003 and should function the same.

If this works then I will jet to the other location set the trust from there and be awarding points.... Let's hope....Pray...
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18041869
I go to bed now (it's 1:19 am here in Central Europe) and wish you good luck!
0
 
LVL 2

Author Comment

by:eric_bender
ID: 18041886
Thanx for the help... I am in Alaska.

Unfortunately the trust appears to query the DNS domain for the PDC.... there is nowhere to specify..... DNS is good.... with the Zone as far as identifying a machine, but I am not getting the PDC for the domain to respond and therefore it can't "authenticate/validate".

I will continue on... thanks
0
 
LVL 16

Accepted Solution

by:
The_Kirschi earned 500 total points
ID: 18043626
I found information that should get it running for you:

http://groups.google.de/group/microsoft.public.win2000.dns/browse_thread/thread/ed2da67de8de8009/f951921e40cad507?lnk=st&q=windows+2000+dns+ns+record&rnum=21&hl=de#f951921e40cad507

Especially for establishing the trust, try to configure your DC's NIC to use the other side's DNS server as primary or secondary DNS server. With this configuration at least your DC will ask the right DNS server and thus also should get information on the DCs and such on the other side.
0
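The "can't contact the PDC" symptom in this thread, as an added preflight check that is not part of the original discussion: a domain controller locates another forest's PDC through the `_ldap._tcp.pdc._msdcs.<domain>` SRV record (alongside the other DC-locator records under `_msdcs`), so a hand-built zone holding only A and NS records lets individual hosts resolve while the PDC stays unlocatable. The zone contents, host names and addresses below are constructed placeholders, and `check_trust_dns` is a hypothetical helper.

```python
"""Preflight: does a manually maintained zone for a remote AD forest carry the
DC-locator records a trust wizard queries? Added example, not from the thread."""

# SRV names (relative to the remote forest root) that a DC registers under
# _msdcs via Netlogon. A hand-built zone lacks them unless someone adds them.
REQUIRED_SRV = (
    "_ldap._tcp.pdc._msdcs",    # locates the PDC emulator (trust creation)
    "_ldap._tcp.dc._msdcs",     # generic DC locator
    "_kerberos._tcp.dc._msdcs", # Kerberos KDC locator
)

def check_trust_dns(domain, records):
    """records: (name, type, value) tuples, names fully qualified without a
    trailing dot; an SRV value is its target host. Returns a list of problems
    (empty means the zone looks sufficient for DC location)."""
    by_name = {}
    for name, rtype, value in records:
        by_name.setdefault((name.lower(), rtype.upper()), []).append(value)
    problems = []
    # The zone apex needs an NS record naming a server for the domain.
    if (domain.lower(), "NS") not in by_name:
        problems.append(f"no NS record at {domain}")
    # Each locator SRV must exist and its target must have an A record;
    # otherwise the SRV resolves but the host behind it cannot be reached.
    for prefix in REQUIRED_SRV:
        srv = f"{prefix}.{domain}".lower()
        targets = by_name.get((srv, "SRV"))
        if not targets:
            problems.append(f"missing SRV {srv}")
            continue
        for target in targets:
            if (target.lower(), "A") not in by_name:
                problems.append(f"SRV {srv} points to {target} which has no A record")
    return problems

# Constructed zone as the thread describes it: host A records plus an NS entry.
ZONE_HOSTS_ONLY = [
    ("theirdomain.local", "NS", "dc1.theirdomain.local"),
    ("dc1.theirdomain.local", "A", "192.0.2.10"),
    ("fs1.theirdomain.local", "A", "192.0.2.20"),
]

# The same zone with the locator records the trust wizard actually asks for.
ZONE_WITH_LOCATOR = ZONE_HOSTS_ONLY + [
    (f"{p}.theirdomain.local", "SRV", "dc1.theirdomain.local") for p in REQUIRED_SRV
]

if __name__ == "__main__":
    for label, zone in (("hosts only", ZONE_HOSTS_ONLY), ("with locator", ZONE_WITH_LOCATOR)):
        print(label, "->", check_trust_dns("theirdomain.local", zone) or "ok")
```

On a live system the same question is answered by querying the SRV name against the server your DC actually uses, which is why pointing the DC's NIC at the other side's DNS (as suggested above) changes the outcome.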
 
LVL 2

Author Comment

by:eric_bender
ID: 18047500
From my understanding it is not good, when using AD integrated Zones, to have a DNS entry other than itself when the DNS Server resides on the DC?  Maybe I am thinking wrong.  Regardless, this didn't work for me.  The scenario listed above changes for me as their systems will all be in the same "forest".  So the article states.  Mine are different forests completely.

I believe that my only solution is going to be to hold off until I get my DC/DNS switched to 2003.  That project is actually in progress.  I will try to give the users an alternate (slightly cumbersome) way in to the SAN and come back to this when I am up and running on 03.

I am going to award all the points to you for the assistance.  A lot of good information and ideas came out.

Thanx
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18052048
Thanks. And good luck with W2k3 then!
0
