Active Directory forest trust setup problem?

Posted on 2007-07-24
Last Modified: 2012-08-13
I've set up 2 forests within Virtual Server. Only one top-level domain in each forest. This has been set up for exam purposes, but I'm having a problem with setting up the trust relationship.
Forest one- server name- London
IP address
DNS server

Forest two- server name- newyork
IP address
DNS server

When I go to create the trust and I enter the trusted forest's name, I receive "the name you specified is not a valid windows domain name"?
I need some advice on setting up DNS. Do I include a secondary DNS zone on each DNS server which reflects the other DNS server? (I want a two-way forest trust.) I did set up a secondary DNS zone on the London server which reflected the IP details of the USA server, but it fails to pull down the zone dbase; it has a red cross over the secondary zone name. Curious though, as I can ping the USA server name and run an nbtstat to it (nslookup fails). This indicates that the shared virtual network is functioning correctly.

Also, I've deliberately set up each domain's IP details to be on different subnets so that I can play around with trusts etc. Do I need to include an IP subnet within 'Sites and Services' to reflect the alternate subnets? Can someone briefly explain what these subnet entries mean?
Thank you
Question by:Jason Thomas
    LVL 31

    Accepted Solution

    Hi JasonHels,

    You need to allow zone transfers from one server to another if you want secondary zones to work. It's easier if you create a stub zone or use conditional forwarding.
    Do not use nbtstat; you have to use nslookup because the data that your server is looking for is in DNS (SRV records). Remember to use "ipconfig /flushdns" often if you are making DNS changes.
    A subnet object "helps" clients to find domain controllers on the same subnet. If subnet objects are not created and linked to sites, it's possible that clients will authenticate on domain controllers in other sites.


    LVL 13

    Assisted Solution

    Are your forests in 2003 mode? If so, set up "conditional forwarding" so that your first domain can find the other and vice versa. Since you seem to be studying for an exam, look up conditional forwarding: how it works, when to use it, and how to configure it. It's quite easy!
    LVL 9

    Assisted Solution

    As far as DNS is concerned, they have to resolve each other's forest names, so I would use selective forwarding to forward to your DNS servers in each forest. You shouldn't have to set up secondary zones if you do this.

    Sites only need to be set up so DCs know how to replicate with each other and so that multiple segments have an order for login purposes. You shouldn't have to set up Sites as the Default First Site is fine.
    No alternate subnets are needed.

    If you get your DNS going, your trusts should rock.
    LVL 9

    Assisted Solution

    Here is how to set up Selective / Conditional forwarding.  They are one and the same.
    LVL 9

    Assisted Solution

    Regardless, domain A needs to be able to resolve the name of domain B, which means an entry in domain A's DNS for domain B, and vice versa.

    Conditional forwarding is the solution.

    Once you have name resolution working, then a trust should be a piece of cake.

    Good Luck,

    LVL 1

    Author Comment

    by:Jason Thomas
    Thanks everyone. I haven't touched DNS since NT4 days and so I had a lot to learn. I got some really useful stuff from
    I now have my forests talking to each other.
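
The name-resolution setup the answers above describe (a conditional forwarder on each side, a cache flush, then an SRV lookup instead of ping or nbtstat), as an added example that is not part of the original thread. It assumes the DnsServer PowerShell module of Windows Server 2012 or later (the thread's 2003-era servers would do the same steps in the DNS console); the forest names and IP addresses are constructed placeholders.

```powershell
# Added example. Forest names and DNS server IPs below are constructed placeholders.
# Run once on each forest's DNS server, passing the *other* forest's values:
#   on London:  -RemoteForest 'newyork.example' -RemoteDnsServer '198.51.100.10'
#   on newyork: -RemoteForest 'london.example'  -RemoteDnsServer '192.0.2.10'
param(
    [Parameter(Mandatory)] [string] $RemoteForest,
    [Parameter(Mandatory)] [string] $RemoteDnsServer
)

# 1. Forward queries for the other forest's namespace to its DNS server.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDnsServer
}

# 2. Drop answers cached from earlier failed lookups (server and local resolver).
Clear-DnsServerCache -Force
Clear-DnsClientCache

# 3. Domain controllers are located through SRV records in DNS, so test those
#    records directly; a successful ping or NetBIOS lookup proves nothing here.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteForest",
    "_kerberos._tcp.dc._msdcs.$RemoteForest",
    "_ldap._tcp.pdc._msdcs.$RemoteForest"
)
$failed = @()
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { throw "no SRV records returned" }
        foreach ($r in $srv) {
            "{0,-45} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port
        }
    } catch {
        $failed += $name
        Write-Warning "$name did not resolve: $($_.Exception.Message)"
    }
}

if ($failed.Count) {
    Write-Error "Fix DNS before creating the trust; unresolved: $($failed -join ', ')"
    exit 1
}
"All DC locator records for $RemoteForest resolve; name resolution is ready for the trust."
```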
