Solved

External trust between 2000 domain and 2003 domain requires WINS/LMHOSTS? Why?

Posted on 2007-04-09
923 Views
Last Modified: 2012-06-21
We have a trust set up between our domain and our parent company's domain. We are using Windows Server 2003 at the 2003 functional level. They are using Windows 2000, at the Windows 2000 functional level. We are using conditional forwards to resolve addresses in their domain; they have just recently set up a secondary zone in their domain to resolve names in ours. The problem seems to be, however, that we are still reliant on LMHosts to maintain the trust for some reason. I'm certain it has something to do with DNS, but I don't quite understand why the trust breaks when I remove the lmhosts entries for their domain. We are not blocking traffic from or to any of the domain controllers. Anybody have any idea where I might be able to look to try and troubleshoot this?
Question by:Halonix666
15 Comments

Author Comment by: Halonix666
By the way, it's a non-transitive (obviously), two-way, external trust.

Expert Comment by: LauraEHunterMVP
You are correct in that, if the trust breaks when you remove the LMHosts entries, you are having a DNS name resolution issue between the two domains.  WINS/LMHOSTS can often serve as a "crutch" when DNS isn't perfect; you're seeing what happens when you remove that crutch. To figure out where DNS is falling down will require some process-of-elimination.

Let's call it dc1.domainA.com and dc2.domainB.com.  From dc1.domainA.com, can you:

* ping the IP address of dc2.domainB.com
* ping DC2 (without the trailing ".domainB.com")
* ping the FQDN (dc2.domainB.com)
* ping just the domain name (domainB.com - should resolve to the IP of dc2.domainB.com)
* ping the GUID of dc2 - you'll find this in the DNS Manager on dc2 under the _msdcs.domainb.com zone as a CName alias for dc2

Now do it all in reverse, from dc2.domainB.com, can you do all of the tests the other way?

Just for kicks, load the Windows Support Tools on DCs in both domains and run dcdiag and netdiag as well, to see if any errors come back. Also, if you haven't rebooted either DC in a while, restart the Netlogon and the DHCP Client service on each DC so that the A records and SRV records will re-register themselves.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
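The checklist above, as an added PowerShell example that is not part of the original thread (and not Laura's or Microsoft's code): it runs each of the resolution tests from the trusting side with the HOSTS file, LMHOSTS and NetBIOS deliberately excluded, then probes every address the remote domain name resolves to. A round-robin answer that lands on a firewalled DC is exactly the kind of fault that only shows up once the LMHOSTS "crutch" is removed. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection (the thread's era had only ping, nslookup, dcdiag and netdiag); dc2.domainB.com, domainB.com and the DSA GUID parameter are placeholders.

```powershell
# Added example, not from the original thread. Runs the name-resolution checks from the
# answer above from the trusting (domainA) side, then probes every address the remote
# domain name resolves to. Assumes Windows 8 / Server 2012+ (Resolve-DnsName,
# Test-NetConnection). All names below are placeholders taken from the thread.
param(
    [string]$RemoteDc     = 'dc2.domainB.com',  # one DC in the trusted domain
    [string]$RemoteDomain = 'domainB.com',     # DNS name of the trusted domain
    [string]$ForestRoot   = 'domainB.com',     # <guid>._msdcs.<forest root>, even for a child domain
    [string]$DsaGuid      = ''                 # optional: NTDS Settings objectGUID of $RemoteDc
)

# -DnsOnly skips the HOSTS file, LLMNR and NetBIOS/LMHOSTS, so a hit here proves that
# DNS alone can answer; that is the question the thread is trying to settle.
function Test-Name {
    param([string]$Label, [string]$Name, [string]$Type = 'A')
    try {
        $answers = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type } |
            ForEach-Object { if ($Type -eq 'CNAME') { $_.NameHost } else { $_.IPAddress } }
        '{0,-26} {1,-42} OK   -> {2}' -f $Label, $Name, ($answers -join ', ')
    } catch {
        '{0,-26} {1,-42} FAIL ({2})' -f $Label, $Name, $_.Exception.Message
    }
}

# 1. raw IP, 2. short name via the suffix search list, 3. FQDN, 4. bare domain name,
# 5. the <guid>._msdcs alias, which lives in the forest root zone only.
$ip = (Resolve-DnsName -Name $RemoteDc -Type A -DnsOnly -ErrorAction Stop |
       Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
'{0,-26} {1,-42} {2}' -f 'raw IP (ICMP)', $ip, $(if (Test-Connection $ip -Count 1 -Quiet) { 'OK' } else { 'FAIL' })
Test-Name 'short name (suffix list)' $RemoteDc.Split('.')[0]
Test-Name 'FQDN'                     $RemoteDc
Test-Name 'domain name (any DC)'     $RemoteDomain
if ($DsaGuid) { Test-Name 'GUID alias (forest root)' "$DsaGuid._msdcs.$ForestRoot" 'CNAME' }

# The domain name's A records are one per DC that registered them, answered round-robin.
# Probe the ports a trust needs on each address to see which DCs sit behind a firewall.
$ports = 88, 135, 389, 445   # Kerberos, RPC endpoint mapper, LDAP, SMB
''
'Addresses behind {0}:' -f $RemoteDomain
Resolve-DnsName -Name $RemoteDomain -Type A -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object {
        $addr   = $_.IPAddress
        $closed = $ports | Where-Object {
            -not (Test-NetConnection -ComputerName $addr -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
        if ($closed) { '  {0,-16} BLOCKED on tcp/{1}' -f $addr, ($closed -join ', tcp/') }
        else         { '  {0,-16} all trust ports open' -f $addr }
    }
```

Run it from a DC in the trusting domain and, if the other side cooperates, the mirror image from theirs. If a name resolves with ping but fails here, a HOSTS or LMHOSTS entry is masking the DNS gap. `nltest /dsgetdc:domainB.com /force` then shows which DC the locator actually picked, and `netdom trust domainA.com /d:domainB.com /verify` exercises the trust itself once the names resolve cleanly.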

Expert Comment by: LauraEHunterMVP
Also, I know you mentioned that you're not blocking any traffic on the DCs, but humour me and make sure that the Windows Firewall isn't enabled on the 2003 DC. :-)

Author Comment by: Halonix666
Windows Firewall is not enabled :P
Also there are no rules in our firewall blocking traffic TO their network; there may, however, be a firewall blocking traffic on their side, though they have repeatedly stated that there is not. I cannot rule this out entirely. I just wanted to have all my ducks in a row before pointing the finger at the company that just bought us! lol

I am able to ping the IP.
I am NOT able to ping DC1 (on domainB) without the rest of the domain
I am able to ping the FQDN dc1.noamer.domainb.com
I am NOT able to ping the noamer.domainb.com (without the computer name)
I am able to ping the GUID

I do not have access from the other end but I will have them test it out and get back you.

Thing is, there are no CNAME records in _msdcs.noamer.domainb.com. There are, however, records in _msdcs.domainb.com on their DNS server. noamer.domainb.com is a child domain of domainb.com (obviously).

Do I need to put these other domains in the domain suffix list in order for them to resolve? They should be resolving using our conditional forwards, should they not?

Expert Comment by: LauraEHunterMVP
If you don't have domainB listed in your domain suffix search order on your clients, you should add it so that you can resolve single names without using WINS.  You can enable it manually on the client side or via GPO, as described here: http://support.microsoft.com/kb/275553

Author Comment by: Halonix666
I added the suffixes and I am able to ping all of the aforementioned names, but I am now unable to reset the trust. The error message I am getting is:

1311 0x51f ERROR_NO_LOGON_SERVERS

Expert Comment by: LauraEHunterMVP
Have you run dcdiag & netdiag against the DCs on both sides yet?  That error (surprise surprise) indicates a DNS issue, usually means that either the DCs aren't pointing to the correct DNS servers for resolution, or there is an issue with the actual DNS records that are hosted on one or both sides.  (And since you haven't been able to verify on both sides, this error is something -else- that could indicate a connectivity issue in one direction or the other.)  Dcdiag and netdiag will run through a series of diagnostic tests that will indicate how well DNS is functioning on both sides, and will point you in the direction of any specific configuration errors that may be happening.

I hate to sound like a broken record by just saying "It's DNS", but without more detailed information it's hard to pin it down to the exact cause.

Author Comment by: Halonix666
I agree, I'm fairly certain it's a DNS issue as well. The fact that LMHosts works fine, and the trust only breaks when those entries are removed, points definitively to DNS in my opinion. Just trying to figure out whose side it's on and what exactly needs to be done about it. DCDiag passes all tests on our side, though again I do not have access to their side to do that.

One thing I did notice however was that the LMHosts entry was pointing to their forest root domain, the trust on the other hand is to the noamer.domainb.com domain.

Author Comment by: Halonix666
OK, I have found something odd that I would like to run by you...

They have a noamer.domainb.com zone in their DNS server. They also have a domainb.com zone. The _msdcs.noamer.domainb.com zone contains NO guid records. However the _msdcs.domainb.com zone contains all of the guid.noamer.domainb.com records.

I am able to ping the guid._msdcs.domainb.com record for dc1.noamer.domainb.com. however I am unable to ping dc1 at guid._msdcs.noamer.domainb.com.

Logically I would assume that you should be able to resolve GUIDs in the _msdcs zone of the domain in which the DCs actually exist. Is that correct?

I hope this is making sense...

Expert Comment by: LauraEHunterMVP
Actually what you're seeing is by design - if I mis-spoke in an earlier post I apologize for the confusion.  Every DC in a forest should be accessible using an FQDN of <GUID>._msdcs.<ForestName>; these GUIDs will only exist at the forest root.  If you can ping <GUID1>._msdcs.<ForestName> from DC2 and vice versa, these DCs are accessible via GUIDs.

Author Comment by: Halonix666
OK, that looks OK; further troubleshooting has uncovered some other random name resolution issues.

For example: their noamer.domainb.com domain has over 40 domain controllers. A ping to noamer.domainb.com sometimes returns something that is open in the firewall and sometimes something that isn't. I was thinking about setting up a stub zone that would force noamer.teletech.com to resolve to the same machine every time. Is this a bad thing?

I'm not really sure what's going on here, or why sometimes noamer.domainb.com resolves to the correct IP and sometimes it doesn't.

Author Comment by: Halonix666
Another thing I want to add... I added noamer.domainb.com to my hosts file, pointing it at one domain controller on their side. This allowed me to remove ALL of the lmhosts entries without breaking the trust. Obviously it's a DNS issue, but the noamer.domainb.com zone has all the entries it needs to have; I don't understand why it will just randomly pick an IP to respond.

Author Comment by: Halonix666
I realize this behavior is by design. The domain name should be able to resolve to any one of the domain controllers in a domain. But I guess the question is, is there any way to force only a few to resolve? They don't want to open up their firewall to all 40 of their domain controllers, and I suppose they shouldn't have to, but there has to be a way to deal with this. I can't imagine that other people don't have similar issues.

Accepted Solution by: LauraEHunterMVP (earned 500 total points)
Sorry, am just now catching up on your comments from earlier.

You are correct that this behaviour is by design - pinging the domain name will return one of that domain's DCs in a round-robin fashion. This is because AD (and therefore DNS) treats all DCs the same way, and therefore expects all DCs to be equally accessible; if there's a firewall in front of 3 DCs but not the other 37, you're going to see the behaviour that you're describing.  

The only way that I'm aware of to fix this on your end, you've already done using LMHOSTS or HOSTS files. The "right" answer is for the admins of the other domain to

[a] Remove whatever "one-off" configurations they have in place, because it's going to cause issues like the one you're seeing, or

[b] at the very least modify their DNS records so that the "inaccessible" DCs do not publish generic SRV records into DNS (http://support.microsoft.com/kb/306602), or modify the weight/priority of those SRV records so that the SRV records of "accessible" DCs are chosen more frequently by DNS. (http://technet2.microsoft.com/WindowsServer/en/library/df86810b-9fc5-49b8-a704-d01c042cf4601033.mspx)

The "good" news here is that, based on your description of both the technical and political environment, it sounds as though you're dealing with name resolution issues that are not of your own creation, but you've at least found a way to work around it on your own end until you can open a sufficient dialogue with the remote domain admins to see what's what.
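Option [b] above, as an added PowerShell example that is not code from the thread, from Laura, or from Microsoft: run on one of the firewalled DCs in the remote domain, it stops that DC publishing the domain-wide records (so the bare domain name no longer round-robins onto it) and lowers the attractiveness of the SRV records it still registers. The registry value names are the documented Netlogon ones referenced by KB 306602; the mnemonic list, the weight/priority numbers and the zone name noamer.domainb.com are assumptions for illustration. Note that this changes DC selection for everyone in that domain, not just for the trust, which is why the remote admins have to own the change.

```powershell
# Added example, not the thread's code. Implements option [b] above on a DC in the
# remote domain that sits behind the firewall: it stops that DC registering the
# domain-wide records and makes its remaining SRV records less attractive, so the
# DC locator (and 'ping noamer.domainb.com') land on the reachable DCs instead.
# Value names are the documented Netlogon ones (KB 306602); the numbers, the
# mnemonic list and the zone name are assumptions for illustration. Run elevated
# on each inaccessible DC. It affects the whole domain, not only the trust, so
# agree the list with the remote admins first.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Records this DC should no longer publish. LdapIpAddress is the bare-domain A record
# that the thread's ping was round-robining through; Ldap/Kdc/Dc/Gc/GenericGc are the
# domain- and forest-wide SRV records. The *AtSite variants are deliberately left in,
# so clients in this DC's own site keep finding it.
$avoid = @('LdapIpAddress', 'Ldap', 'Kdc', 'Dc', 'Gc', 'GcIpAddress', 'GenericGc')
New-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString `
                 -Value $avoid -Force | Out-Null

# Softer alternative (or complement) for the records it still registers:
# default priority is 0 (lowest number wins), default weight is 100 (share among
# equal-priority DCs). Priority 10 / weight 10 make this DC a last resort.
New-ItemProperty -Path $key -Name 'LdapSrvPriority' -PropertyType DWord -Value 10 -Force | Out-Null
New-ItemProperty -Path $key -Name 'LdapSrvWeight'   -PropertyType DWord -Value 10 -Force | Out-Null

# Netlogon re-registers its records on restart (or: nltest /dsregdns on Server 2008+).
Restart-Service Netlogon

# Verify from the trusting side, sorted the way the locator prefers
# (priority ascending, then weight descending). The firewalled DC should sort last.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.noamer.domainb.com' -Type SRV -DnsOnly |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table NameTarget, Priority, Weight, Port -AutoSize
```

After the Netlogon restart, check the noamer.domainb.com and _msdcs zones and delete by hand any records for that DC that were not deregistered (or let scavenging age them out); until they are gone the old round-robin answers persist. The weight/priority values are hints to the DC locator only: a client that already has a cached answer, or a plain ping of the domain name, still sees whatever A records remain, which is why suppressing LdapIpAddress is the part that fixes the symptom in this thread.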

Author Comment by: Halonix666
I'm going to go ahead and accept that as the solution, as I think that pretty much gives me enough ammo and a solution to start getting on them about it. I think your suggestion of changing SRV record weight and priority should suffice as an acceptable solution to this issue. Thank you for answering all of my questions :)