MaxDes101
troubleshoot domain trust between 2 domains connected via 2 Sonicwall TZ-210 VPN
I have 2 domains connected via 2 sonicwall TZ-210 devices. This is a VPN connection.
I have added both the DNS forward lookup zones to each domain/dns server and I can see the DNS information from either domain in either domain's DNS settings. I can ping the domains from each other through the VPN.
The issue I am running into is I am trying to create a trust between the 2 domains and the forest trust option is missing. I was told the forest trust option is what I need to use.
This is between Windows Server 2008 and Server 2003.
Any idea?
Do you have any firewalls between the hosts? Generally when you don't see the forest option in the trust wizard it is because that server could not lookup the other domain name or could not contact a domain controller in the other domain.
ASKER
As mentioned I am connected via VPN between 2 Sonicwall-TZ210 devices.
I can ping the fully qualified host name of each server with no issues.... As well as all devices on the remote network and vice versa.
I.E. - server01.domain.com
Sorry, I'm not that familiar with Sonicwall devices. Most of the time I see issues it's with TCP 135 or 445 being blocked.
Here are the reference ports that are needed for trusts (http://support.microsoft.com/kb/179442)
If you need to check if ports are open, you can use the Microsoft portqry tool http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8355E537-1EA6-4569-AABB-F248F4BD91D0
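The two checks in this reply (can the server resolve the other domain, and are the trust ports reachable) can be scripted from the DC that is missing the forest trust option. The following is an added example and not something posted in the thread; `remote.example.com` and `10.2.2.11` are placeholder values for the other domain's DNS name and its DC, and the port list is a selection from KB179442 (the dynamic RPC range is deliberately left out and handled in the note below).

```powershell
# Added example: pre-trust connectivity check run from one DC toward the other domain.
# Assumptions (placeholders, not from the thread): the remote AD DNS name and a remote DC IP.
param(
    [string]$RemoteDomain = "remote.example.com",
    [string]$RemoteDns    = "10.2.2.11"
)

# 1. DC locator record. The trust wizard only offers a forest trust when it can find
#    a DC of the other domain, which starts with this SRV record. Query the remote
#    DNS server explicitly first so a local-resolver problem is not mistaken for a
#    VPN problem.
$srv = "_ldap._tcp.dc._msdcs.$RemoteDomain"
Write-Host "== SRV lookup for $srv against $RemoteDns =="
nslookup -type=SRV $srv $RemoteDns

# 2. Fixed ports a trust depends on (selection from KB179442). A TCP connect with a
#    2-second timeout distinguishes "filtered" (timeout) from "refused" (reset).
$ports = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    389  = "LDAP"
    445  = "SMB / Netlogon"
    464  = "Kerberos kpasswd"
    636  = "LDAPS"
    3268 = "Global Catalog"
}
Write-Host "== TCP port check against $RemoteDns =="
foreach ($p in ($ports.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($RemoteDns, $p, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(2000)) {
            $client.EndConnect($async)          # throws if the port actively refused
            $state = "LISTENING"
        } else {
            $state = "TIMEOUT (filtered by a firewall or VPN policy?)"
        }
    } catch {
        $state = "REFUSED/ERROR: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    "{0,5}  {1,-22} {2}" -f $p, $ports[$p], $state
}

# 3. Same DC locator lookup, but through the Netlogon service and the LOCAL resolver,
#    which is the path the trust wizard itself uses.
Write-Host "== nltest /dsgetdc:$RemoteDomain =="
nltest /dsgetdc:$RemoteDomain
```

If step 1 succeeds against the remote DNS server but step 3 fails, the VPN is not the problem: the local DNS server has no way to resolve the other domain's `_msdcs` records, and the fix is on the DNS side rather than the firewall. The asker's portqry output below also shows RPC endpoints on 1025 through 1044, so a firewall rule set for a trust has to allow the dynamic RPC range (1025-5000 on Server 2003, 49152-65535 on Server 2008) in addition to the fixed ports above; the port list here is what you would restrict the VPN rule to instead of "everything allowed".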
ASKER
In the firewall I have everything set as allowed between the 2 locations, but I will check the ports as well.
You might double check and make sure there are not host based firewalls either.
ASKER
This is what I saw (I switched out domain names since this is posted on the net):
==========================
Starting portqry.exe -n test.test.com -e 135,445 -p TCP ...
Querying target system called:
test.test.com
Attempting to resolve name to IP address...
Name resolved to 10.1.1.11
querying...
TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:
UUID: 2f5f6521-cb55-1059-b446-00df0bce31db Unimodem LRPC Endpoint
ncacn_np:test.test.com[\\pipe\\tapsrv]
UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncacn_ip_tcp:test.test.com[1044]
UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncacn_ip_tcp:test.test.com[1044]
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:test.test.com[1041]
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_ip_tcp:test.test.com[1038]
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_np:test.test.com[\\pipe\\WinsPipe]
UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_ip_tcp:test.test.com[1038]
UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_np:test.test.com[\\pipe\\WinsPipe]
UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:test.test.com[1034]
UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncacn_ip_tcp:test.test.com[1034]
UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncacn_ip_tcp:test.test.com[1034]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:test.test.com[1025]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_ip_tcp:test.test.com[1025]
UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_ip_tcp:test.test.com[1025]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:test.test.com[1025]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:test.test.com[1027]
UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:test.test.com[1025]
UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_http:test.test.com[1027]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:test.test.com[1025]
UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_http:test.test.com[1027]
UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_np:test.test.com[\\PIPE\\lsass]
UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_np:test.test.com[\\PIPE\\protected_storage]
UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_ip_tcp:test.test.com[1025]
UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_http:test.test.com[1027]
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:test.test.com[\\PIPE\\atsvc]
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:test.test.com[\\PIPE\\atsvc]
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ncacn_np:test.test.com[\\PIPE\\atsvc]
Total endpoints found: 39
==== End of RPC Endpoint Mapper query response ====
TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n test.test.com -e 135,445 -p TCP exits with return code 0x00000000.
==========================
Hmm, ok. Two things:
(1) What are the functional levels of the domains?
(2) From each side, can you run nltest /dsgetdc:<domain> and see if it resolves?
Port information from MS re domains and trusts:
http://support.microsoft.com/kb/179442
ASKER
Functional level on one was 2000; this has been changed to 2003 and has allowed me to create the two-way trust on that DC.
The other is 2008 and nltest fails and still will not show a forest trust option.
ASKER
Fails for ERROR_NO_SUCH_DOMAIN.
ASKER CERTIFIED SOLUTION
ASKER
I created secondary zones......
ASKER
Conditional forwarders worked
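The asker's outcome (secondary zones did not resolve the `nltest` failure, conditional forwarders did) is the usual resolution for ERROR_NO_SUCH_DOMAIN in this setup: the DC's own DNS server must be able to resolve the other domain's `_msdcs` records through its normal lookup path. The following is an added example, not a command from the thread, showing how to create the conditional forwarder on a Server 2008 DNS server with `dnscmd` and then verify it over the same path the trust wizard uses. `remote.example.com` and `10.2.2.11` are placeholders for the other domain and its DC; run the equivalent on the other side pointing back at this domain.

```powershell
# Added example: conditional forwarder for the other AD domain, plus verification.
# Assumptions (placeholders, not from the thread): remote domain name and remote DC IP.
$RemoteDomain = "remote.example.com"
$RemoteDns    = "10.2.2.11"

# On Server 2008 a conditional forwarder is a DNS zone of type "Forwarder": queries for
# anything under $RemoteDomain are sent to $RemoteDns instead of the server's general
# forwarders or root hints. Unlike a secondary zone this needs no zone transfer and
# automatically covers the delegated _msdcs subdomain.
dnscmd /ZoneAdd $RemoteDomain /Forwarder $RemoteDns

# Show the zone as the server now sees it (type should be Forwarder).
dnscmd /ZoneInfo $RemoteDomain

# Verify WITHOUT naming a DNS server, so the lookup goes through this DC's own resolver,
# which is the path nltest and the trust wizard take. Both should now succeed where
# nltest previously returned ERROR_NO_SUCH_DOMAIN.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain"
nltest /dsgetdc:$RemoteDomain

# Server 2012 and later ship a cmdlet for the same change (not available on 2008):
#   Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDns
```

The forwarder only answers for the one namespace it is created for, so it adds no general reliance on the other site's DNS server; if the VPN is down, only lookups for the remote domain fail, which is the behaviour you want for a cross-domain trust.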