Troubleshoot domain trust between 2 domains connected via 2 SonicWall TZ-210 VPN

I have 2 domains connected via 2 sonicwall TZ-210 devices. This is a VPN connection.

I have added both the DNS forward lookup zones to each domain/dns server and I can see the DNS information from either domain in either domain's DNS settings. I can ping the domains from each other through the VPN.

The issue I am running into is I am trying to create a trust between the 2 domains and the forest trust option is missing. I was told the forest trust option is what I need to use.

This is between Windows Server 2008 and Server 2003.

Any idea?
MaxDes101Asked:
MaxDes101Author Commented:
Looks like both of the forward lookup zone entries in the DNS portions are set as secondary. Is this correct?
0
brwwigginsIT ManagerCommented:
Do you have any firewalls between the hosts? Generally when you don't see the forest option in the trust wizard it is because that server could not lookup the other domain name or could not contact a domain controller in the other domain.
0
MaxDes101Author Commented:
As mentioned I am connected via VPN between 2 Sonicwall-TZ210 devices.
I can ping the fully qualified host name of each server with no issues.... As well as all devices on the remote network and vice versa.

I.E. -  server01.domain.com
0
brwwigginsIT ManagerCommented:
Sorry, I'm not that familiar with SonicWall devices. Most of the time I see issues, it's with TCP 135 or 445 being blocked.

Here are the reference ports that are needed for trusts (http://support.microsoft.com/kb/179442)

If you need to check if ports are open, you can use the Microsoft portqry tool http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8355E537-1EA6-4569-AABB-F248F4BD91D0
0
MaxDes101Author Commented:
In the firewall I have everything set as allowed between the 2 locations, but I will check the ports as well.
0
brwwigginsIT ManagerCommented:
You might double check and make sure there are not host based firewalls either.
0
MaxDes101Author Commented:
This is what I saw (I switched out domain names since this posts on the net):

=============================================

 Starting portqry.exe -n test.test.com -e 135,445 -p TCP ...


Querying target system called:

 test.test.com

Attempting to resolve name to IP address...

Name resolved to 10.1.1.11

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

Total endpoints found: 39



==== End of RPC Endpoint Mapper query response ====

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n test.test.com -e 135,445 -p TCP exits with return code 0x00000000.
0
brwwigginsIT ManagerCommented:
Hmm, OK. Two things:

(1) What are the functional levels of the domains?

(2) From each side, can you run nltest /dsgetdc:<domain> and see if it resolves?
0
65tdRetiredCommented:
Port information from MS re domains and trusts:
http://support.microsoft.com/kb/179442
0
MaxDes101Author Commented:
Functional level on one was 2000; this has been changed to 2003 and has allowed me to create the two-way trust on that DC.

The other is 2008 and nltest fails and still will not show a forest trust option.
0
MaxDes101Author Commented:
Fails for error_No_Such_Domain.
0
brwwigginsIT ManagerCommented:
So that points to DNS issues. Back to your original post:

"I have added both the DNS forward lookup zones to each domain/dns server and I can see the DNS information from either domain in either domain's DNS settings"

Did you create stub zones or conditional forwarders? I typically do conditional forwarders for these cases.
0

MaxDes101Author Commented:
I created secondary zones......
0
MaxDes101Author Commented:
Conditional forwarders worked
0
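The checks discussed in this thread, collected into one batch script as an added example (not posted by any participant). It separates plain host resolution, which ping exercises, from the DC locator SRV lookup that `nltest /dsgetdc` depends on, and optionally swaps the secondary zone for a conditional forwarder. `REMOTE_DOMAIN` and `REMOTE_DNS` reuse the masked values from the portqry post and are placeholders; the `fix` argument is a convention of this script only.

```batch
@echo off
rem Added example, not from the thread. Run on a DC/DNS server in the local domain.
rem REMOTE_DOMAIN / REMOTE_DNS are placeholders (masked values from the post above).
setlocal
set REMOTE_DOMAIN=test.test.com
set REMOTE_DNS=10.1.1.11

echo === 1. Host (A) record: this is all that a successful ping proves ===
nslookup %REMOTE_DOMAIN%

echo === 2. DC locator SRV records for the remote domain ===
rem The DC locator queries _ldap._tcp.dc._msdcs.<domain>; if this lookup
rem returns nothing, nltest cannot find a DC even though ping works.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE_DOMAIN%

echo === 3. DC locator itself (the check suggested in the thread) ===
nltest /dsgetdc:%REMOTE_DOMAIN%

echo === 4. RPC endpoint mapper and SMB reachability across the VPN ===
portqry -n %REMOTE_DOMAIN% -p TCP -e 135
portqry -n %REMOTE_DOMAIN% -p TCP -e 445

if /i not "%1"=="fix" goto :done

echo === 5. Replace the local copy of the zone with a conditional forwarder ===
rem Assumption: the zone that exists locally for REMOTE_DOMAIN is the secondary
rem zone described in the thread. /ZoneDelete removes only that local copy.
dnscmd /ZoneDelete %REMOTE_DOMAIN% /f
dnscmd /ZoneAdd %REMOTE_DOMAIN% /Forwarder %REMOTE_DNS%

rem Flush cached negative answers before re-testing the locator.
ipconfig /flushdns
dnscmd /ClearCache
nltest /dsgetdc:%REMOTE_DOMAIN%

:done
endlocal
```

Run it from each side with the other domain's name and DNS server address; when steps 1 and 4 succeed but steps 2 and 3 fail, the problem is DNS rather than the firewall or VPN.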