MaxDes101
troubleshoot domain trust between 2 domains connected via 2 Sonicwall TZ-210 VPN

I have 2 domains connected via 2 sonicwall TZ-210 devices. This is a VPN connection.

I have added both the DNS forward lookup zones to each domain/dns server and I can see the DNS information from either domain in either domain's DNS settings. I can ping the domains from each other through the VPN.

The issue I am running into is I am trying to create a trust between the 2 domains and the forest trust option is missing. I was told the forest trust option is what I need to use.

This is between Windows Server 2008 and Windows Server 2003.

Any idea?
MaxDes101 (ASKER)
Looks like both of the forward lookup zone entries in the DNS portions are set as secondary. Is this correct?
Do you have any firewalls between the hosts? Generally when you don't see the forest option in the trust wizard it is because that server could not lookup the other domain name or could not contact a domain controller in the other domain.
As mentioned, I am connected via VPN between 2 Sonicwall TZ-210 devices.
I can ping the fully qualified host name of each server with no issues, as well as all devices on the remote network and vice versa.

e.g. server01.domain.com
Sorry, I'm not that familiar with Sonicwall devices. Most of the time I see issues it's with TCP 135 or 445 being blocked.

Here are the reference ports that are needed for trusts (http://support.microsoft.com/kb/179442)

If you need to check if ports are open, you can use the Microsoft portqry tool http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8355E537-1EA6-4569-AABB-F248F4BD91D0
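An added example (not from this thread or from Microsoft's portqry) that probes the TCP trust ports from KB179442 against the remote DC from the local DC, using only .NET classes available on PowerShell 2.0-era hosts such as Server 2008. $RemoteDc is an assumed placeholder.

```powershell
# Added example, not from the thread. Probes the TCP ports a domain trust
# needs (per KB179442) against the remote DC; runs on PowerShell 2.0 hosts
# such as Server 2008. $RemoteDc is an assumed placeholder.
$RemoteDc = 'dc01.remote.example'
# TCP ports from KB179442. UDP 88/137/138/389 and the RPC dynamic range
# (1025-5000 on Server 2003, 49152-65535 on 2008) also need to pass the VPN
# but are not covered by a plain TCP connect test.
$TrustTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the port refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Name resolution must work first: the trust wizard hides the forest option
# when it cannot resolve the other domain or reach one of its DCs.
$ip = [System.Net.Dns]::GetHostAddresses($RemoteDc) | Select-Object -First 1
Write-Host ("{0} resolves to {1}" -f $RemoteDc, $ip)
$results = foreach ($port in ($TrustTcpPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port = $port; Service = $TrustTcpPorts[$port]
        Open = Test-TcpPort -Computer $RemoteDc -Port $port
    }
}
$results | Format-Table Port, Service, Open -AutoSize
$results | Where-Object { -not $_.Open } |
    ForEach-Object { Write-Warning ("TCP {0} ({1}) blocked or not listening" -f $_.Port, $_.Service) }
```

Run it from each DC toward the other; a port that portqry reports as LISTENING locally but that times out here points at the VPN or a host firewall, not the DC.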
In the firewall I have everything set as allowed between the 2 locations, but I will check the ports as well.
You might double check and make sure there are not host based firewalls either.
This is what I saw (I switched out the domain names since this posts on the net):

=============================================

 Starting portqry.exe -n test.test.com -e 135,445 -p TCP ...


Querying target system called:

 test.test.com

Attempting to resolve name to IP address...

Name resolved to 10.1.1.11

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: 2f5f6521-cb55-1059-b446-00df0bce31db Unimodem LRPC Endpoint
ncacn_np:test.test.com[\\pipe\\tapsrv]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncacn_ip_tcp:test.test.com[1044]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncacn_ip_tcp:test.test.com[1044]

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:test.test.com[1041]

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_ip_tcp:test.test.com[1038]

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_np:test.test.com[\\pipe\\WinsPipe]

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_ip_tcp:test.test.com[1038]

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_np:test.test.com[\\pipe\\WinsPipe]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:test.test.com[1034]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncacn_ip_tcp:test.test.com[1034]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncacn_ip_tcp:test.test.com[1034]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:test.test.com[1025]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_ip_tcp:test.test.com[1025]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_ip_tcp:test.test.com[1025]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:test.test.com[1025]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:test.test.com[1027]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:test.test.com[1025]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_http:test.test.com[1027]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:test.test.com[1025]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_http:test.test.com[1027]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_np:test.test.com[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_np:test.test.com[\\PIPE\\protected_storage]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_ip_tcp:test.test.com[1025]

UUID: 12345678-1234-abcd-ef00-0123456789ab IPSec Policy agent endpoint
ncacn_http:test.test.com[1027]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:test.test.com[\\PIPE\\atsvc]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:test.test.com[\\PIPE\\atsvc]

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ncacn_np:test.test.com[\\PIPE\\atsvc]

Total endpoints found: 39



==== End of RPC Endpoint Mapper query response ====

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n test.test.com -e 135,445 -p TCP exits with return code 0x00000000.
Hmm, ok. Two things:

(1) What are the functional levels of the domains?

(2) From each side, can you run nltest /dsgetdc:<domain> and see if it resolves?
65td
Port information from MS re domains and trusts:
http://support.microsoft.com/kb/179442
The functional level on one was 2000; this has been changed to 2003 and has allowed me to create the two-way trust on that DC.

The other is 2008 and nltest fails and still will not show a forest trust option.
It fails with ERROR_NO_SUCH_DOMAIN.
ASKER CERTIFIED SOLUTION
brwwiggins
I created secondary zones...
Conditional forwarders worked.
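An added example (not from this thread) that applies the fix the asker arrived at: replace the secondary zone for the remote domain with a conditional forwarder on a Server 2003/2008 DNS server using dnscmd (the Add-DnsServerConditionalForwarderZone cmdlet only exists on 2012 and later), then repeat the nltest /dsgetdc check the thread used. $RemoteDomain and $RemoteDnsIp are assumed placeholders.

```powershell
# Added example, not from the thread. Swaps the secondary zone for a
# conditional forwarder with dnscmd (Server 2003/2008) and then verifies
# DC discovery the same way the thread did (nltest /dsgetdc).
# $RemoteDomain and $RemoteDnsIp are assumed placeholders.
$RemoteDomain = 'remote.example'
$RemoteDnsIp  = '10.1.1.11'   # DNS/DC across the VPN, as in the portqry output above

# A secondary zone only serves records it has copied; if the zone transfer
# through the VPN never completes, lookups fail. A forwarder asks the remote DNS directly.
$zones = dnscmd /EnumZones
if ($zones -match ('^\s*' + [regex]::Escape($RemoteDomain) + '\s+Secondary')) {
    Write-Host "Removing secondary zone $RemoteDomain"
    dnscmd /ZoneDelete $RemoteDomain /f
}
dnscmd /ZoneAdd $RemoteDomain /Forwarder $RemoteDnsIp
dnscmd /ClearCache

# DC discovery depends on the other domain's _msdcs SRV records being answerable.
$srv = "_ldap._tcp.dc._msdcs.$RemoteDomain"
$answer = nslookup -type=SRV $srv 2>&1
if ($answer -match 'svr hostname') {
    Write-Host "SRV lookup for $srv succeeded"
} else {
    Write-Warning "No SRV answer for $srv; the forest trust option will stay hidden"
}

# Same check the thread used; /force bypasses the DC locator cache so a stale
# ERROR_NO_SUCH_DOMAIN result is retried rather than replayed.
$nl = nltest /dsgetdc:$RemoteDomain /force 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host ($nl -join "`n")
} else {
    Write-Warning ("nltest failed: " + ($nl -join ' '))
}
```

Run it on the DNS server of each domain, pointing at the other side; once both nltest calls return a DC, the forest trust option should appear in the wizard.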