Cannot resolve names across Windows 2003 domains

Damian Gardner
I have 2 Windows 2003 domains in our network.  One domain is our main network domain called "LACOINC1", while the other is on the other side of a Cisco ASA 5510 firewall, in a DMZ, called "DMZ". I have worked with Cisco technicians to configure the firewall to allow for domain controller communication back and forth on ports 53, 135, 445, 1638, and 389 inbound and outbound.    So far, I've been successful at creating a 2-way Trust between domains, and am also able to log on interactively to the DMZ DC as an internal "LACOINC1" user, with no problem.  I am also able to map to an inside file share and see files and other resources.  Where I am having trouble is with any kind of name resolution of users from the LACOINC1 domain.  For example, I am unable to assign a LACOINC1 domain user to permissions of a DMZ server folder; it says there is "no such user".  Other interfaces that rely on being able to locate users from the inside domain fail also, with similar errors.  What could be causing this?

Thanks for your help

Commented:
You could try this; it seems like extra steps but is the Microsoft preferred way of accomplishing what you want.

In the DMZ domain, create a domain local group and give this group permission to the folder on the server
In the LACOINC1 domain add the users who will access the folders into a security group and then add this to a universal group
Back in the DMZ domain, add the LACOINC1 universal group to the domain local group that has access to the folders

Commented:
It's because NetBIOS is not routable:

It will not propagate across a VPN tunnel, across a VLAN......

You will either need to set up WINS or an LMHOST record between the domain master and other site master.

I will look this information up. In the meantime, you can type Chiefit master browser on an EE search and find your answers.
Damian Gardner, IT Admin (Author)

Commented:
Ok - let me try both of these suggestions.  Thanks for your replies and stand by.

Thanks

Commented:
I can't see that port 3268, which is for the GC, and 88 for Kerberos are opened. Open those too.
The GC is used to locate users in the domain using SRV records, and the KDC is used for authenticating the users.
You can create the forwarder for the domain to contact for name resolution.
Also make sure that each respective domain has its DNS servers forward requests for the other domain to those respective DNS servers.

So for example, domainA.local and domainB.local have a two-way trust between one another. In domainA.local, forward all DNS queries for domainB.local to the IP addresses of the DNS servers in domainB.local. Then do the same in domainB.local.

That would explain why you're able to log in to the DC in the DMZ with the local credentials as well. But out of curiosity, have you tried to provide credentials from the DMZ domain when logging in with a domain-based account to see if that works?
Damian Gardner, IT Admin (Author)

Commented:
Awinish - thank you for your reply and I will open those ports specified. Thank you

John - I will double-check my current DNS forward entries on each side.  I am not sure what you mean on your last question.  Are you asking whether I have logged into the DMZ server with a DMZ account, or a "LACOINC1" (inside) account?  If I understand that right, yes - I have been able to log in to the DMZ machine with both a DMZ domain account AND a LACOINC1 domain account, with no problems.  It's only once I'm logged in (as either domain account), when I try authenticating or resolving LACOINC1 domain accounts in various places (permission windows, policy windows, etc.), that it fails to find the users, or even to browse the other domain.

Commented:
You were right on target; that's what I was asking. Keep us all posted with your results!
Damian Gardner, IT Admin (Author)

Commented:
Ok - well, I talked to Cisco on the 2 ports we thought might be closed, and they confirmed that all ports are actually open from the DC machine to the inside domain right now (which I'll need to close soon for security reasons), but there is nothing that is blocked at the moment.  On the DNS forwarding, I do have an entry on both sides that I assume are working.  I'm just unclear as to how important the NAMING of the entries is.  For example, the entry on the DMZ side is called "LACOINC1.LOCAL", and is linked to the IP address of the DC on the inside, but the entry on the INSIDE (lacoinc1) side is "DMZ.LACO.COM", which was the name I gave the "forest domain" when I set up the DMZ server as a domain controller.  Also, the primary records are not of the exact same types - one side is designated as "Active Directory Integrated Primary" while the other is just "Standard Primary". The secondary records are of the same type though.  I just want to make sure it's not the nomenclature of the domains that could be causing problems here.  I've attached screen shots for you to see what I'm saying.  Still no change in behavior, however.

Thanks,
Damian

Attachments:
Forwarding-from-DMZ.pdf
Forwarding-from-Lacoinc1.pdf

Commented:
Did you create a WINS record or LMHOST record between the two sites' master browsers?
Damian Gardner, IT Admin (Author)

Commented:
I have both a WINS and an LMHOST record between the inside and outside DC machines.
Damian Gardner, IT Admin (Author)

Commented:
Sorry gentlemen - I forgot to check back on this.  The problem was that the firewall was still blocking the TCP side of port 389, and also port 1026 needed to be opened on the ASA.  This was not in the white paper on setting up the Domain Controller ports in a DMZ, so we had to discover it through troubleshooting logs.  Once opened, users were able to be resolved, and the associated services started working.

Thanks for your help.
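The resolution above turned on one detail: UDP 389 was open but the TCP side was not, and an extra port (1026) only showed up in the ASA logs. As an added example (not code from this thread or from any of its participants), the following script TCP-probes every port named in the thread from the DMZ DC toward an inside DC, so each side of the firewall can be compared before a change request is written. The hostname argument and the role labels are assumptions; UDP is deliberately not probed because a UDP test cannot distinguish "open" from "filtered".

```python
"""TCP reachability check for the DC ports discussed in this thread.

Constructed illustration, not code from the thread. Ports combine those the
question opened (53, 135, 445, 1638, 389), those suggested later (88, 3268)
and the ones found in the resolution (TCP 389, 1026).
"""
import socket

# Port -> role, as described in the thread (assumed labels). UDP is not
# probed: a UDP connect cannot give a reliable open/filtered verdict.
DC_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos KDC",
    135: "RPC endpoint mapper",
    389: "LDAP (the TCP side was the blocked one in this thread)",
    445: "SMB",
    1026: "RPC (found via ASA logs in the resolution)",
    1638: "listed in the question's ASA rule set",
    3268: "Global Catalog LDAP",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out (filtered) or unreachable all count as not open.
        return False


def check_dc_ports(host, ports=DC_TCP_PORTS, timeout=2.0):
    """Probe each port; return {port: bool} so both sides can be compared."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results, ports=DC_TCP_PORTS):
    """Roles of the ports that did not answer, ready for a firewall ticket."""
    return [f"{p}/tcp {ports.get(p, '')}".rstrip()
            for p, ok in sorted(results.items()) if not ok]


if __name__ == "__main__":
    import sys
    # Placeholder target: pass the inside DC's IP or FQDN as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in blocked_ports(check_dc_ports(target)):
        print("blocked or filtered:", line)
```

Run it once from the DMZ DC against the inside DC and once in the opposite direction; any port that shows "blocked or filtered" in only one direction points at an asymmetric ASA rule like the TCP 389 case above.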
