active directory forest trust setup problem?

Posted on 2007-07-24
Medium Priority
Last Modified: 2012-08-13
I've set up 2 forests within virtual server. Only one top-level domain in each forest. This has been set up for exam purposes, but I'm having a problem with setting up the trust relationship.
Forest one: UK.com, server name: London
IP address
DNS server

Forest two: USA.com, server name: newyork
IP address
DNS server

When I go to create the trust and I enter the trusted forest's name usa.com, I receive "the name you specified is not a valid windows domain name"?
I need some advice on setting up DNS. Do I include a secondary DNS zone on each DNS server which reflects the other DNS server? (I want a two-way forest trust.) I did set up a secondary DNS zone on the London server which reflected the IP details of the USA server, but it fails to pull down the zone database; it has a red cross over the secondary zone name. Curious, though, as I can ping the USA server name and run an nbtstat to it (nslookup fails). This indicates that the shared virtual network is functioning correctly.

Also, I've deliberately set up each domain's IP details to be on different subnets so that I can play around with trusts etc. Do I need to include an IP subnet within 'Sites and Services' to reflect the alternate subnets? Can someone briefly explain what these subnet entries mean?
Thank you
Question by:Jason Thomas
LVL 31

Accepted Solution

Toni Uranjek earned 300 total points
ID: 19556303
Hi JasonHels,

You need to allow zone transfers from one server to another if you want secondary zones to work. It's easier if you create a stub zone or use conditional forwarding.
Do not use nbtstat; you have to use nslookup, because the data that your server is looking for is in DNS (SRV records). Remember to use "ipconfig /flushdns" often if you are making DNS changes.
Subnet objects "help" clients to find domain controllers on the same subnet. If subnet objects are not created and linked to sites, it's possible that clients will authenticate on domain controllers in other sites.


LVL 13

Assisted Solution

ocon827679 earned 300 total points
ID: 19556326
Are your forests in 2003 mode?  If so, set up "conditional forwarding" so that your first domain can find the other and vice versa.  Since you seem to be studying for an exam, look up conditional forwarding: how it works, when to use it, and how to configure it.  It's quite easy!

Assisted Solution

iCoreKC earned 600 total points
ID: 19556377
As far as DNS is concerned, they have to resolve each other's forest names, so I would use selective forwarding to forward to your DNS servers in each forest.  You shouldn't have to set up secondary zones if you do this.

Sites only need to be set up so DCs know how to replicate with each other and so that multiple segments have an order for login purposes.  You shouldn't have to set up sites, as the Default First Site is fine.
No alternate subnets are needed.

If you get your DNS going, your trusts should rock.

Assisted Solution

iCoreKC earned 600 total points
ID: 19556529
Here is how to set up Selective / Conditional forwarding.  They are one and the same.


Assisted Solution

dooleydog earned 300 total points
ID: 19556690
Regardless, domain A needs to be able to resolve the name of domain B, which means an entry in domain A's DNS for domain B, and vice versa.

Conditional forwarding is the solution.

Once you have name resolution working, then a trust should be a piece of cake.

Good Luck,
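
The conditional-forwarding and verification steps the answers above describe (Toni Uranjek's, ocon827679's, iCoreKC's and dooleydog's), as an added PowerShell example that is not from the thread. It assumes Windows Server 2012 or later for the DnsServer and ActiveDirectory modules (the dnscmd equivalent for 2003-era servers is noted in a comment), is run on the london server and then mirrored on newyork with the names swapped, and uses placeholder RFC 5737 addresses in place of the real server IPs.

```powershell
# Added example (not from the thread). Run on the uk.com DNS server (london);
# repeat on newyork with $LocalForest/$RemoteForest and the addresses swapped.
$LocalForest  = 'uk.com'
$RemoteForest = 'usa.com'
$RemoteDnsIP  = '198.51.100.10'   # newyork's IP address (placeholder)
$LocalSubnet  = '192.0.2.0/24'    # london's own subnet (placeholder)

Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Conditional forwarder: any query for usa.com goes straight to newyork's DNS.
#    This replaces the red-crossed secondary zone, which only works if newyork
#    explicitly allows zone transfers to london.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest `
        -MasterServers $RemoteDnsIP -ReplicationScope Forest
}
# Windows Server 2003 equivalent (no DnsServer module there):
#   dnscmd /ZoneAdd usa.com /Forwarder 198.51.100.10

# 2. Drop cached negative answers from the earlier failed lookups
#    (the same thing "ipconfig /flushdns" does).
Clear-DnsClientCache

# 3. The trust wizard locates the other forest through its DC locator SRV
#    records; if this lookup fails, the "not a valid windows domain name"
#    error persists no matter how well ping or nbtstat work.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" `
    -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority | Format-Table -AutoSize

# 4. Confirm the DC locator itself can now find a DC in the other forest.
nltest /dsgetdc:$RemoteForest

# 5. Optional, not required for the trust: register this forest's own subnet
#    and link it to the default site so clients on it are matched to a site
#    (and its DCs) instead of authenticating against a DC in another site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$LocalSubnet'")) {
    New-ADReplicationSubnet -Name $LocalSubnet -Site 'Default-First-Site-Name'
}
```

Once step 3 returns SRV records from both sides, the forest trust wizard can resolve the remote forest name and the two-way trust can be created.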


Author Comment

by:Jason Thomas
ID: 19581656
Thanks everyone. I haven't touched DNS since NT4 days and so I had a lot to learn. I got some really useful stuff from http://www.computerperformance.co.uk/w2k3/services/DNS_Home.htm
I now have my forests talking to each other.
