Can't authenticate to trusted domain

I have a forest with two domains - D1 and D2; functional level is 2003.  I built a new domain in a new forest - NewD; functional level is 2008.  I need to be able to authenticate D1 users in NewD.  DNS is set up with secondary zones for the other domain in each domain, and zone transfers are working.  I made a two-way domain trust (NOT a forest trust) between the two domains, and it validated.  My problem:  I can authenticate in D1 with NewD users, but when I go to NewD, the D1 domain does not show up in the list of available domains, so I can't authenticate D1 users in the NewD domain.

Two questions:  can I use stub zones instead of secondary zones in the DNS?  and do I need to do a two-way FOREST trust for the authentication to work?  Or maybe there is just some setting I am missing in my 2008 DCs that will allow the D1 domain to be seen.  Any help is much appreciated.

Tracy
1 Solution
 
AnthonyHamon commented:
Question 1:
Yes, you can use stub zones in DNS rather than secondary zones.

Question 2:
There is no reason to use a forest trust, I would expect the external domain trust that you have configured to work.  Although the D1 domain is not in the domain list when logging onto a workstation in the NewD domain, it may be possible to authenticate a D1 user by specifying the username as <username>@D1, where D1 is the FQDN of the domain (not the NetBIOS name).
 
laugle (Author) commented:
Would that work in setting permissions for resources as well?  In both GPO and AD Users & Computers, I need to set permissions for administrators and users, and I haven't been able to because of the issue where the domain will not show up.
 
laugle (Author) commented:
I cannot set permissions using groups without NewD active directory being able to see D1.  Without that, I can't log in using my admin account from D1, and I can't administer the domain with my D1 credentials.  Any idea why the AD can't see the D1 domain?
 
laugle (Author) commented:
Found the answer - the 2008 domain was not running WINS.  Domain to domain trusts use WINS, forest trusts use DNS.
 
laugle (Author) commented:
This was the way I got it to work - I couldn't use a forest trust because I have other domains that we don't want to involve in this trust.
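The thread turned on two things: the accepted answer's point that a user from the trusted domain can still log on with a UPN (user@FQDN) even when the domain drop-down is empty, and the author's finding that the external (domain) trust needed NetBIOS name resolution via WINS on the 2008 side. The script below is an added example, not code from the thread or from either participant; it runs on the NewD domain controller and checks each of those from the NewD side. The domain names d1.example.com and D1 are assumptions standing in for the real FQDN and NetBIOS name of D1; nltest, netdom and Get-WmiObject ship with Windows Server, and Get-ADTrust needs the ActiveDirectory module (RSAT on 2008 R2 or later).

```powershell
# Added example (not from the thread): verify an external domain trust from the NewD side.
# Assumptions: 'd1.example.com' is D1's DNS name and 'D1' its NetBIOS name. Run as a domain
# admin on a NewD domain controller.
param(
    [string]$TrustedDnsName     = 'd1.example.com',  # assumption: replace with D1's FQDN
    [string]$TrustedNetbiosName = 'D1',              # assumption: replace with D1's NetBIOS name
    [string]$LocalDomain        = 'newd.example.com' # assumption: replace with NewD's FQDN
)

# 1. How this DC sees its trusts. An external trust shows as non-transitive and not
#    ForestTransitive; that is what keeps the other domains in the D1 forest out of it.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest

# 2. Verify the trust secure channel in both directions (the "validated" step in the GUI).
netdom trust $LocalDomain /domain:$TrustedDnsName /verify /twoway

# 3. DC location by DNS name. This is the path a forest trust (and a UPN logon such as
#    user@d1.example.com) relies on; it only needs the DNS zones/stubs to be correct.
nltest /dsgetdc:$TrustedDnsName /force

# 4. DC location by NetBIOS name. The domain drop-down and the object picker for an external
#    trust go this way, so this is the call that fails when WINS (or LMHOSTS) is missing
#    while step 3 still succeeds.
nltest /dsgetdc:$TrustedNetbiosName /force

# 5. Is WINS actually configured on this DC's IP-enabled adapters?
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, WINSPrimaryServer, WINSSecondaryServer

# 6. Which NetBIOS names this DC has already resolved (look for <D1><1C>, the DC group name).
nbtstat -c
```

Read the results in order: if step 3 succeeds and step 4 fails, name resolution rather than the trust itself is the problem, which matches the author's WINS finding; if step 2 fails, fix the trust before touching DNS or WINS. Two caveats that are mine, not the thread's: an external trust is non-transitive (only D1 and NewD are in scope, as the author wanted), and on trusts created on 2003 or later domain controllers SID filtering is on by default, so do not disable it without a specific reason.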
