dweb937

asked on

How to set up Forest to Forest Domain Trust through VPN with Windows Server 2003?

Hello,
I've been working on setting up a Forest to Forest Domain Trust between two separate physical locations connected by VPN.  However, the Domains are still not able to see each other and resolve names via DNS.  Following are the steps I've come across in my research and have taken thus far:

1.  Raised the Domain Functional Level from Windows 2000 Mixed to Windows 2000 Native.  The Forest Functional Level is Windows 2000.
2.  Added Secondary Zones to both DNS servers
3.  Set to 'allow zone transfers' on both DNS Servers
4.  I've opened the following ports on my CISCO 1841 router - 135, 389, 636, 3268, 3269, 53, and 445.  There is a range of TCP ports 1024 - 65535 that I have not opened because I do not see how to do this in the GUI Administration Software for the router.  Also, I didn't open TCP/UDP 88 because I didn't think I needed to since I'm running Windows Server 2003.

What am I missing here?  Any help is appreciated.
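The port list in step 4 is easiest to verify from the side that is opening the trust. The script below is an added example written for this thread, not something from the original post: it runs a TCP connect probe against each port the asker listed, plus Kerberos 88 (which the thread discusses), on the peer domain controller and reports which ones are blocked. The peer address 192.168.2.1 is a placeholder; the RPC dynamic range 1024-65535 that the endpoint mapper hands out is not probed here, since a single connect test cannot cover it.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the asker opened on the 1841, plus Kerberos 88 (discussed in the thread).
# The RPC endpoint mapper (135) hands out a dynamic port in 1024-65535, which
# is why that range comes up in the thread; a fixed-port probe cannot cover it.
TRUST_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog SSL",
}


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as not open.
        return False


def check_trust_ports(host, ports=TRUST_PORTS, timeout=2.0):
    """Probe every port in parallel; return {port: reachable}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = pool.map(lambda p: (p, probe_tcp(host, p, timeout)), ports)
    return dict(results)


def missing_ports(results):
    """Sorted list of ports that did not answer."""
    return sorted(p for p, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Placeholder peer DC address; pass the real one on the command line.
    peer = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1"
    res = check_trust_ports(peer)
    for port in sorted(res):
        label = TRUST_PORTS.get(port, "")
        print(f"{port:5d} {label:22s} {'open' if res[port] else 'BLOCKED'}")
    print("blocked:", missing_ports(res))
```

Run it from a machine on the same subnet as server A, pointed at server B's DC, and compare the blocked list with the router rules; a port that is open on the router but still blocked usually means a host firewall on the DC itself, which is the same question that comes up later in this thread about pings.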

JasonTracy

I see on step 3 that you allowed zone transfers...did you put in the IP addresses of the other servers?  Are they set up to be notified?  Can you see if the initial transfer went through?

Check the event log for DNS errors.
dweb937

ASKER

Yes and no.  On my server I put in the IP Address of the other server.  On the other server, the Admin had it already set up to allow transfers to any server.  No, I had not set it up to notify the other server.  I just did though.

I did check the log for DNS errors and did not see any errors - a few warnings here and there with Event ID 3000.
So, when you added the secondary zone on server A, you said to make it a secondary to server B and put in Server B's IP.  Then on server B, you set zone transfers to allow all.  You would do the same in reverse for server B to A.

See if the primary zones are set to AD-Integrated.  That may be preventing the replication.  Also, just make sure you can ping the servers from each end.
dweb937

ASKER

Yes, if my server is A and the other server is B, I created a new zone that is a secondary zone (for Server B) on Server A under the Forward Lookup Zones and put in Server B's IP Address.   On both servers A & B we set allow zone transfers to (in my case server B's IP Address, and in the other case set to all).  This was done by right-clicking on Server A's Forward Lookup Zone, on the Zone Transfers tab.

Server A's Forward Lookup Zone is AD-Integrated but the Secondary zone for Server B is not.  Should that be changed?

We can ping each other's servers using the IP Addresses but cannot ping using the DNS names of the servers.
Yes, change the primary zones at both ends to "Primary" rather than AD-integrated.  You'll be able to change this back once DNS is working and they're joined to the same forest.
dweb937

ASKER

You sure this won't mess anything up on our domains?  What are the next steps after doing this?
If there are other DNS servers on domain A, they will also need to be set up as secondary zones just like what you're doing on B.  If you don't do that, replication will stop within A's domain.

Without doing it myself, I couldn't promise that everything WILL work, since there can be things that neither of us may be aware of in your environment.
ASKER CERTIFIED SOLUTION
JasonTracy

BTW, in 2003 server, you can forward lookups for certain domains.  I don't know if you can do that in 2000 server or not.  If you can, then that would work and not impact Internet DNS lookups.
dweb937

ASKER

JasonTracy,

I'm a little confused about your last post.  Is this another option?  If so, how do you do this?  Both DNS/DC servers are running Windows Server 2003.  We just have the functional levels of the forest and domain set to 2000 and 2000 native, respectively.

Thanks!
OK, great!  Yes, this is a totally different way.  This way, you don't replicate the DNS zones until you have Active Directory integrated between the domains and you don't change from AD-integrated zones.

In 2003, you can do conditional forwarding.  This tells server A "When you get requests for B's domain, go look them up at B's IP address".

Here is a page that explains how to do it: http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Give it a read and let me know if you have any questions.  There should be no risk with this way of doing it.
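The quickest way to tell whether a conditional forwarder is actually working is to ask server A's DNS for the record a trust needs most: the SRV record that locates domain B's domain controllers. The script below is an added example for this thread, not the article linked above or anything from the original posts. It builds the DNS query by hand, sends it to the forwarder address you configured (192.168.1.1 from the thread is used as a placeholder), and parses the SRV answers; the `_ldap._tcp.dc._msdcs.<domain>` name is the standard Active Directory DC locator record. A non-zero RCODE (for example NXDOMAIN) is raised as an error, which is exactly what you see when the forwarder is not reaching domain B.

```python
import socket
import struct

SRV = 33  # DNS record type for SRV


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Single-question DNS query for an SRV record, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (next_off if jumped else off)


def parse_srv_response(msg, expected_txid=None):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        # 3 = NXDOMAIN, 2 = SERVFAIL, 5 = REFUSED: the forwarder did not resolve it
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records


def locate_dcs(dns_server_ip, domain, timeout=3.0):
    """Ask the DNS server that holds the conditional forwarder where domain's DCs are."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    query = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, expected_txid=0x1234)


if __name__ == "__main__":
    # Placeholder values: server A's DNS address and domain B's name.
    for prio, weight, port, target in locate_dcs("192.168.1.1", "domainb.net"):
        print(f"{target}:{port} (priority {prio}, weight {weight})")
```

Point it at server A's own DNS service, not directly at server B: the whole question is whether A forwards domain B's queries correctly. If the answer lists B's domain controllers, the forwarder works regardless of whether pings to B are blocked.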
dweb937

ASKER

JasonTracy,

Thanks for the link.  This seems pretty straightforward.  I'm assuming we would need to do this for both servers A & B?  So, if we do this then should we delete the Secondary Zones and uncheck 'allow zone transfers'?

I went to WHO IS and got the Name Server for the other domain.  Then I pinged it and it timed out.  So, I'm wondering how reliable this method is?  It sounds wonderful if we can get it to work.

Thanks for your help
Correct, delete the secondary zones before testing this.  You may also want to clear your cache and reboot your testing computer before you try it.

You would want to do it on both servers.

If you're going to test by ping, make sure to use the FQDN.  Type server1.domainb.net instead of just server1, for example.
dweb937

ASKER

I want to also make sure that I'm understanding which IP address I use for conditional forwarding.  It would be the IP address of the Nameserver for Server B's domain, correct?  And vice versa.
dweb937

ASKER

The pinging that I was referring to is the one referenced in the link you provided.   I'm trying to ping the IP address of the Nameserver for Server B's domain.  I haven't even gotten to the point of trying to ping Server B's DNS/DC.
So, if server A is 192.168.1.1, and server B is 192.168.2.1, you're trying to ping 192.168.2.1 from computer 192.168.1.1 and that isn't working?

I just re-read your question.  I don't see where you have ICMP allowed, so pings may not work.  Either open ICMP up, or try doing it without the ping step.

dweb937

ASKER

But if I can't ping the forwarding name server, then how will it be able to resolve names?

Also, how do you open up ICMP?

If you don't hear back from me today, it's because I'm out of the office and I'll respond tomorrow morning.  Thanks for all your help.
ICMP (your pings) is its own protocol, like TCP or UDP.  It must be allowed for pings to work.

Even if you don't allow it, DNS traffic (TCP and UDP port 53) can still go through.
dweb937

ASKER

But, still don't understand the following:  "But if I can't ping the forwarding name server, then how will it be able to resolve names if set up as a conditional forwarder?"
Your pings are being blocked by the 1841 router, I assume.  You would need to allow ICMP messages in the 1841 to get pings to work.

However, just because the 1841 won't allow ping traffic does not mean it won't allow DNS traffic. You said you opened port 53, so as long as you opened port 53 on UDP and TCP, you should be fine.

I would suggest opening ICMP on the 1841, though.  Are you using the GUI or command line for the access list on that device?  I might be able to help you get that going if you want.
dweb937

ASKER

Let me get clarification on this.  Wouldn't it be the other server (DNS Server) for the domain I'm trying to connect to that's blocking the ping requests, not my router?  I don't have a problem pinging outside of my network.  Yes, I opened port 53.  Yes, I'm using the GUI to open the ports.    I just don't know how to open a range of ports that was recommended on http://support.microsoft.com/kb/q179442   that being 1024-65535 for LSA RPC Services.  Not sure if I even need to do this?

How do I open up ICMP?
Honestly, if you trust the other server, you might as well open all ports.  To do that, edit a rule you already have (like for port 53), and instead of allowing TCP/53, just put "ip" (without quotes) in that spot.

That will allow everything.
dweb937

ASKER

But, won't that allow everything from everyone?

Sorry to be repeating myself - but I don't understand this.  I don't have a problem pinging other domains.    What I can't ping is the NameServer of the domain that I want to set the domain trust with.  This is from the directions that I read in the link you provided.  It says to ping the Nameserver to get the IP Address and configure forwarding to that IP address.    It just times out whether I ping by NameServer or IP Address.    Is this assumption correct then, that if I can't ping it then it would not work to set up Conditional Forwarding to that NameServer??

And if I can ping other domains and IP Addresses it sounds like ICMP is already open?

Thanks
Is the server you're pinging running its own firewall?  It may be blocking it as well.  You are saying you can ping other devices on the same network as that nameserver?  Like if that server is 192.168.1.1, you can ping 192.168.1.2 but not 192.168.1.1?  If so, then look into that server and see if it is running its own firewall.
dweb937

ASKER

I don't know about what kind of firewall is in place since the Nameserver I'm pinging is a Web Host's IP Address - internetconnection.net.   According to the instructions provided in the link, this NameServer for internetconnection.net would be the Authoritative source for name queries.  I doubt that I can do anything about their firewall ports, etc.

So, does this mean I can't do conditional forwarding?

You still can.  While they suggest pinging in that link I sent you, it is NOT required.  That is just a basic network test that would normally work, but is not working in this case.  I *think* it isn't working because they're blocking ICMP, but the only way to be sure is to try conditional forwarding and see if it works.  It won't harm anything to try.
dweb937

ASKER

Ok, I'll try and have my counterpart do the same on the other server.  I'll let you know.  Thanks,
dweb937

ASKER

Sorry, I haven't had much to report back yet from a successful test.  I tried doing as you suggested  (setting up conditional forwarding) and all of our outgoing messages being sent from our location to the other location specified in the domain trust were not being sent.  They were being queued up.  Our initial thought was that because the other location's router was not configured to open the ports associated with the domain trust, this was causing the problem.  My IT counterpart at the other location has been working with a CISCO consultant to reconfigure the router at that location.  However, now they seem to think that it's possibly something with how the T1 line is configured into my router.  I have my doubts although I'm no expert.  We have a T1 line coming into an Adtran 600R which is connecting into our CISCO 1841 router and switch.

Stay tuned.

Now
I would agree that it sounds like you have some sort of access list that is getting in your way.
dweb937

ASKER

JasonTracy,

It turns out that the server on the other end did not have its configuration set up correctly.  It had nothing to do with the router configuration.

I appreciate your help so I'm going to award you the points because of the time and effort you put into trying to help me resolve my issue.  I'm sure that your contribution will be helpful to someone else.

Thank you