Improve company productivity with a Business Account.Sign Up

x
?
Solved

Can't authenticate to trusted domain

Posted on 2011-09-13
5
Medium Priority
?
747 Views
Last Modified: 2012-08-14
I have a forest with two domains - D1 and D2; functional level is 2003.  I built a new domain in a new forest - NewD; functional level is 2008.  I need to be able to authenticate D1 users in NewD.  DNS is set up with secondary zones for the other domain in each domain, and zone transfers are working.  I made a two-way domain trust (NOT a forest trust) between the two domains, and it validated.  My problem:  I can authenticate in D1 with NewD users, but when I go to NewD, the D1 domain does not show up in the list of available domains, so I can't authenticate D1 users in the NewD domain.

Two questions:  can I use stub zones instead of  secondary zones in the DNS?  and do I need to do a two-way FOREST trust for the authentication to work?  Or maybe there is just some setting I am missing in my 2008 DCs that will allow the D1 domain to be seen.  Any help is much appreciated.

Tracy
0
Comment
Question by:laugle
  • 4
5 Comments
 
LVL 4

Expert Comment

by:AnthonyHamon
ID: 36531286
Question 1:
Yes, you can use stub zones in DNS rather than secondary zones.

Question 2:
There is no reason to use a forest trust, I would expect the external domain trust that you have configured to work.  Although the D1 domain is not in the domain list when logging onto a workstation in the NewD domain, it may be possible to authenticate a D1 user by specifying the username as <username>@D1, where D1 is the FQDN of the domain (not the NetBIOS name).
0
 

Author Comment

by:laugle
ID: 36531375
Would that work in setting permissions for resources as well?  In both GPO and AD Users & Computers, I need to set permissions for administrators and users, and I haven't been able to because of the issue where the domain will not show up.
0
 

Author Comment

by:laugle
ID: 36531546
I cannot set permissions using groups without NewD active directory being able to see D1.  Without that, I can't log in using my admin account from D1, and I can't administer the domain with my D1 credentials.  Any idea why the AD can't see the D1 domain?
0
 

Accepted Solution

by:
laugle earned 0 total points
ID: 36537826
Found the answer - the 2008 domain was not running WINS.  Domain to domain trusts use WINS, forest trusts use DNS.
0
 

Author Closing Comment

by:laugle
ID: 36558778
This was the way I got it to work - I couldn't use a forest trust because I have other domains that we don't want to involve in this trust.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question