Solved

How to create a trust between two seperate domains

Posted on 2011-02-24
8
1,151 Views
Last Modified: 2012-05-11
Hi,

I've created a new domain/DC inside our netwerk and I want to create a mutual trust between the two. The first step is to make them see each other using NSLookup, but this does not work. The main DC is a W2003 server with DNS server. The second DC is a W2008 server, also with a DNS server. When I ping DOMAIN1 from the second server it works. However, when I ping DOMAIN2 from the first it fails. What should I do to make this work?

Thanks,
Thomas
0
Comment
Question by:tdnooij
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34977602
Are those domains in separate forests? If so, first of all, you need to check if you can ping DCs by IP address and then configure on each DNS server in each domain "Conditional Forwarding" or "Stub Zone" to be able to ping each domain by DNS names (required, because AD replies on DNS). Then you will be able to create two-way trust relationship using this Miscrosoft article at
http://technet.microsoft.com/en-us/library/cc776940%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 34977794
also if you can't ping the 2008 server checkk your firewall settings.  i think the server drops ICMP packets as standard.  Have a look at the rules and make sure the 'File and Printer Sharing (Echo Request - ICMP4) Domain' is enabled in the inbound and outbound rules. That should let you ping the server, then follow Isek's advice.
0
 

Author Comment

by:tdnooij
ID: 34977836
OK, I'm a step further: First I need to raise the functional level of the W2003 machine. However, I get the : the directory service is busy error. This is probably caused by the replication not being done. I investigated this and I found out that we had another DC in our domain which died. I've deleted it from the Domain Controllers in AD, but when I try to delete the Site in AD SItes and Services it gives me the error that the DC (that I deleted) still has objects and has to be demoted first. Any clues?
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:tdnooij
ID: 34977998
Ok, I found this article to delete my old DC: http://support.microsoft.com/kb/216498
This works.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 34978349
I assume that link refers to performing a metadata cleanup of the failed DC, as also described here: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

One you have the forwarders in place in each domain (to forward DNS requests for the other domain to it's DNS servers) and if any firewalls between the 2 domains are configured correctly, you should be able to create your trust...

I assume you already know which type of trust you want to create? Is your intent to migrate from one to the other, or to have both coexisting?

Pete
0
 

Author Comment

by:tdnooij
ID: 34978428
I want to migrate from 2003SBS to a new W2008 Standard server. But I want a selective migration, so only some users. Now I cannot create the trust between W2003SBS and W2008 because of the SBS. What type of trust do I need?
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 500 total points
ID: 34978531
It's important to note when you're actually referring to SBS, as there's a load of stuff that's different in that case - From what I've just read, you are correct and cannot create a trust when SBS is involved.

I did find a reference to being able to migrate (using the usual ADMT tool from the 2008 Std Server) without the use of a trust at all, which involved ensuring that there were identical administrator account configured in both domains (i.e. exactly the same usernames and passwords!).

Apparently the procedure is documented in this migration guide from MS: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=fa187d1e-8218-4501-9729-222bd8ebb64c&displaylang=en

The guide appears to be primarily about migrating from Server Std to SBS, but based on what I read, I'd assume that this particular part would be the same either way around (i.e. getting the security set so that you CAN actually migrate without a trust between the domains).

Have a look and let me know if you need further assistance.

Cheers,

Pete
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question