Solved

External trust between 2000 domain and 2003 domain requires WINS/LMHOSTS? Why?

Posted on 2007-04-09
15
931 Views
Last Modified: 2012-06-21
We have a trust set up between our domain and our parent company's domain. We are using Windows Server 2003 in 2003 functional level. They are using Windows 2000, in Windows 2000 functional level. We are using conditional forwards to resolve addresses in their domain; they have just recently set up a secondary zone in their domain to resolve names in ours. The problem seems to be, however, that we are still reliant on LMHosts to maintain the trust for some reason. I'm certain it has something to do with DNS, but I don't quite understand why the trust breaks when I remove the LMHosts entries for their domain. We are not blocking traffic from or to any of the domain controllers. Anybody have any idea where I might be able to look to try and troubleshoot this?
0
Question by:Halonix666
15 Comments
 
LVL 1

Author Comment

by:Halonix666
ID: 18878828
By the way, it's a non-transitive (obviously), two-way, external trust.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18879516
You are correct in that, if the trust breaks when you remove the LMHosts entries, you are having a DNS name resolution issue between the two domains.  WINS/LMHOSTS can often serve as a "crutch" when DNS isn't perfect; you're seeing what happens when you remove that crutch. To figure out where DNS is falling down will require some process of elimination.

Let's call them dc1.domainA.com and dc2.domainB.com.  From dc1.domainA.com, can you:

* ping the IP address of dc2.domainB.com
* ping DC2 (without the trailing ".domainB.com")
* ping the FQDN (dc2.domainB.com)
* ping just the domain name (domainB.com - should resolve to the IP of dc2.domainB.com)
* ping the GUID of dc2 - you'll find this in the DNS Manager on dc2 under the _msdcs.domainb.com zone as a CNAME alias for dc2

Now do it all in reverse, from dc2.domainB.com, can you do all of the tests the other way?

Just for kicks, load the Windows Support Tools on DCs in both domains and run dcdiag and netdiag as well, to see if any errors come back. Also, if you haven't rebooted either DC in a while, restart the Netlogon and the DHCP Client service on each DC so that the A records and SRV records will re-register themselves.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18879544
Also, I know you mentioned that you're not blocking any traffic on the DCs, but humour me and make sure that the Windows Firewall isn't enabled on the 2003 DC. :-)
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18883758
Windows Firewall is not enabled :P
Also there are no rules in our firewall blocking traffic TO their network; there may, however, be a firewall blocking traffic on their side. Though they have repeatedly stated that there is not, I cannot rule this out entirely. I just wanted to have all my ducks in a row before I point the finger at the company that just bought us! lol

I am able to ping the IP.
I am NOT able to ping DC1 (on domainB) without the rest of the domain.
I am able to ping the FQDN dc1.noamer.domainb.com.
I am NOT able to ping noamer.domainb.com (without the computer name).
I am able to ping the GUID.

I do not have access from the other end but I will have them test it out and get back to you.

Thing is, there are no CNAME records in _msdcs.noamer.domainb.com. There are, however, records in _msdcs.domainb.com on their DNS server. noamer.domainb.com is a child domain of domainb.com (obviously).

Do I need to put these other domains in the domain suffix list in order for them to resolve? They should be resolving using our conditional forwards, should they not?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18883811
If you don't have domainB listed in your domain suffix search order on your clients, you should add it so that you can resolve single names without using WINS.  You can enable it manually on the client side or via GPO, as described here: http://support.microsoft.com/kb/275553
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18884046
I added the suffixes and I am able to ping all of the aforementioned names, but I am now unable to reset the trust. The error message I am getting is:

1311 0x51f ERROR_NO_LOGON_SERVERS
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18884086
Have you run dcdiag & netdiag against the DCs on both sides yet?  That error (surprise surprise) indicates a DNS issue, usually means that either the DCs aren't pointing to the correct DNS servers for resolution, or there is an issue with the actual DNS records that are hosted on one or both sides.  (And since you haven't been able to verify on both sides, this error is something -else- that could indicate a connectivity issue in one direction or the other.)  Dcdiag and netdiag will run through a series of diagnostic tests that will indicate how well DNS is functioning on both sides, and will point you in the direction of any specific configuration errors that may be happening.

I hate to sound like a broken record by just saying "It's DNS", but without more detailed information it's hard to pin it down to the exact cause.
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18884123
I agree, I'm fairly certain it's a DNS issue as well. The fact that LMHosts works fine, and the trust only breaks when those entries are removed, points definitively to DNS in my opinion. Just trying to figure out whose side it's on and what exactly needs to be done about it. DCDiag passes all tests on our side, though again I do not have access to their side to do that.

One thing I did notice, however, was that the LMHosts entry was pointing to their forest root domain; the trust, on the other hand, is to the noamer.domainb.com domain.
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18893266
OK, I have found something odd that I would like to run by you...

They have a noamer.domainb.com zone in their DNS server. They also have a domainb.com zone. The _msdcs.noamer.domainb.com zone contains NO guid records. However the _msdcs.domainb.com zone contains all of the guid.noamer.domainb.com records.

I am able to ping the guid._msdcs.domainb.com record for dc1.noamer.domainb.com. However, I am unable to ping dc1 at guid._msdcs.noamer.domainb.com.

Logically I would assume that you should be able to resolve GUIDs in the _msdcs zone of the domain in which the DCs actually exist. Is that correct?

I hope this is making sense...
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18898154
Actually what you're seeing is by design - if I mis-spoke in an earlier post I apologize for the confusion.  Every DC in a forest should be accessible using an FQDN of <GUID>._msdcs.<ForestName>; these GUIDs will only exist at the forest root.  If you can ping <GUID1>._msdcs.<ForestName> from DC2 and vice versa, these DCs are accessible via GUIDs.
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18926756
OK, that looks OK. Further troubleshooting has uncovered some other random name resolution issues.

For example: their noamer.domainb.com domain has over 40 domain controllers. A ping to noamer.domainb.com sometimes returns something that is open in the firewall and sometimes something that isn't. I was thinking about setting up a stub zone that would force noamer.teletech.com to resolve to the same machine every time. Is this a bad thing?

I'm not really sure what's going on here, or why sometimes noamer.domainb.com resolves to the correct IP and sometimes it doesn't.
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18926811
Another thing I want to add... I added noamer.domainb.com to my hosts file, pointing it at one domain controller on their side. This allowed me to remove ALL of the LMHosts entries without breaking the trust. Obviously it's a DNS issue, but the noamer.domainb.com zone has all the entries it needs to have; I don't understand why it will just randomly pick an IP to respond.
0
 
LVL 1

Author Comment

by:Halonix666
ID: 18927801
I realize this behavior is by design. The domain name should be able to resolve to any one of the domain controllers in a domain. But I guess the question is, is there any way to force only a few to resolve? They don't want to open up their firewall to all 40 of their domain controllers, and I suppose they shouldn't have to, but there has to be a way to deal with this. I can't imagine that other people don't have similar issues.
0
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 500 total points)
ID: 18928632
Sorry, am just now catching up on your comments from earlier.

You are correct that this behaviour is by design - pinging the domain name will return one of that domain's DCs in a round-robin fashion. This is because AD (and therefore DNS) treats all DCs the same way, and therefore expects all DCs to be equally accessible; if there's a firewall in front of 3 DCs but not the other 37, you're going to see the behaviour that you're describing.  

The only way that I'm aware of to fix this on your end, you've already done using LMHOSTS or HOSTS files. The "right" answer is for the admins of the other domain to

[a] Remove whatever "one-off" configurations they have in place, because it's going to cause issues like the one you're seeing, or

[b] at the very least modify their DNS records so that the "inaccessible" DCs do not publish generic SRV records into DNS (http://support.microsoft.com/kb/306602), or modify the weight/priority of those SRV records so that the SRV records of "accessible" DCs are chosen more frequently by DNS. (http://technet2.microsoft.com/WindowsServer/en/library/df86810b-9fc5-49b8-a704-d01c042cf4601033.mspx)

The "good" news here is that, based on your description of both the technical and political environment, it sounds as though you're dealing with name resolution issues that are not of your own creation, but you've at least found a way to work around it on your own end until you can open a sufficient dialogue with the remote domain admins to see what's what.
0
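To make the accepted answer's second option concrete, here is an added example (my code, not from the thread or from Microsoft) that models how a DNS client chooses among SRV records per RFC 2782: the lowest priority value wins outright, and within that priority the choice is weighted. Windows domain controllers register their _ldap._tcp SRV records with priority 0 and weight 100 by default, which is exactly why every DC is offered equally often. The records, the child domain noamer.example.com, the dc01..dc05 names and the set of "reachable" DCs are all constructed for the demonstration.

```python
# Added example modelling RFC 2782 SRV target selection. All records,
# names and the REACHABLE set below are constructed, not from the thread.
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def select_target(records, rng=random):
    """Return the SRV record a client should try first.

    Only the lowest-priority group is considered. Within it, RFC 2782
    places weight-0 records first, picks a random number in
    [0, sum(weights)], and selects the first record whose running sum
    reaches it; so weight 0 means "rarely", not "never".
    """
    if not records:
        raise ValueError("no SRV records")
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    ordered = sorted(group, key=lambda r: r.weight != 0)  # weight 0 first
    total = sum(r.weight for r in ordered)
    pick = rng.randint(0, total)
    running = 0
    for r in ordered:
        running += r.weight
        if running >= pick:
            return r
    return ordered[-1]  # only reached if a weight were negative


def distribution(records, trials=10000, seed=1):
    """Fraction of selections that land on each target over many lookups."""
    rng = random.Random(seed)
    counts = Counter(select_target(records, rng).target for _ in range(trials))
    return {target: counts[target] / trials for target in sorted(counts)}


DOMAIN = "noamer.example.com"  # hypothetical child domain
ALL_DCS = ["dc01", "dc02", "dc03", "dc04", "dc05"]
REACHABLE = {"dc01", "dc02"}  # DCs the partner's firewall permits (assumed)


def default_registration():
    """What Netlogon registers out of the box: every DC priority 0, weight 100."""
    return [SrvRecord(0, 100, 389, f"{dc}.{DOMAIN}") for dc in ALL_DCS]


def tuned_registration():
    """Unreachable DCs demoted to a higher priority value (LdapSrvPriority)."""
    return [
        SrvRecord(0 if dc in REACHABLE else 10, 100, 389, f"{dc}.{DOMAIN}")
        for dc in ALL_DCS
    ]


if __name__ == "__main__":
    print("default:", distribution(default_registration()))
    print("tuned:  ", distribution(tuned_registration()))
```

With the default registration the five DCs each receive roughly a fifth of the lookups; after demoting the three firewalled DCs to priority 10, only dc01 and dc02 are ever selected while they answer, and the others remain available as fallback. Note that this only governs SRV lookups (the DC locator path); the bare domain-name A record that `ping noamer.domainb.com` hits carries no priority or weight and is simply round-robined, so for that name the DNS-side control is to stop the firewalled DCs registering it at all via the DnsAvoidRegisterRecords list (the LdapIpAddress mnemonic in the KB 306602 article the answer cites).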
 
LVL 1

Author Comment

by:Halonix666
ID: 18928746
I'm going to go ahead and accept that as the solution, as I think that pretty much gives me enough ammo and a solution to start getting on them about it. I think your suggestion of changing SRV record weight and priority should suffice as an acceptable solution to this issue. Thank you for answering all of my questions :)
0
