
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 633

Trust relationship between 2008 and 2003

Hi Experts,
I have something that worked fine before and suddenly stopped working.
I have two domains (D1 and D2) in different subnets, so the firewall is configured properly because it worked before.
D1 is Windows 2008 R2 and D2 is Windows 2003 upgraded from NT. When I try to validate, I get this: "Windows cannot find an active directory domain controller for the D2.domain.com." I think I have a DNS issue, so I have checked both DNS servers and they looked fine.

What are the ideal DNS settings? I can ping each other by IP but not by name. Somehow DNS is not working the way it should.

I wish I could provide more information but ask me if you need more.

Thanks in advance
2 Solutions
Things to start with:

1.  Can you ping D2.domain.com from D1 (literally ping the domain name and see if a DC replies; don't just ping a host)?  Same the other way around: ping D1.domain.com from D2.  Do this from ALL domain controllers in each domain.

2.  Verify that dcdiag on both domains is functioning properly.

3.  Even though you say the firewall is fine, make sure the proper ports are open for the trust to communicate.
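The three checks above, as an added example script (not from the original answer or thread) to run elevated on a D1 domain controller against D2. It assumes the domains are d1.domain.com and d2.domain.com and that a D2 DC sits at 10.0.2.10; Resolve-DnsName and Test-NetConnection need Windows 8 / 2012 or later, so on 2008 R2 use nslookup and telnet for the same checks. It goes slightly beyond the answer by also testing 445 (SMB/Netlogon) and 464 (Kerberos password change), which trust creation and validation also use, and by finishing with the DC locator and netdom, which is what the trust wizard relies on.

```powershell
# Added example, not code from the thread. Run elevated on a DC in D1.
# Assumed names/addresses: d1.domain.com, d2.domain.com, D2 DC at 10.0.2.10.
$LocalDomain  = 'd1.domain.com'
$TargetDomain = 'd2.domain.com'
$TargetDc     = '10.0.2.10'   # assumed address of a domain controller in D2

# 1. Name resolution the trust depends on: the bare domain name must resolve
#    to a DC, and the DC-locator SRV record must exist and point at a DC.
Write-Host "== DNS for $TargetDomain =="
Resolve-DnsName -Name $TargetDomain -Type A -ErrorAction Continue |
    Format-Table Name, IPAddress -AutoSize
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetDomain" -Type SRV -ErrorAction Continue |
    Format-Table Name, NameTarget, Port -AutoSize

# The DC locator is what produces "cannot find an active directory domain
# controller"; /force bypasses the locator cache so you see the live result.
Write-Host "== DC locator =="
nltest /dsgetdc:$TargetDomain /force

# 2. Health of the local DC, including its DNS registrations.
Write-Host "== dcdiag (local DC) =="
dcdiag /q
dcdiag /test:dns /q

# 3. Ports a trust needs, tested TCP to the remote DC through the firewall.
Write-Host "== Ports to $TargetDc =="
$Ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
            445='SMB / Netlogon'; 464='Kerberos password change'; 636='LDAPS' }
foreach ($p in ($Ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $TargetDc -Port $p -WarningAction SilentlyContinue
    '{0,5}  {1,-26} {2}' -f $p, $Ports[$p], $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}
# Note: RPC over 135 then hands off to a dynamic high port (49152-65535 on
# 2008 R2 and later, 1025-5000 on 2003). Those ports only listen once an RPC
# call is in progress, so a single TCP probe cannot prove the range is open;
# the firewall must pass the whole range or inspect DCERPC.

# Finally, once DNS and ports pass, let netdom verify the trust itself.
Write-Host "== Trust verification =="
netdom trust $LocalDomain /domain:$TargetDomain /verify
```

Run it on every DC in D1, then the mirror image (swap the domain names and use a D1 DC address) on every DC in D2, as the answer says; a trust that validates from one DC but not another usually points at a DC whose own DNS client settings differ.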
Ksean (Author) commented:
I can ping both domains from each other. I have one server down on each side, but the primary servers are up and running. Do I need all servers up and running in order to make the trust relationship?
Pber (Solutions Architect) commented:
As far as your DNS goes... ideally you would use stub zones on each DNS server, pointing to each other's DNS zone.  You could also do conditional forwarders for each other's zones as well.  

If you share common address space, i.e. mydomain.com and anotherdomain.mydomain.com, you will have to do a delegation on the mydomain.com server to the subordinate domain.

Other things you can try on the DCs: telnet to the common ports used with trusts and see if you can connect: 53 (DNS), 88 (Kerberos), 135 (RPC), 389 (LDAP), 636 (Secure LDAP).   That being said, RPC will allocate high ports to communicate over.  So if you have set high firewall ports that worked before, it is feasible a new port could be used now.  If you have a firewall that can handle DCERPC (or dynamic RPC), you should be OK if that is configured.

Also make sure your time is correct on each server.
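The DNS layout this answer recommends (stub zone or conditional forwarder, delegation for a child namespace) plus the clock check, as an added example that is not from the thread. It assumes D2's zone is d2.domain.com with its DNS/DC at 10.0.2.10 and D1's DNS server at 10.0.1.10, and is written for the DnsServer module on 2012 or later; the dnscmd lines in the comments are the equivalents that work on 2008 R2 and 2003. Run it on a D1 DNS server, then mirror it on D2.

```powershell
# Added example, not code from the thread. Run elevated on a DNS server in D1.
# Assumed names/addresses: zone d2.domain.com, D2 DNS at 10.0.2.10,
# D1 DNS at 10.0.1.10. Create EITHER the forwarder OR the stub zone, not both.
$RemoteZone = 'd2.domain.com'
$RemoteDns  = '10.0.2.10'
$LocalDns   = '10.0.1.10'

# Option A: conditional forwarder. D1's server sends every query for the
# zone to D2's server and holds no copy of the zone data itself.
Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns `
    -ReplicationScope 'Forest'
# 2003 / 2008 R2 equivalent:  dnscmd /ZoneAdd d2.domain.com /Forwarder 10.0.2.10

# Option B: stub zone. D1's server keeps only the zone's SOA, NS and glue
# records (refreshed from D2's server) and follows them to resolve names, so
# it keeps working if D2 adds or renames DNS servers.
# Add-DnsServerStubZone -Name $RemoteZone -MasterServers $RemoteDns -ReplicationScope 'Forest'
# 2003 / 2008 R2 equivalent:  dnscmd /ZoneAdd d2.domain.com /Stub 10.0.2.10

# Delegation case: if D2 were a child namespace inside D1's own zone
# (e.g. child.d1.domain.com), forwarding is the wrong tool; delegate the
# child from the parent zone to a D2 DNS server instead.
# Add-DnsServerZoneDelegation -Name 'd1.domain.com' -ChildZoneName 'child' `
#     -NameServer 'dc1.child.d1.domain.com' -IPAddress $RemoteDns

# Check the result against D1's own server: both the domain name and the
# DC-locator SRV record must answer, otherwise the trust wizard cannot find a DC.
Resolve-DnsName -Name $RemoteZone -Type A -Server $LocalDns
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteZone" -Type SRV -Server $LocalDns

# Time: Kerberos rejects tickets when clocks differ by more than the
# configured tolerance (5 minutes by default). Compare this host's clock
# with the D2 DC; the offset column should be within a few seconds.
w32tm /stripchart /computer:$RemoteDns /samples:3 /dataonly
```

Whichever zone type you pick, point it only at DNS servers that are actually authoritative for the other domain (its DCs, in the usual case); pointing a forwarder at a server that itself forwards elsewhere is a common way to get resolution that works for ordinary hosts but still fails the SRV lookup the trust needs.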