creating a forest trust between 2 domains on 2 different subnets

Hi, i am in the process of creating a forest trust between 2 domains on 2 different subnets,ie. and, I have 2vwindows 2003 server DC on different subnets pointing to themselves to relsolve DNS
I can ping between them and relsolve a dns name via nslookup
when i try creating a forest trust between the 2 domains i get an error message saying that i can;t create a forest trust, i can create a realm trust but that is not what i need? Not sure what i am missing??
there is a vlan between the 2 networks now and all ports should be open on the pix firewall to allow communication between networks
i just can't get one server to recognize the other when i do a search for a computer on the servers, the server will find a computer via the ip address that i enter, but i get an unknown folder? when i try to authenticate with an admin password it doesn't work and i assume this is because i am unable to get this forest trust set up, i think if i can set up the trust it will take care of these issues? The forest functional level is set to server 2003!
any suggestions would be greatly appreciated
Who is Participating?
Netman66Connect With a Mentor Commented:
Partially correct.

I think the problem is because you are hosting zones for the opposite domain and (perhaps) they aren't current and/or you can't resolve the _msdcs zones properly for the opposite domains.

You want to first go into DNS and expand each Forward zone.
Right click the opposite domain's zone and select Properties, then select the Zone Transfer tab.  Uncheck Allow Zone transfers to make sure the other domain's DNS server isn't trying to send stuff when the zones are gone.

Next, delete the opposite domain's zones (CAREFUL - don't delete the wrong zones).

Next, right click the server name in DNS and select Properties.
On the Forwarders tab under DNS Domains, highlight the "All other DNS domains" entry and make sure the ISP DNS address is set in the "Selected domains forwarder IP_address list".

Next, in the DNS Domains list click the New button.
Add the FQDN of the opposite domain.  Click OK.
With the new entry selected Add the IP address of the other domain's DNS server.

Repeat this on the opposite domain.

Try pinging the opposite domain name and a few other nodes in the opposite domain to see if you get resolution working.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Are you creating the "Forest Trust" between the root domains? If not then you'll need to create a "Domain Trust" instead.

In either case you'll need to configure secondary DNS zone for the opposite domain,295199,sid63_gci1104911,00.html

Also, once the trust is created, you'll need to configure access permissions for the resources you want to share.
cdubbciscoAuthor Commented:
how do i create a secondary zone?                                                                                               Still on SERVERA, create a SECONDARY zone called
Indicate that the Master server for the zone it Server1.
On Server1, create a zone called
Indicate that the Master server for the zone is SERVERA.
Check that the Zones are correctly populated by accepting your changes and then double-clicking on the new zone.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

You don't necessarily need a secondary zone for each domain on the other.

Since both appear to be 2003 DNS, then use conditional forwarding - but when accessing the other domain use the FQDN to get there.  Conditional forwarding is done on the Forwarder tab.  Add the opposite domain and provide the SOA server IP.

you can also opt for a stub zone which makes more sense in your scenario. as we experts here give you different solutions it is up to you to choose which one suits your need the most.

Hope this helps
Bird DogCommented:
When you are creating your trusts you are making sure that you are using the complete domain name for both sides. ie and not 123 and mysite.
cdubbciscoAuthor Commented:
I am  using conditional forwarding with the selected domains forwarder ip address in the list pointing to the address of the domain it is trying to communicate with, for  example in server i am pointing to ip address in the forwarders list I am able to ping each way via FQDN and i.p.
also when doing an nslookup cmd it is able to solve that as well each way
Bird DogCommented:
what happens when you try the trust by domain name instead of ip. I myself haven't had very much luck by ip but never had problem by domain name.
cdubbciscoAuthor Commented:
I have been trying to create it with a FQDN, i can create a Realm trust but not a trust to a windows domain,
i get a cannot continue message because the specified domain cannot be contacted.
either the domain does not exit, or network or other problems are preventing connetion.
I am not sure what to try next, considering i can ping via hostname.
You are attempting to create this between both Forest Root DCs - correct?
cdubbciscoAuthor Commented:
cdubbciscoAuthor Commented:
i currently have the forwarders on each DC set up to point to the other Domain Controllers ip, there are forward and reverse lookup zones created with each domains ip address in the reverse lookup zone
under properties for these connections transfers is not set up......... but forwarding is............ SOA is set up as well with the FQDN..... Do i need the primary server name to be the same as that of the address that is associated with that server under reverse lookup zones\192.168.9.X\Properties or do i use the other server or better word for it Domain Controllers name here instead?
I am thinking i am not getting some info right in DNS setup?

