Solved

How to set up Forest to Forest Domain Trust through VPN with Windows Server 2003?

Posted on 2008-10-14
30 comments, 875 views. Last Modified: 2009-01-08
Hello,
I've been working on setting up a Forest to Forest Domain Trust between two separate physical locations connected by VPN.  However, the Domains are still not able to see each other and resolve names via DNS.  Following are the steps I've come across in my research and have taken thus far:

1.  Raised the Domain Functional Level from Windows 2000 Mixed to Windows 2000 Native.  The Forest Functional Level is Windows 2000
2.  Added Secondary Zones to both DNS servers
3.  Set to 'allow zone transfers' on both DNS Servers
4.  I've opened the following ports on my CISCO 1841 router - 135,389,636,3268,3269,53, and 445.  There is a range of TCP ports 1024 - 65535 that I have not opened because I do not see how to do this in the GUI Administration Software for the router.  Also, didn't open TCP/UDP 88 because didn't think I needed to since running Windows Server 2003.

What am I missing here?  Any help is appreciated.
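As an added example (my own code, not part of the original question or any of the answers), here is a small Python check for the port list in step 4: it attempts a TCP connection from the local DC to each port a Windows Server 2003 forest trust needs on the partner DC, so the ports the router is still blocking show up as CLOSED. The list mirrors the ports named in the question plus Kerberos (TCP 88), which Windows Server 2003 forest trusts also use; the dynamic RPC range 1024-65535 cannot be proven open with a single connect and is only reported. The address 192.168.2.1 is a placeholder for the partner DC, and `demo_on_localhost` uses a constructed local listener so the check can be exercised offline.

```python
import socket
from typing import Dict, List

# TCP ports a forest trust between two Windows Server 2003 DCs uses. The set mirrors
# step 4 of the question plus Kerberos (88). UDP 53/88/389 are used as well, but a
# TCP connect test cannot observe UDP, so they are not listed here.
TRUST_TCP_PORTS: Dict[int, str] = {
    53: "DNS (zone transfer / TCP fallback)",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB / Netlogon",
    636: "LDAP over SSL",
    3268: "Global Catalog",
    3269: "Global Catalog over SSL",
}
# Dynamic RPC range on Windows Server 2003: the endpoint mapper (135) hands out a
# port in this range, so one connect test cannot prove the whole range is open.
RPC_DYNAMIC_RANGE = (1024, 65535)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as closed
        return False


def check_trust_ports(host: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in TRUST_TCP_PORTS on the partner DC."""
    return {port: tcp_port_open(host, port, timeout) for port in TRUST_TCP_PORTS}


def report(host: str, results: Dict[int, bool]) -> List[str]:
    """Readable lines; ports marked CLOSED are the ones the router is not passing."""
    lines = [f"Trust port check against {host}"]
    for port, desc in TRUST_TCP_PORTS.items():
        state = "open" if results.get(port) else "CLOSED"
        lines.append(f"  TCP {port:<5} {state:<6} {desc}")
    lo, hi = RPC_DYNAMIC_RANGE
    lines.append(f"  TCP {lo}-{hi}: dynamic RPC range, not probed")
    return lines


def demo_on_localhost() -> Dict[str, bool]:
    """Constructed offline check: one listening and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = tcp_port_open("127.0.0.1", port)
    listener.close()
    closed_result = tcp_port_open("127.0.0.1", port)  # nothing listens there now
    return {"listening_port_open": open_result, "closed_port_open": closed_result}


if __name__ == "__main__":
    # 192.168.2.1 stands in for the partner DC's address (placeholder, not a real host).
    for line in report("192.168.2.1", check_trust_ports("192.168.2.1")):
        print(line)
```

Run it from the DC on each side against the other side's DC; a port that is open from A to B but closed from B to A is the usual sign of a one-way ACL on one of the routers.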

Question by: dweb937

Expert Comment by JasonTracy (ID: 22711603):
I see on step 3 that you allowed zone transfers...did you put in the IP addresses of the other servers?  Are they set up to be notified?  Can you see if the initial transfer went through?

Check the event log for DNS errors.

Author Comment by dweb937 (ID: 22711675):
Yes and no.  On my server I put in the IP Address of the other server.  On the other server, the Admin had it already set up to allow transfers to any server.  No, I had not set it up to notify the other server.  I just did though.

I did check the log for DNS errors and did not see any errors - a few warnings here and there with Event ID 3000.

Expert Comment by JasonTracy (ID: 22711745):
So, when you added the secondary zone on server A, you said to make it a secondary to server B and put in Server B's IP.  Then on server B, you set zone transfers to allow all.  You would do the same in reverse for server B to A.

See if the primary zones are set to AD-Integrated.  That may be preventing the replication.  Also, just make sure you can ping the servers from each end.

Author Comment by dweb937 (ID: 22711852):
Yes, if my server is A and the other server is B, I created a new zone that is a secondary zone (for Server B) on Server A under the Forward Lookup Zones and put in Server B's IP Address.  On both server A & B we set allow zone transfers to (in my case server B's IP Address, and in the other case set to all).  This was done by right clicking on Server A's Forward Lookup Zone on the Zone Transfers Tab.

Server A's Forward Lookup Zone is AD-Integrated but the Secondary zone for Server B is not.  Should that be changed?

We can ping each other's servers using the IP Addresses but cannot ping using the DNS names of the servers.

Expert Comment by JasonTracy (ID: 22712105):
Yes, change the primary zones at both ends to "Primary" rather than AD-integrated.  You'll be able to change this back once DNS is working and they're joined to the same forest.

Author Comment by dweb937 (ID: 22712173):
You sure this won't mess anything up on our domains?  What are the next steps after doing this?

Expert Comment by JasonTracy (ID: 22712521):
If there are other DNS servers on domain A, they will also need to be set up as secondary zones just like what you're doing on B.  If you don't do that, replication will stop within A's domain.

Without doing it myself, I couldn't promise that everything WILL work, since there can be things that neither of us may be aware of in your environment.

Accepted Solution by JasonTracy (ID: 22712569; earned 500 total points):
Another way I just thought of would be to set up forwarders.  This may be much simpler than what you're trying to do with replicating domains.

From http://support.microsoft.com/kb/300202

1. In DNS Manager, right-click the DNS Server object, and then click Properties.
2. Click the Forwarders tab.
3. Click to select the Enable Forwarders check box.
4. In the IP address box, type the first DNS server to which you want to forward, and then click Add.

The problem is that if you do this on both domains, internet access will NOT work.  Try this during a downtime window.  If both domains can see each other, join the domains into the same forest, then make sure AD-integrated zones are set to replicate to all DNS servers in the forest.  Then you can undo the forwarders and Internet DNS should work again.

Expert Comment by JasonTracy (ID: 22712582):
BTW, in 2003 server, you can forward lookups for certain domains.  I don't know if you can do that in 2000 server or not.  If you can, then that would work and not impact Internet DNS lookups.

Author Comment by dweb937 (ID: 22712995):
JasonTracy,

I'm a little confused about your last post.  Is this another option?  If so, how do you do this?  Both DNS/DC servers are running Windows Server 2003.  We just have the functional levels of the forest and domain set to 2000 and 2000 native, respectively.

Thanks!

Expert Comment by JasonTracy (ID: 22713028):
OK, great!  Yes, this is a totally different way.  This way, you don't replicate the DNS zones until you have Active Directory integrated between the domains and you don't change from AD-integrated zones.

In 2003, you can do conditional forwarding.  This tells server A "When you get requests for B's domain, go look them up at B's IP address".

Here is a page that explains how to do it: http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Give it a read and let me know if you have any questions.  There should be no risk with this way of doing it.

Author Comment by dweb937 (ID: 22713292):
JasonTracy,

Thanks for the link.  This seems pretty straightforward.  I'm assuming we would need to do this for both servers A & B?  So, if we do this then should we delete the Secondary Zones and uncheck 'allow zone transfers'?

I went to WHO IS and got the Name Server for the other domain.  Then I pinged it and it timed out.  So, I'm wondering how reliable this method is?  It sounds wonderful if we can get it to work.

Thanks for your help

Expert Comment by JasonTracy (ID: 22713612):
Correct, delete the secondary zones before testing this.  You may also want to clear your cache and reboot your testing computer before you try it.

You would want to do it on both servers.

If you're going to test by ping, make sure to use the FQDN.  Type server1.domainb.net instead of just server1, for example.

Author Comment by dweb937 (ID: 22713617):
I want to also make sure that I'm understanding which IP address I use for conditional forwarding.  It would be the IP address of the Nameserver for Server B's domain, correct?  And vice versa.

Author Comment by dweb937 (ID: 22713642):
The pinging that I was referring to is the one referenced in the link you provided.  I'm trying to ping the IP address of the Nameserver for Server B's domain.  I haven't even gotten to the point of trying to ping Server B's DNS/DC.

Expert Comment by JasonTracy (ID: 22713690):
So, if server A is 192.168.1.1, and server B is 192.168.2.1, you're trying to ping 192.168.2.1 from computer 192.168.1.1 and that isn't working?

I just re-read your question.  I don't see where you have ICMP allowed, so pings may not work.  Either open ICMP up, or try doing it without the ping step.


Author Comment by dweb937 (ID: 22713725):
But if I can't ping the forwarding name server, then how will it be able to resolve names?

Also, how do you open up ICMP?

If you don't hear back from me today, it's because I'm out of the office and I'll respond tomorrow morning.  Thanks for all your help.

Expert Comment by JasonTracy (ID: 22713772):
ICMP (your pings) is its own protocol, like TCP or UDP.  It must be allowed for pings to work.

Even if you don't allow it, DNS traffic (TCP and UDP ports 53) can still go through.

Author Comment by dweb937 (ID: 22719795):
But, still don't understand the following:  "But if I can't ping the forwarding name server, then how will it be able to resolve names if set up as a conditional forwarder?"

Expert Comment by JasonTracy (ID: 22720020):
Your pings are being blocked by the 1841 router, I assume.  You would need to allow ICMP messages in the 1841 to get pings to work.

However, just because the 1841 won't allow ping traffic does not mean it won't allow DNS traffic. You said you opened port 53, so as long as you opened port 53 on UDP and TCP, you should be fine.

I would suggest opening ICMP on the 1841, though.  Are you using the GUI or command line for the access list on that device?  I might be able to help you get that going if you want.
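The point made just above, that DNS can be tested directly on TCP and UDP port 53 even while ICMP is blocked, can be checked without ping. The following Python script is an added example (my own code, not from this thread, Microsoft or the linked article): it builds a DNS query, sends it straight to the partner DNS server, and decodes the reply, so from server A you can confirm that B answers for its own zone before pointing a conditional forwarder at it. `192.168.2.1`, `server1.domainb.net` and `domainb.net` are the placeholder values used earlier in the thread; `_ldap._tcp.dc._msdcs.domainb.net` is the standard SRV record a domain controller lookup needs; `SAMPLE_RESPONSE` is a constructed packet so the decoder can be exercised offline.

```python
import random
import socket
import struct
from typing import Dict, Optional, Tuple

QTYPES = {"A": 1, "SRV": 33}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qtype: str = "A", txid: Optional[int] = None) -> bytes:
    """One-question recursive query (RD=1) in RFC 1035 wire format."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: follow it
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(data: bytes, expected_txid: Optional[int] = None) -> Dict:
    """Return rcode, the AA flag and decoded A / SRV answers of a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("reply transaction id does not match the query")
    result = {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "authoritative": bool(flags & 0x0400), "answers": []}
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:        # A record: dotted address
            value = ".".join(str(b) for b in rdata)
        elif rtype == 33:                    # SRV: priority weight port target
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            value = f"{prio} {weight} {port} {_read_name(data, offset + 6)[0]}"
        else:
            value = rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
        offset += rdlen
    return result

def probe(server_ip: str, name: str, qtype: str = "A",
          tcp: bool = False, timeout: float = 3.0) -> Dict:
    """Query server_ip directly on port 53, over UDP or (as zone transfers do) TCP."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, qtype, txid)
    if tcp:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
            length = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))[0]
            data = s.recv(length, socket.MSG_WAITALL)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server_ip, 53))
            data, _ = s.recvfrom(4096)
    return parse_response(data, txid)

# Constructed sample reply (not captured from any real server): B's DNS server answering
# authoritatively that server1.domainb.net is 192.168.2.10 with a 3600 s TTL.
SAMPLE_RESPONSE = (
    bytes.fromhex("1234 8580 0001 0001 0000 0000")             # id, QR|AA|RD|RA, 1 qd, 1 an
    + build_query("server1.domainb.net", "A", 0x1234)[12:]     # echoed question
    + bytes.fromhex("c00c 0001 0001 00000e10 0004 c0a8020a")   # name ptr, A, IN, TTL, address
)

if __name__ == "__main__":
    # 192.168.2.1 is the placeholder address used for B's DNS/DC earlier in the thread.
    for qname, qtype in (("server1.domainb.net", "A"), ("_ldap._tcp.dc._msdcs.domainb.net", "SRV")):
        for tcp in (False, True):
            try:
                reply = probe("192.168.2.1", qname, qtype, tcp=tcp)
                print("TCP" if tcp else "UDP", qtype, qname, reply["rcode"], reply["answers"])
            except OSError as exc:           # timeout or refused: port 53 is not getting through
                print("TCP" if tcp else "UDP", qtype, qname, "no reply:", exc)
```

An authoritative NOERROR answer for the A record means the forwarder target is reachable and serving the zone; a reply with the SRV record is the stronger test, because that is the record the trust setup will ask for. A timeout on UDP but an answer on TCP (or the reverse) points at the router ACL only passing one of the two protocols on port 53.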

Author Comment by dweb937 (ID: 22720209):
Let me get clarification on this.  Wouldn't it be the other server (DNS Server) for the domain I'm trying to connect to that's blocking the ping requests, not my router?  I don't have a problem pinging outside of my network.  Yes, I opened port 53.  Yes, I'm using the GUI to open the ports.  I just don't know how to open a range of ports that was recommended on http://support.microsoft.com/kb/q179442 that being 1024-65535 for LSA RPC Services.  Not sure if I even need to do this?

How do I open up ICMP?

Expert Comment by JasonTracy (ID: 22720272):
Honestly, if you trust the other server, you might as well open all ports.  To do that, edit a rule you already have (like for port 53), and instead of allowing TCP/53, just put "ip" (without quotes) in that spot.

That will allow everything.

Author Comment by dweb937 (ID: 22720370):
But, won't that allow everything from everyone?

Sorry to be repeating myself - but I don't understand this.  I don't have a problem pinging other domains.  What I can't ping is the NameServer of the domain that I want to set the domain trust with.  This is from the directions that I read in the link you provided.  It says to ping the Nameserver to get the IP Address and configure forwarding to that IP address.  It just times out whether I ping by NameServer or IP Address.  Is this assumption correct then, that if I can't ping it then it would not work to set up Conditional Forwarding to that NameServer??

And if I can ping other domains and IP Addresses it sounds like ICMP is already open?

Thanks

Expert Comment by JasonTracy (ID: 22720399):
Is the server you're pinging running its own firewall?  It may be blocking it as well.  You are saying you can ping other devices on the same network as that nameserver?  Like if that server is 192.168.1.1, you can ping 192.168.1.2 but not 192.168.1.1?  If so, then look into that server and see if it is running its own firewall.

Author Comment by dweb937 (ID: 22720453):
I don't know about what kind of firewall is in place since the Nameserver I'm pinging is a Web Host's IP Address - internetconnection.net.  According to the instructions provided in the link this NameServer for internetconnection.net would be the Authoritative source for name queries.  I doubt that I can do anything about their firewall ports, etc.

So, does this mean I can't do conditional forwarding?


Expert Comment by JasonTracy (ID: 22720486):
You still can.  While they suggest pinging in that link I sent you, it is NOT required.  That is just a basic network test that would normally work, but is not working in this case.  I *think* it isn't working because they're blocking ICMP, but the only way to be sure is to try conditional forwarding and see if it works.  It won't harm anything to try.

Author Comment by dweb937 (ID: 22721211):
Ok, I'll try and have my counterpart do the same on the other server.  I'll let you know.  Thanks,

Author Comment by dweb937 (ID: 22829950):
Sorry, I haven't had much to report back yet from a successful test.  I tried doing as you suggested (setting up conditional forwarding) and all of our outgoing messages being sent from our location to the other location specified in the domain trust were not being sent.  They were being queued up.  Our initial thought was that because the other location's router was not configured to open the ports associated with the domain trust, this was causing the problem.  My IT counterpart at the other location has been working with a CISCO consultant to reconfigure the router at that location.  However, now they seem to think that it's possibly something with how the T1 line is configured into my router.  I have my doubts although I'm no expert.  We have a T1 line coming into an Adtran 600R which is connecting into our CISCO 1841 router and switch.

Stay tuned.

Now

Expert Comment by JasonTracy (ID: 22830274):
I would agree that it sounds like you have some sort of access list that is getting in your way.

Author Comment by dweb937 (ID: 23325528):
JasonTracy,

It turns out that the server on the other end did not have its configuration set up correctly.  It had nothing to do with the router configuration.

I appreciate your help so I'm going to award you the points because of the time and effort you put into trying to help me resolve my issue.  I'm sure that your contribution will be helpful to someone else.

Thank you

