Troubleshoot domain trust between 2 domains connected via 2 SonicWall TZ-210 VPN

I have 2 domains connected via 2 SonicWall TZ-210 devices. This is a VPN connection.

I have added both the DNS forward lookup zones to each domain/dns server and I can see the DNS information from either domain in either domain's DNS settings. I can ping the domains from each other through the VPN.

The issue I am running into is I am trying to create a trust between the 2 domains and the forest trust option is missing. I was told the forest trust option is what I need to use.

This is between Windows Server 2008 and Windows Server 2003.

Any idea?

MaxDes101 (Author) commented:
Looks like both of the forward lookup zone entries in the DNS portions are set as secondary. Is this correct?
brwwiggins (IT Manager) commented:
Do you have any firewalls between the hosts? Generally, when you don't see the forest option in the trust wizard, it is because that server could not look up the other domain name or could not contact a domain controller in the other domain.
MaxDes101 (Author) commented:
As mentioned, I am connected via VPN between 2 SonicWall TZ-210 devices.
I can ping the fully qualified host name of each server with no issues, as well as all devices on the remote network, and vice versa.

I.E. -

brwwiggins (IT Manager) commented:
Sorry, I'm not that familiar with SonicWall devices. Most of the time when I see issues, it's TCP 135 or 445 being blocked.

Here are the reference ports that are needed for trusts (

If you need to check whether ports are open, you can use the Microsoft PortQry tool.
MaxDes101 (Author) commented:
In the firewall I have everything set as allowed between the 2 locations, but I will check the ports as well.
brwwiggins (IT Manager) commented:
You might double-check and make sure there are no host-based firewalls either.
MaxDes101 (Author) commented:
This is what I saw (I switched out domain names since this posts on the net):


 Starting portqry.exe -n -e 135,445 -p TCP ...

Querying target system called:

Attempting to resolve name to IP address...

Name resolved to


TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

Total endpoints found: 39

==== End of RPC Endpoint Mapper query response ====

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n -e 135,445 -p TCP exits with return code 0x00000000.
brwwiggins (IT Manager) commented:
Hmm, OK. Two things:

(1) What are the functional levels of the domains?

(2) From each side, can you run nltest /dsgetdc:<domain> and see if it resolves?
Port information from MS re domains and trusts:
MaxDes101 (Author) commented:
The functional level on one was 2000; this has been changed to 2003 and has allowed me to create the two-way trust on that DC.

The other is 2008 and nltest fails and still will not show a forest trust option.
MaxDes101 (Author) commented:
Fails with ERROR_NO_SUCH_DOMAIN.
brwwiggins (IT Manager) commented:
So that points to DNS issues. Back to your original post:

"I have added both the DNS forward lookup zones to each domain/dns server and I can see the DNS information from either domain in either domain's DNS settings"

Did you create stub zones or conditional forwarders? I typically do conditional forwarders for these cases.
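An added example, not from the thread or from Microsoft: a PowerShell pre-flight script that runs the three checks brwwiggins asked for in order (DC locator lookup, nltest, then the 135/445 port test) and applies the conditional-forwarder fix when the lookup fails. It assumes a DC running Windows Server 2012 or later, since Resolve-DnsName, Test-NetConnection and the DnsServer cmdlets do not exist on 2003/2008 (where portqry and nltest are the equivalents); the remote domain name and DNS server addresses are placeholders.

```powershell
# Added example: forest-trust pre-flight from a DC. Placeholders, not values from the thread.
param(
    [string]$RemoteDomain = 'remote.example',                  # placeholder: other forest's DNS name
    [string[]]$RemoteDnsServers = @('192.0.2.10', '192.0.2.11') # placeholder: DNS servers in the remote domain
)
$ErrorActionPreference = 'Continue'

# 1. Can this DC locate a DC in the remote domain? The trust wizard hides the forest
#    trust option when this SRV lookup fails (nltest then reports ERROR_NO_SUCH_DOMAIN).
$srvName = "_ldap._tcp.dc._msdcs.$RemoteDomain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for $srvName; local DNS is not answering for the remote zone."
    # Fix that resolved the thread: a conditional forwarder for the remote domain rather
    # than a secondary zone. Forest replication scope stores it in AD for every DNS server.
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDnsServers `
        -ReplicationScope 'Forest'
    Clear-DnsClientCache
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
}
$dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
"Remote DCs advertised in DNS: $($dcNames -join ', ')"

# 2. The same question asked the way the thread did: does the DC locator find one?
nltest /dsgetdc:$RemoteDomain

# 3. Ports the trust needs through the VPN: RPC endpoint mapper (135), SMB (445),
#    LDAP (389), Kerberos (88) and kpasswd (464). A blocked 135 or 445 is the usual culprit.
foreach ($dc in $dcNames) {
    foreach ($port in 135, 445, 389, 88, 464) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} TCP/{1,-4} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Run it from a DC in each forest so both directions of the trust are checked; a DC that passes step 1 but fails step 3 has a firewall problem rather than a DNS one.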

MaxDes101 (Author) commented:
I created secondary zones.
MaxDes101 (Author) commented:
Conditional forwarders worked.