Solved

Can't authenticate to trusted domain

Posted on 2011-09-13
Last Modified: 2012-08-14
I have a forest with two domains - D1 and D2; functional level is 2003.  I built a new domain in a new forest - NewD; functional level is 2008.  I need to be able to authenticate D1 users in NewD.  DNS is set up with secondary zones for the other domain in each domain, and zone transfers are working.  I made a two-way domain trust (NOT a forest trust) between the two domains, and it validated.  My problem:  I can authenticate in D1 with NewD users, but when I go to NewD, the D1 domain does not show up in the list of available domains, so I can't authenticate D1 users in the NewD domain.

Two questions: can I use stub zones instead of secondary zones in the DNS? And do I need to do a two-way FOREST trust for the authentication to work? Or maybe there is just some setting I am missing in my 2008 DCs that will allow the D1 domain to be seen. Any help is much appreciated.

Tracy
Question by: laugle
Expert Comment by: AnthonyHamon (ID: 36531286)
Question 1:
Yes, you can use stub zones in DNS rather than secondary zones.

Question 2:
There is no reason to use a forest trust; I would expect the external domain trust that you have configured to work. Although the D1 domain is not in the domain list when logging onto a workstation in the NewD domain, it may be possible to authenticate a D1 user by specifying the username as <username>@D1, where D1 is the FQDN of the domain (not the NetBIOS name).
Author Comment by: laugle (ID: 36531375)
Would that work in setting permissions for resources as well?  In both GPO and AD Users & Computers, I need to set permissions for administrators and users, and I haven't been able to because of the issue where the domain will not show up.
Author Comment by: laugle (ID: 36531546)
I cannot set permissions using groups without NewD Active Directory being able to see D1. Without that, I can't log in using my admin account from D1, and I can't administer the domain with my D1 credentials. Any idea why the AD can't see the D1 domain?
Accepted Solution by: laugle (ID: 36537826)
Found the answer - the 2008 domain was not running WINS.  Domain to domain trusts use WINS, forest trusts use DNS.
 
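A read-only check for the finding above, added here as an example script (not from the thread or any of its participants): run on a NewD domain controller, it confirms the trust to D1 exists and validates, shows whether a WINS server is configured on the DC, and tries to locate a D1 DC by both NetBIOS name and FQDN. It assumes the ActiveDirectory module with Get-ADTrust (RSAT for Server 2012 or later) and uses placeholder domain names.

```powershell
# Added example, not from this thread. Read-only checks on a NewD domain controller
# after an external (domain-to-domain) trust to D1 has been created.
# Assumes the ActiveDirectory module (Get-ADTrust); domain names are placeholders.
param(
    [string]$TrustedDomainFqdn    = 'd1.example.com',  # placeholder: D1's DNS name
    [string]$TrustedDomainNetbios = 'D1'               # placeholder: D1's NetBIOS name
)

Import-Module ActiveDirectory

# 1. Is the trust object present, and is it an external trust (not forest-transitive)?
$trust = Get-ADTrust -Identity $TrustedDomainFqdn -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object for $TrustedDomainFqdn found in this domain"
    return
}
'{0}: Direction={1} ForestTransitive={2}' -f $trust.Name, $trust.Direction, $trust.ForestTransitive

# 2. Does the trust's secure channel to D1 validate? (nltest ships with Windows.)
nltest /sc_verify:$TrustedDomainFqdn

# 3. Is a WINS server configured on this DC? A domain-to-domain trust depends on
#    NetBIOS name resolution for the trusted domain's NetBIOS name; with no WINS
#    server and the DCs on different subnets, broadcasts cannot find D1, which is
#    the symptom in this thread (D1 missing from NewD's logon domain list).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, WINSPrimaryServer, WINSSecondaryServer, DNSServerSearchOrder

# 4. Locate a D1 domain controller by NetBIOS name and by FQDN. If the NetBIOS
#    lookup fails while the FQDN lookup succeeds, NetBIOS/WINS resolution is the
#    likely gap rather than the trust or the DNS zones.
nltest /dsgetdc:$TrustedDomainNetbios
nltest /dsgetdc:$TrustedDomainFqdn
```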
Author Closing Comment by: laugle (ID: 36558778)
This was the way I got it to work - I couldn't use a forest trust because I have other domains that we don't want to involve in this trust.