Solved

How to create a trust between two seperate domains

Posted on 2011-02-24
8
1,134 Views
Last Modified: 2012-05-11
Hi,

I've created a new domain/DC inside our netwerk and I want to create a mutual trust between the two. The first step is to make them see each other using NSLookup, but this does not work. The main DC is a W2003 server with DNS server. The second DC is a W2008 server, also with a DNS server. When I ping DOMAIN1 from the second server it works. However, when I ping DOMAIN2 from the first it fails. What should I do to make this work?

Thanks,
Thomas
0
Comment
Question by:tdnooij
8 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34977602
Are those domains in separate forests? If so, first of all, you need to check if you can ping DCs by IP address and then configure on each DNS server in each domain "Conditional Forwarding" or "Stub Zone" to be able to ping each domain by DNS names (required, because AD replies on DNS). Then you will be able to create two-way trust relationship using this Miscrosoft article at
http://technet.microsoft.com/en-us/library/cc776940%28WS.10%29.aspx

Regards,
Krzysztof
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 34977794
also if you can't ping the 2008 server checkk your firewall settings.  i think the server drops ICMP packets as standard.  Have a look at the rules and make sure the 'File and Printer Sharing (Echo Request - ICMP4) Domain' is enabled in the inbound and outbound rules. That should let you ping the server, then follow Isek's advice.
0
 

Author Comment

by:tdnooij
ID: 34977836
OK, I'm a step further: First I need to raise the functional level of the W2003 machine. However, I get the : the directory service is busy error. This is probably caused by the replication not being done. I investigated this and I found out that we had another DC in our domain which died. I've deleted it from the Domain Controllers in AD, but when I try to delete the Site in AD SItes and Services it gives me the error that the DC (that I deleted) still has objects and has to be demoted first. Any clues?
0
 

Author Comment

by:tdnooij
ID: 34977998
Ok, I found this article to delete my old DC: http://support.microsoft.com/kb/216498
This works.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 34978349
I assume that link refers to performing a metadata cleanup of the failed DC, as also described here: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

One you have the forwarders in place in each domain (to forward DNS requests for the other domain to it's DNS servers) and if any firewalls between the 2 domains are configured correctly, you should be able to create your trust...

I assume you already know which type of trust you want to create? Is your intent to migrate from one to the other, or to have both coexisting?

Pete
0
 

Author Comment

by:tdnooij
ID: 34978428
I want to migrate from 2003SBS to a new W2008 Standard server. But I want a selective migration, so only some users. Now I cannot create the trust between W2003SBS and W2008 because of the SBS. What type of trust do I need?
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 500 total points
ID: 34978531
It's important to note when you're actually referring to SBS, as there's a load of stuff that's different in that case - From what I've just read, you are correct and cannot create a trust when SBS is involved.

I did find a reference to being able to migrate (using the usual ADMT tool from the 2008 Std Server) without the use of a trust at all, which involved ensuring that there were identical administrator account configured in both domains (i.e. exactly the same usernames and passwords!).

Apparently the procedure is documented in this migration guide from MS: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=fa187d1e-8218-4501-9729-222bd8ebb64c&displaylang=en

The guide appears to be primarily about migrating from Server Std to SBS, but based on what I read, I'd assume that this particular part would be the same either way around (i.e. getting the security set so that you CAN actually migrate without a trust between the domains).

Have a look and let me know if you need further assistance.

Cheers,

Pete
0

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now