Trust relationship between 2008 and 2003

Posted on 2011-10-25
Last Modified: 2012-05-12
Hi Experts,
I have some issues that worked fine before and suddenly stopped working.
I have two domains (D1 and D2) in different subnets, so the firewall is configured properly because it worked before.
D1 is Windows 2008 R2 and D2 is Windows 2003 upgraded from NT. When I try to validate, I get this: "Windows cannot find an active directory domain controller for the" I think I have a DNS issue, so I have checked both DNS servers and they looked fine.

What are the ideal DNS settings? I can ping each other by IP but not by name. Somehow DNS is not working the way it should be.

I wish I could provide more information but ask me if you need more.

Thanks in advance.
Question by: Ksean
    LVL 23

    Accepted Solution

    Things to start with:

    1.  Can you ping from D1 (literally ping the domain name and see if a DC replies, don't just ping a host).  Same for the other way from D2.  Do this from ALL domain controllers in each domain.

    2.  Verify that dcdiag on both domains is functioning properly.

    3.  Even though you say the firewall is fine, make sure the proper ports are open for the trust to communicate.

    Author Comment

    I can ping both domains from each other. I have one server down on each side, but the primary servers are up and running. Do I need all servers up and running in order to make the trust relationship?
    LVL 26

    Assisted Solution

    As far as your DNS... ideally you would use stub zones on each DNS server, pointing to each other's DNS zone.  You could also do conditional forwarders for each other's zones as well.

    If you share common address space:  i.e. and you will have to do a delegation on the server to the subordinate domain.

    Other things you can try on the DCs: telnet to the common ports used with trusts and see if you can connect.  53 (DNS), 88 (Kerberos), 135 (RPC), 389 (LDAP), 636 (Secure LDAP).   That being said, RPC will allocate high ports to communicate over.  So if you have set high firewall ports that worked before, it is feasible a new port could be used now.  If you have a firewall that can handle DCERPC (or dynamic RPC) you should be OK if that is configured.

    Also make sure your time is correct on each server.
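The checks in this answer (locate the partner domain's DCs through DNS, test the trust ports, compare clocks), as an added PowerShell script that is not from the thread or its posters. It assumes the partner domain's DNS name is passed as $PartnerDomain, is run on a DC of each domain in turn, and uses nslookup and .NET sockets so it also works on the 2003/2008-era PowerShell the question involves.

```powershell
# Added example: run on a D1 DC with D2's DNS name, then on a D2 DC with D1's name.
param(
    [Parameter(Mandatory=$true)][string]$PartnerDomain,
    [int]$TimeoutMs = 3000
)

# Ports named in the answer above, plus 445 (SMB) and 464 (Kerberos password change),
# which trust traffic also commonly uses. RPC high ports are dynamic and not enumerated here.
$ports = 53, 88, 135, 389, 445, 464, 636

# 1. Find the partner's DCs via the SRV record a trust lookup depends on.
#    If this returns nothing, the stub zone / conditional forwarder / delegation is the problem.
$srv = "_ldap._tcp.dc._msdcs.$PartnerDomain"
$dcs = nslookup -type=SRV $srv 2>$null | ForEach-Object {
    if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique
if (-not $dcs) {
    Write-Warning "No SRV record for $srv resolves from this server; fix DNS before looking at the firewall."
    return
}

# 2. TCP-connect to each trust port on each partner DC, with a timeout so a dropped
#    packet shows as BLOCKED instead of hanging the script.
function Test-Port([string]$HostName, [int]$Port, [int]$Timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $state = if (Test-Port $dc $p $TimeoutMs) { 'open' } else { 'BLOCKED/closed' }
        "{0,-40} {1,5} {2}" -f $dc, $p, $state
    }
    # 3. Kerberos rejects tickets when clocks differ by more than 5 minutes (default);
    #    w32tm prints this server's offset from the partner DC.
    w32tm /stripchart /computer:$dc /samples:1 /dataonly
}
```

A port reported open here but a trust that still fails usually points at the dynamic RPC range, which the answer above notes the firewall must also allow.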
