Solved

Windows Server 2003 Domain Trusts

Posted on 2011-10-20
Last Modified: 2012-05-12
I have set up a VPN between 4 sites successfully using Cisco ASAs. All 4 domain controllers are Windows Server 2003. Once I was able to ping between all 4 sites by IP, I went ahead and configured DNS by adding name servers by IP and transferring zones to each server. I am now able to ping across all 4 sites by name as follows.

servername.domainname.local

I can also ping each domain from the other by FQDN without issue, and I can ping each domain from the other by name.

However, when I go to create a two-way trust between each domain I get the following error:

Cannot Continue:
The New Trust Wizard cannot continue because the specified domain cannot be contacted.
Either the domain does not exist, or network or other problems are preventing connection.

This doesn't make sense at all, as I can ping each domain by FQDN from all servers.

All domain and forest functional levels are Windows Server 2003.

Any ideas?
Question by:TJacoberger1
9 Comments

Expert Comment

by:Krzysztof Pytko
ID: 36999860
I would suggest doing that the other way. Do not set up zone transfers for DNS zones (remove them). Configure only Conditional Forwarders for those domains to resolve DNS names.

After that, ensure that all DCs in the particular domains have only the IP address of their internal DNS server(s) specified.
Check if all necessary ports are opened on the firewall/router:
http://support.microsoft.com/kb/179442

Re-try the forest trust(s) creation process.

Regards,
Krzysztof

Expert Comment

by:Krzysztof Pytko
ID: 36999867
Sorry, the wrong link has been pasted :/
It should be this one:
http://technet.microsoft.com/en-us/library/cc756944%28WS.10%29.aspx#w2k3tr_trust_tools_knfk

Krzysztof

Author Comment

by:TJacoberger1
ID: 37005820
Ok I removed all DNS zone transfers and just added forwarders from each PDC to the other.

I also made sure each PDC is only using its internal IP for DNS on the NIC.

I then opened all ports needed.

Now I can't ping across by name at all, only by IP.

Do the ports need to be pointed statically back to the respective IPs of each DC?

Still have the same issue.

Expert Comment

by:Krzysztof Pytko
ID: 37010383
Hm, make sure that UDP/53 is opened on the firewall. It's used for name resolution (for the DNS server).
Then you should be able to access DNS names of that other forest.

You may also use portqry2 to be sure that all of those ports are really opened.
http://www.microsoft.com/download/en/details.aspx?id=17148

Krzysztof

Author Comment

by:TJacoberger1
ID: 37018334
Still not working.

I can ping across by FQDN without issue.

Not sure why this is so difficult.

Author Comment

by:TJacoberger1
ID: 37018784
I got it.

Thanks everyone.

Expert Comment

by:Krzysztof Pytko
ID: 37023227
What was the issue, can you tell us, please?

Krzysztof

Accepted Solution

by:TJacoberger1 (earned 0 total points)
ID: 37032528
I removed the DNS secondary zones from one server to another, then instead of just adding each IP as a forwarder I added the actual FQDN to the DNS domain forwarder. I also opened all necessary ports on the ASA.
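The reason a ping by FQDN can succeed while the New Trust Wizard still reports the domain as unreachable is that the wizard locates a DC through the `_msdcs` SRV records, not the plain A record; those are exactly the lookups a conditional forwarder (Krzysztof's advice, and the accepted solution) has to answer across the VPN. The script below is an added example, not part of the thread: it sends that SRV query straight to the remote domain's DNS server over UDP/53 (the port Krzysztof says must be open on the ASA) and parses the reply with only the standard library, so it can be run from any host behind the firewall to confirm the forwarder target really answers. The server IP and domain name are caller-supplied placeholders.

```python
import socket
import struct

def trust_srv_names(domain):
    """AD locator records the trust wizard must resolve; ping only needs the A record."""
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}"]

def build_srv_query(name, txid=0x1234):
    """DNS query: 12-byte header (RD=1), QNAME labels, QTYPE 33 (SRV), QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)

def _read_name(pkt, off):
    """Read a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_srv_answers(pkt):
    """Return [(priority, weight, port, target)]; [] if RCODE signals an error."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:                               # e.g. 3 = NXDOMAIN
        return []
    off, out = 12, []
    for _ in range(qd):                              # skip question section
        off = _read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = _read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype == 33:
            pri, wt, port = struct.unpack("!HHH", pkt[rdata:rdata + 6])
            out.append((pri, wt, port, _read_name(pkt, rdata + 6)[0]))
    return out

def query_srv(server_ip, name, timeout=3.0):
    """Ask the remote domain's DNS server (caller-supplied IP, assumed) over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server_ip, 53))
        return parse_srv_answers(s.recv(4096))
```

Run `query_srv("<remote DC IP>", n)` for each `n` in `trust_srv_names("<remote domain>")`; an empty list or a timeout means the wizard's locator query cannot be answered through that path, even though ping by name works.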

Author Closing Comment

by:TJacoberger1
ID: 37307720
I found my own solution.