Thomas Jacoberger

asked on

Windows Server 2003 Domain Trusts

I have set up a VPN between 4 sites successfully using Cisco ASAs. All 4 domain controllers are Windows Server 2003. Once I was able to ping between all 4 sites by IP, I went ahead and configured DNS by adding name servers by IP and transferring zones to each server. I am now able to ping across all 4 sites by name as follows.

servername.domainname.local

I can also ping each domain from the other by FQDN without issue, and I can ping each domain from the other by name.

However, when I go to create a two-way trust between each domain I get the following error:

Cannot Continue:
The New Trust Wizard cannot continue because the specified domain cannot be contacted.
Either the domain does not exist, or network or other problems are preventing connection.

This doesn't make sense at all, as I can ping each domain by FQDN from all servers.

All domain and forest functional levels are Windows Server 2003.

Any ideas?
Krzysztof Pytko

I would suggest doing that the other way. Do not set up zone transfers for DNS zones (remove them). Configure only Conditional Forwarders for those domains to resolve DNS names.

After that, ensure that all DCs in each domain have only the IP address(es) of their internal DNS server(s) specified.
Check if all necessary ports are opened on the firewall/router:
http://support.microsoft.com/kb/179442

Re-try the forest trust(s) creation process.

Regards,
Krzysztof
Thomas Jacoberger

ASKER

OK, I removed all DNS zone transfers and just added forwarders from each PDC to the other.

I also made sure each PDC is only using its internal IP for DNS on the NIC.

I then opened all ports needed.

Now I can't ping across by name at all, only by IP.

Do the ports need to be pointed statically back to the respective IPs of each DC?

Still have the same issue.
Hm, make sure that UDP/53 is opened on the firewall. It's used for name resolution (for the DNS server).
Then you should be able to access DNS names of that other forest.

You may also use portqry2 to be sure that all of those ports are really opened.
http://www.microsoft.com/download/en/details.aspx?id=17148

Krzysztof
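A way to verify the two things the replies above depend on (that the remote DC really answers over UDP/53 through the firewall, and that the other forest's domain controller locator records resolve through the conditional forwarder), as an added example that is not part of this thread: a small stdlib-only Python diagnostic that sends a real DNS query to the remote DC's address and parses the reply. A successful ping only proves ICMP and an A record; the New Trust Wizard locates a DC of the other domain through the `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>` SRV records, so it is worth checking those records explicitly from each DC. The script name, the server address and the domain name in the usage line are assumptions.

```python
import socket
import struct
import sys

# Record types used here: A (host name -> address) and SRV (DC locator).
QTYPE_A = 1
QTYPE_SRV = 33

# SRV names the Windows DC locator queries in the target domain's _msdcs zone.
# If these do not resolve via the forwarder, ping by FQDN can still work while
# the trust wizard reports that the domain cannot be contacted.
DC_LOCATOR_SRV = ("_ldap._tcp.dc._msdcs.{domain}", "_kerberos._tcp.dc._msdcs.{domain}")


def build_query(name, qtype, txn_id=0x1234):
    """Build a single-question DNS query packet with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg, expected_id=0x1234):
    """Return (rcode, answers); each answer is (name, type, data)."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expected_id:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE_A:
            data = socket.inet_ntoa(rdata)
        elif rtype == QTYPE_SRV:             # priority, weight, port, target name
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = read_name(msg, offset + 6)
            data = (prio, weight, port, target)
        else:
            data = rdata
        answers.append((name, rtype, data))
        offset += rdlen
    return flags & 0xF, answers


def query(server, name, qtype, timeout=3.0):
    """Send one query to UDP/53 on `server`; None means no reply (UDP/53 blocked or server down)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


def check_dc_locator(server, domain):
    """Query both DC locator SRV names for `domain` via `server`; returns {name: result}."""
    return {t.format(domain=domain): query(server, t.format(domain=domain), QTYPE_SRV)
            for t in DC_LOCATOR_SRV}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dcloc_check.py <remote-dc-ip> <remote-domain>")
    for name, result in check_dc_locator(sys.argv[1], sys.argv[2]).items():
        if result is None:
            print(f"{name}: no reply (UDP/53 blocked or server not answering)")
        elif result[0] != 0 or not result[1]:
            print(f"{name}: rcode {result[0]}, no SRV records (DC locator will fail)")
        else:
            print(f"{name}: " + ", ".join(f"{d[3]}:{d[2]}" for _, _, d in result[1]))
```

Run it from each DC as `python dcloc_check.py <remote-dc-ip> <remote-domain>` (both values assumed). A timeout points at the firewall (UDP/53 is not passing), an NXDOMAIN or empty answer at the forwarder or the remote `_msdcs` zone; only a reply listing the remote DC's name and port 389/88 shows the locator path the wizard needs is working.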
Still not working.

I can ping across by FQDN without issue.

Not sure why this is so difficult.
I got it.

Thanks everyone.
What was the issue, can you tell us, please?

Krzysztof
ASKER CERTIFIED SOLUTION
Thomas Jacoberger

I found my own solution.