Solved

How to create a trust between two separate domains

Posted on 2011-02-24
Medium Priority
1,169 Views
Last Modified: 2012-05-11
Hi,

I've created a new domain/DC inside our network and I want to create a mutual trust between the two. The first step is to make them see each other using NSLookup, but this does not work. The main DC is a W2003 server with DNS server. The second DC is a W2008 server, also with a DNS server. When I ping DOMAIN1 from the second server it works. However, when I ping DOMAIN2 from the first it fails. What should I do to make this work?

Thanks,
Thomas
0
Question by:tdnooij
8 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34977602
Are those domains in separate forests? If so, first of all, you need to check if you can ping the DCs by IP address and then configure "Conditional Forwarding" or a "Stub Zone" on each DNS server in each domain to be able to ping each domain by DNS name (required, because AD relies on DNS). Then you will be able to create a two-way trust relationship using this Microsoft article at
http://technet.microsoft.com/en-us/library/cc776940%28WS.10%29.aspx

Regards,
Krzysztof
0
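The DNS preparation described in the comment above, as an added example that is not part of the original thread. The domain name `domain2.example` and the address `192.0.2.20` are placeholders (assumptions) for the other domain's DNS name and its DNS server; run the script on each DNS server with the values swapped. `dnscmd` and `nltest` ship with W2008 and come from the Support Tools on W2003.

```bat
@echo off
rem Added example: pre-trust DNS check for one side of a two-domain setup.
rem OTHER_DOMAIN and OTHER_DNS_IP are placeholders (assumptions), not values from the thread.
setlocal
set OTHER_DOMAIN=domain2.example
set OTHER_DNS_IP=192.0.2.20

rem 1. Check plain IP reachability first. A missing reply can also mean the
rem    remote firewall drops ICMP echo, so treat this as a warning only.
ping -n 2 %OTHER_DNS_IP%
if errorlevel 1 echo WARNING: no ICMP reply from %OTHER_DNS_IP%

rem 2. Ask the remote DNS server directly for the other domain's DC locator
rem    records. If this fails, the problem is the network path or the remote
rem    zone, not the local forwarder configuration.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%OTHER_DOMAIN% %OTHER_DNS_IP%

rem 3. Add a conditional forwarder on the local DNS server so that queries
rem    for the other domain are sent to that domain's DNS server.
dnscmd /ZoneAdd %OTHER_DOMAIN% /Forwarder %OTHER_DNS_IP%

rem 4. Repeat the SRV lookup through the local DNS server (no server argument).
rem    It should now return the same records as step 2.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%OTHER_DOMAIN%

rem 5. Confirm the DC locator can find a domain controller for the other
rem    domain, which is what the trust wizard depends on.
nltest /dsgetdc:%OTHER_DOMAIN%
if errorlevel 1 (
    echo FAILED: no DC located for %OTHER_DOMAIN%
) else (
    echo OK: DC located for %OTHER_DOMAIN%
)
endlocal
```

Comparing the output of steps 2 and 4 shows whether a lookup failure lies with the forwarder or with the path to the other DNS server.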
 
LVL 4

Expert Comment

by:loki_loki
ID: 34977794
Also, if you can't ping the 2008 server, check your firewall settings. I think the server drops ICMP packets as standard. Have a look at the rules and make sure the 'File and Printer Sharing (Echo Request - ICMP4) Domain' is enabled in the inbound and outbound rules. That should let you ping the server, then follow Isek's advice.
0
 

Author Comment

by:tdnooij
ID: 34977836
OK, I'm a step further: first I need to raise the functional level of the W2003 machine. However, I get the "the directory service is busy" error. This is probably caused by the replication not being done. I investigated this and I found out that we had another DC in our domain which died. I've deleted it from the Domain Controllers in AD, but when I try to delete the Site in AD Sites and Services it gives me the error that the DC (that I deleted) still has objects and has to be demoted first. Any clues?
0

 

Author Comment

by:tdnooij
ID: 34977998
Ok, I found this article to delete my old DC: http://support.microsoft.com/kb/216498
This works.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 34978349
I assume that link refers to performing a metadata cleanup of the failed DC, as also described here: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Once you have the forwarders in place in each domain (to forward DNS requests for the other domain to its DNS servers) and if any firewalls between the 2 domains are configured correctly, you should be able to create your trust...

I assume you already know which type of trust you want to create? Is your intent to migrate from one to the other, or to have both coexisting?

Pete
0
 

Author Comment

by:tdnooij
ID: 34978428
I want to migrate from 2003SBS to a new W2008 Standard server. But I want a selective migration, so only some users. Now I cannot create the trust between W2003SBS and W2008 because of the SBS. What type of trust do I need?
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 2000 total points
ID: 34978531
It's important to note when you're actually referring to SBS, as there's a load of stuff that's different in that case - From what I've just read, you are correct and cannot create a trust when SBS is involved.

I did find a reference to being able to migrate (using the usual ADMT tool from the 2008 Std Server) without the use of a trust at all, which involved ensuring that there were identical administrator accounts configured in both domains (i.e. exactly the same usernames and passwords!).

Apparently the procedure is documented in this migration guide from MS: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=fa187d1e-8218-4501-9729-222bd8ebb64c&displaylang=en

The guide appears to be primarily about migrating from Server Std to SBS, but based on what I read, I'd assume that this particular part would be the same either way around (i.e. getting the security set so that you CAN actually migrate without a trust between the domains).

Have a look and let me know if you need further assistance.

Cheers,

Pete
0