Bird DogCommented:
When I set up my trusts between forests I didn't even have the reverse lookup zones set up. So under Forward lookup zones you have your two domain names listed there. Then under those domains you created new records what are the records that you created?
You are creating a lookup loop by putting forwarders to each other.  Setup conditional forwarding where each domain has the other domain listed specifically by domain name and leave the entry fro All other domains set to forward to the ISP.

If you ping the other domain by its NetBIOS name what return to you get?  Do you see your own DNS suffix appended to the ping or does it return the opposite FQDN properly - with an IP.
cdubbciscoAuthor Commented:
when you say NETBIOS, that would be the same as the Fully Qualified Domain Name...correct? when i ping to the remote server via FQDN i get a reply with the I.P. address of the server that i am pinging, nslookup resolves the hostname as would I Setup conditional forwarding where each domain has the other domain listed specifically by domain name and leave the entry for All other domains set to forward to the ISP?
As far as the forward lookup zones go i didn't set those up, but there are 3 domains listed one is titled _msdcs.ABC.local...........not sure what this is for????
and then the 2 domains that i have been working with are the

and FMTC.local
The SOA FOR THE FMTC.local domain is set to itself
The SOA for the ABC.local domain is set to the FMTC.local domain name
The Name Servers Properties tab is set to the FQDN of THE FMTC.local domain on each
Domain name in the Forward Lookup Zone on THE FMTC.local Domain Controller
set up for forward lookup zones looks the same on the ABC.local Domain Controller
No, NetBIOS name is the single-label computer (or domain) name.

Ok, here is what you do.

1) The _msdcs zone is the Service Locator zone for the AD - don't delete this.  You should have 2 of them (one for each Forest if they are different Forests), unless the domains are both in the same forest, then you'll see both zones ( and _msdcs.fmtc.local) on each DNS server in this forest.
2)  It isn't necessary to host the forward lookup zone for the opposite domain - the accuracy of this zone depends on replication between primary and secondary zones.
3)  I would remove the zone for the opposite domain and make sure any zone transfer settings were cleaned up and removed.
4) On the forwarder tab in the properties of each dns server is where you setup conditional forwarding - also where you set the ISP address.

As it looks now, it appears the SOA for ABC is set to FMTC - which is likely causing the failures.

cdubbciscoAuthor Commented:

So what you are saying is that for example under each forward lookup zone for each server ....
say i am looking at server ABC.local, i don't need the fmtc.local domain under the forward lookup zone and then under the FMTC.local domain controller in the forward lookup zone i don't need and should delete the ABC.local domain in that forward lookup zone and under the forwarders tab under properties for each Server/Domain Controller i should have the IP address of the other server listed in the forwarders list
example: for Server ABC.local which say as an ip address of,....... under the forwarders tab i should have an ip address in the list that points to the other server: FMTC.local with its IP address and the same way with the other server?  Do i need anything under the reverse lookup zones?
cdubbciscoAuthor Commented:
that last comment seemed to do it, Thanks, i was able to set up a forest trust!!
however there is still 1 issue....from the fmtc.local domain controller i was able to search for and find the ABC.local Domain controller with no issues from my network places, but from the ABC.local domain controller i could find the fmtc.local D.C. but under the title  lN Folder.........=Unknown
SO it prompts me for a user name a password.....of which i enter the administrator user name and password with no success...sooo i can find the server from 1 direction but not the other now that i have the forest trust established?
thanks Netman66
You need to create a two-way trust.  Both incoming and outgoing to make this happen.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.