Solved

Can't authenticate to trusted domain

Posted on 2011-09-13
5
732 Views
Last Modified: 2012-08-14
I have a forest with two domains - D1 and D2; functional level is 2003.  I built a new domain in a new forest - NewD; functional level is 2008.  I need to be able to authenticate D1 users in NewD.  DNS is set up with secondary zones for the other domain in each domain, and zone transfers are working.  I made a two-way domain trust (NOT a forest trust) between the two domains, and it validated.  My problem:  I can authenticate in D1 with NewD users, but when I go to NewD, the D1 domain does not show up in the list of available domains, so I can't authenticate D1 users in the NewD domain.

Two questions:  can I use stub zones instead of  secondary zones in the DNS?  and do I need to do a two-way FOREST trust for the authentication to work?  Or maybe there is just some setting I am missing in my 2008 DCs that will allow the D1 domain to be seen.  Any help is much appreciated.

Tracy
0
Comment
Question by:laugle
  • 4
5 Comments
 
LVL 4

Expert Comment

by:AnthonyHamon
ID: 36531286
Question 1:
Yes, you can use stub zones in DNS rather than secondary zones.

Question 2:
There is no reason to use a forest trust, I would expect the external domain trust that you have configured to work.  Although the D1 domain is not in the domain list when logging onto a workstation in the NewD domain, it may be possible to authenticate a D1 user by specifying the username as <username>@D1, where D1 is the FQDN of the domain (not the NetBIOS name).
0
 

Author Comment

by:laugle
ID: 36531375
Would that work in setting permissions for resources as well?  In both GPO and AD Users & Computers, I need to set permissions for administrators and users, and I haven't been able to because of the issue where the domain will not show up.
0
 

Author Comment

by:laugle
ID: 36531546
I cannot set permissions using groups without NewD active directory being able to see D1.  Without that, I can't log in using my admin account from D1, and I can't administer the domain with my D1 credentials.  Any idea why the AD can't see the D1 domain?
0
 

Accepted Solution

by:
laugle earned 0 total points
ID: 36537826
Found the answer - the 2008 domain was not running WINS.  Domain to domain trusts use WINS, forest trusts use DNS.
0
 

Author Closing Comment

by:laugle
ID: 36558778
This was the way I got it to work - I couldn't use a forest trust because I have other domains that we don't want to involve in this trust.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question