Solved

How to create a trust between two seperate domains

Posted on 2011-02-24
8
1,160 Views
Last Modified: 2012-05-11
Hi,

I've created a new domain/DC inside our netwerk and I want to create a mutual trust between the two. The first step is to make them see each other using NSLookup, but this does not work. The main DC is a W2003 server with DNS server. The second DC is a W2008 server, also with a DNS server. When I ping DOMAIN1 from the second server it works. However, when I ping DOMAIN2 from the first it fails. What should I do to make this work?

Thanks,
Thomas
0
Comment
Question by:tdnooij
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34977602
Are those domains in separate forests? If so, first of all, you need to check if you can ping DCs by IP address and then configure on each DNS server in each domain "Conditional Forwarding" or "Stub Zone" to be able to ping each domain by DNS names (required, because AD replies on DNS). Then you will be able to create two-way trust relationship using this Miscrosoft article at
http://technet.microsoft.com/en-us/library/cc776940%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 34977794
also if you can't ping the 2008 server checkk your firewall settings.  i think the server drops ICMP packets as standard.  Have a look at the rules and make sure the 'File and Printer Sharing (Echo Request - ICMP4) Domain' is enabled in the inbound and outbound rules. That should let you ping the server, then follow Isek's advice.
0
 

Author Comment

by:tdnooij
ID: 34977836
OK, I'm a step further: First I need to raise the functional level of the W2003 machine. However, I get the : the directory service is busy error. This is probably caused by the replication not being done. I investigated this and I found out that we had another DC in our domain which died. I've deleted it from the Domain Controllers in AD, but when I try to delete the Site in AD SItes and Services it gives me the error that the DC (that I deleted) still has objects and has to be demoted first. Any clues?
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 

Author Comment

by:tdnooij
ID: 34977998
Ok, I found this article to delete my old DC: http://support.microsoft.com/kb/216498
This works.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 34978349
I assume that link refers to performing a metadata cleanup of the failed DC, as also described here: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

One you have the forwarders in place in each domain (to forward DNS requests for the other domain to it's DNS servers) and if any firewalls between the 2 domains are configured correctly, you should be able to create your trust...

I assume you already know which type of trust you want to create? Is your intent to migrate from one to the other, or to have both coexisting?

Pete
0
 

Author Comment

by:tdnooij
ID: 34978428
I want to migrate from 2003SBS to a new W2008 Standard server. But I want a selective migration, so only some users. Now I cannot create the trust between W2003SBS and W2008 because of the SBS. What type of trust do I need?
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 500 total points
ID: 34978531
It's important to note when you're actually referring to SBS, as there's a load of stuff that's different in that case - From what I've just read, you are correct and cannot create a trust when SBS is involved.

I did find a reference to being able to migrate (using the usual ADMT tool from the 2008 Std Server) without the use of a trust at all, which involved ensuring that there were identical administrator account configured in both domains (i.e. exactly the same usernames and passwords!).

Apparently the procedure is documented in this migration guide from MS: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=fa187d1e-8218-4501-9729-222bd8ebb64c&displaylang=en

The guide appears to be primarily about migrating from Server Std to SBS, but based on what I read, I'd assume that this particular part would be the same either way around (i.e. getting the security set so that you CAN actually migrate without a trust between the domains).

Have a look and let me know if you need further assistance.

Cheers,

Pete
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question