Solved

creating a forest trust between 2 domains on 2 different subnets

Posted on 2007-07-19
1,808 Views
Last Modified: 2009-03-17
Hi, I am in the process of creating a forest trust between 2 domains on 2 different subnets, i.e. 192.168.17.0/24 and 192.168.9.0. I have 2 Windows 2003 Server DCs on different subnets pointing to themselves to resolve DNS.
I can ping between them and resolve a DNS name via nslookup.
When I try creating a forest trust between the 2 domains I get an error message saying that I can't create a forest trust. I can create a realm trust, but that is not what I need. Not sure what I am missing?
There is a VLAN between the 2 networks now, and all ports should be open on the PIX firewall to allow communication between networks.
I just can't get one server to recognize the other. When I do a search for a computer on the servers, the server will find a computer via the IP address that I enter, but I get an unknown folder. When I try to authenticate with an admin password it doesn't work, and I assume this is because I am unable to get this forest trust set up. I think if I can set up the trust it will take care of these issues? The forest functional level is set to Server 2003!
Any suggestions would be greatly appreciated.
Thanks
Question by:cdubbcisco
19 Comments
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 19527834
Are you creating the "Forest Trust" between the root domains? If not then you'll need to create a "Domain Trust" instead.

In either case you'll need to configure secondary DNS zone for the opposite domain http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html

Also, once the trust is created, you'll need to configure access permissions for the resources you want to share.
0
 

Author Comment

by:cdubbcisco
ID: 19528015
How do I create a secondary zone?

Still on SERVERA, create a SECONDARY zone called 123.com.
Indicate that the Master server for the 123.com zone is Server1.
On Server1, create a zone called ABC.com.
Indicate that the Master server for the ABC.com zone is SERVERA.
Check that the zones are correctly populated by accepting your changes and then double-clicking on the new zone.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 19528060
You don't necessarily need a secondary zone for each domain on the other.

Since both appear to be 2003 DNS, then use conditional forwarding - but when accessing the other domain use the FQDN to get there.  Conditional forwarding is done on the Forwarder tab.  Add the opposite domain and provide the SOA server IP.

0
 
LVL 11

Expert Comment

by:kamalgopi
ID: 19528655
You can also opt for a stub zone, which makes more sense in your scenario. As we experts here give you different solutions, it is up to you to choose which one suits your need the most.

Hope this helps
Cheers :)
Kamal
0
 
LVL 8

Expert Comment

by:Bird Dog
ID: 19530792
When you are creating your trusts, make sure that you are using the complete domain name for both sides, i.e. 123.on.ca and mysite.on.ca, not 123 and mysite.
0
 

Author Comment

by:cdubbcisco
ID: 19532254
I am using conditional forwarding, with the selected domain's forwarder IP address in the list pointing to the address of the domain it is trying to communicate with. For example, in server 192.168.9.8 I am pointing to IP address 192.168.17.2 in the forwarders list. I am able to ping each way via FQDN and IP.
Also, when doing an nslookup command it is able to resolve that as well each way.
0
 
LVL 8

Expert Comment

by:Bird Dog
ID: 19532340
What happens when you try the trust by domain name instead of IP? I myself haven't had very much luck by IP but never had a problem by domain name.
0
 

Author Comment

by:cdubbcisco
ID: 19532855
I have been trying to create it with a FQDN. I can create a Realm trust but not a trust to a Windows domain.
I get a "cannot continue" message because the specified domain cannot be contacted:
either the domain does not exist, or network or other problems are preventing connection.
I am not sure what to try next, considering I can ping via hostname.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 19533007
You are attempting to create this between both Forest Root DCs - correct?
0
 

Author Comment

by:cdubbcisco
ID: 19533251
yep
0
 

Author Comment

by:cdubbcisco
ID: 19534058
I currently have the forwarders on each DC set up to point to the other Domain Controller's IP. There are forward and reverse lookup zones created with each domain's IP address in the reverse lookup zone.
Under properties for these connections, zone transfers is not set up, but forwarding is. SOA is set up as well with the FQDN. Do I need the primary server name to be the same as that of the address that is associated with that server under Reverse Lookup Zones\192.168.9.X\Properties, or do I use the other server's (or, better word for it, Domain Controller's) name here instead?
I am thinking I am not getting some info right in the DNS setup?
0
 
LVL 8

Expert Comment

by:Bird Dog
ID: 19534160
When I set up my trusts between forests I didn't even have the reverse lookup zones set up. So under Forward Lookup Zones you have your two domain names listed there. Then under those domains you created new records; what are the records that you created?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 19536730
You are creating a lookup loop by putting forwarders to each other.  Set up conditional forwarding where each domain has the other domain listed specifically by domain name, and leave the entry for "All other domains" set to forward to the ISP.

If you ping the other domain by its NetBIOS name, what return do you get?  Do you see your own DNS suffix appended to the ping, or does it return the opposite FQDN properly - with an IP?
0
 

Author Comment

by:cdubbcisco
ID: 19537257
When you say NetBIOS, that would be the same as the Fully Qualified Domain Name, correct? When I ping the remote server via FQDN I get a reply with the IP address of the server that I am pinging; nslookup resolves the hostname as well. How would I set up conditional forwarding where each domain has the other domain listed specifically by domain name and leave the entry for "All other domains" set to forward to the ISP?
As far as the forward lookup zones go, I didn't set those up, but there are 3 domains listed. One is titled _msdcs.ABC.local; not sure what this is for?
And then the 2 domains that I have been working with are

ABC.local
and FMTC.local
WINS and zone transfers are not enabled on either one.
The SOA for the FMTC.local domain is set to itself.
The SOA for the ABC.local domain is set to the FMTC.local domain name.
The Name Servers properties tab is set to the FQDN of the FMTC.local domain on each
domain name in the Forward Lookup Zone on the FMTC.local Domain Controller.
The setup for forward lookup zones looks the same on the ABC.local Domain Controller.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 19541292
No, NetBIOS name is the single-label computer (or domain) name.

Ok, here is what you do.

1) The _msdcs zone is the Service Locator zone for the AD - don't delete this.  You should have 2 of them (one for each Forest if they are different Forests), unless the domains are both in the same forest, in which case you'll see both zones (_msdcs.abc.local and _msdcs.fmtc.local) on each DNS server in this forest.
2) It isn't necessary to host the forward lookup zone for the opposite domain - the accuracy of this zone depends on replication between primary and secondary zones.
3) I would remove the zone for the opposite domain and make sure any zone transfer settings were cleaned up and removed.
4) The Forwarders tab in the properties of each DNS server is where you set up conditional forwarding - also where you set the ISP address.

As it looks now, it appears the SOA for ABC is set to FMTC - which is likely causing the failures.

0
 

Author Comment

by:cdubbcisco
ID: 19547452
Netman66,

So what you are saying is that, for example, under each forward lookup zone for each server:
say I am looking at server ABC.local, I don't need the fmtc.local domain under the forward lookup zone, and then under the FMTC.local domain controller in the forward lookup zone I don't need and should delete the ABC.local domain in that forward lookup zone, and under the Forwarders tab under properties for each Server/Domain Controller I should have the IP address of the other server listed in the forwarders list?
Example: for server ABC.local, which has, say, an IP address of 192.168.17.2, under the Forwarders tab I should have an IP address in the list that points to the other server, FMTC.local, with its IP address, and the same way with the other server?  Do I need anything under the reverse lookup zones?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 19547909
Partially correct.

I think the problem is because you are hosting zones for the opposite domain and (perhaps) they aren't current and/or you can't resolve the _msdcs zones properly for the opposite domains.

You want to first go into DNS and expand each Forward zone.
Right click the opposite domain's zone and select Properties, then select the Zone Transfer tab.  Uncheck Allow Zone transfers to make sure the other domain's DNS server isn't trying to send stuff when the zones are gone.

Next, delete the opposite domain's zones (CAREFUL - don't delete the wrong zones).

Next, right click the server name in DNS and select Properties.
On the Forwarders tab under DNS Domains, highlight the "All other DNS domains" entry and make sure the ISP DNS address is set in the "Selected domains forwarder IP_address list".

Next, in the DNS Domains list click the New button.
Add the FQDN of the opposite domain.  Click OK.
With the new entry selected Add the IP address of the other domain's DNS server.

Repeat this on the opposite domain.

Try pinging the opposite domain name and a few other nodes in the opposite domain to see if you get resolution working.
0
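The same procedure as a script, as an added example that is not part of the thread: it runs on the ABC.local DC and uses the DnsServer cmdlets of Windows Server 2012 and later (on Server 2003 the equivalent tool is dnscmd.exe). The domain names and DC addresses are the ones quoted in the thread; the ISP resolver address, the `Test-ForestDnsLocator` helper and its `_msdcs` SRV queries are assumptions for illustration.

```powershell
# Added example, not from the thread. Run on the ABC.local DC (192.168.17.2) as a
# DNS admin. ASSUMPTIONS: opposite forest = fmtc.local with its DC at 192.168.9.8
# (both from the thread); the ISP resolver IP below is a placeholder.
#Requires -Modules DnsServer, DnsClient

$OppositeDomain = 'fmtc.local'
$OppositeDnsIp  = '192.168.9.8'
$IspDns         = '203.0.113.53'   # PLACEHOLDER: replace with the real ISP resolver

# Step 1: if this server hosts a (stale) copy of the opposite domain's zone, stop
# transfers first, then remove it. A 'Forwarder' zone type is the conditional
# forwarder itself and must not be touched here. CAREFUL: never the local forest zones.
$zone = Get-DnsServerZone -Name $OppositeDomain -ErrorAction SilentlyContinue
if ($null -ne $zone -and $zone.ZoneType -ne 'Forwarder') {
    if ($zone.ZoneType -eq 'Primary') {
        Set-DnsServerPrimaryZone -Name $OppositeDomain -SecureSecondaries NoTransfer
    }
    Remove-DnsServerZone -Name $OppositeDomain -Force
}

# Step 2: "All other DNS domains" goes to the ISP only, never to the other DC,
# otherwise the two servers forward unknown names to each other in a loop.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# Step 3: conditional forwarder for the opposite forest only (same as the
# "New" button on the Forwarders tab). Repeat steps 1-3 on the fmtc.local DC
# with the names and addresses swapped.
if (-not (Get-DnsServerZone -Name $OppositeDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $OppositeDomain `
        -MasterServers $OppositeDnsIp -ReplicationScope Forest
}

# Step 4 (hypothetical helper): a forest trust needs the opposite forest's DC
# locator SRV records under _msdcs, so check those rather than just pinging.
function Test-ForestDnsLocator {
    param([string]$Domain, [string]$Server = '127.0.0.1')
    $queries = @("_ldap._tcp.dc._msdcs.$Domain",
                 "_kerberos._tcp.dc._msdcs.$Domain",
                 "_ldap._tcp.pdc._msdcs.$Domain")
    foreach ($q in $queries) {
        $srv = Resolve-DnsName -Name $q -Type SRV -Server $Server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{ Query = $q; Resolved = [bool]$srv
                           Target = ($srv | Select-Object -First 1).NameTarget }
    }
}

Test-ForestDnsLocator -Domain $OppositeDomain | Format-Table -AutoSize
```

If any of the three queries comes back unresolved on either side, the trust wizard will report that the domain cannot be contacted even though plain pings and nslookup of hostnames succeed.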
 

Author Comment

by:cdubbcisco
ID: 19549227
That last comment seemed to do it. Thanks, I was able to set up a forest trust!!
However, there is still 1 issue. From the fmtc.local domain controller I was able to search for and find the ABC.local Domain Controller with no issues from My Network Places, but from the ABC.local domain controller I could find the fmtc.local DC, but under the title "In Folder" = Unknown.
So it prompts me for a user name and password, of which I enter the administrator user name and password with no success. So I can find the server from 1 direction but not the other, now that I have the forest trust established?
Thanks Netman66
0
 
LVL 51

Expert Comment

by:Netman66
ID: 19549240
You need to create a two-way trust.  Both incoming and outgoing to make this happen.

0
