Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Setup Domain Trust for internal networks fail

Posted on 2014-04-09
24
Medium Priority
?
98 Views
Last Modified: 2015-01-26
I have two domains that for the life of me, I cannot set up a trust between the two. I have tried setting up conditional forwarding, stub zone, zone transfer method and nothing works. nslookup does not resolve the second domain nor does the ip address resolve in the New Zone Wizards.

My main domain that will hold all of the resources are Windows 2003 domain controllers and the new domain is using Windows Server 2008r2. Am I having so much trouble because they are different server platforms? Could it be because during dcpromo I selected 2008 for domain compatibility? I didnt think that would matter if I am just creating the trust, but I could see why it would be if thats the case.

Thanks.
0
Comment
Question by:Luis_Romero
  • 13
  • 11
24 Comments
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39988667
did you set "IP" allow on your DNS server to allow zone transfer.

and do it from scratch, are you able to ping the DCs on the primary domain from the secondary?
0
 

Author Comment

by:Luis_Romero
ID: 39988701
Yes I did. And yes, when doing it from scratch I can ping the DCs FQDN. At this point I am more interested in using stub zones though.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39988723
only 3 things is needed.

domain name
FQDN of the DNS server
IP of the DNS server

as long as you can ping it........ and I assume you can nslookup by using server on the other domain you should be good to go (make sure no firewall or network issue via port 53)

example
nslookup somename other_dc_servername
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:Luis_Romero
ID: 39988784
Thats the problem, I can ping, but nslookup wont resolve. The two domains are within our company firewall, so I dont see why I am unable to get this working...
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39988849
even you try to nslookup www.google.com (OtherDCFQDNname or IP)

by using the other dns server. do you have dns proxy set to only all certain ip for dns lookup on your network?

another word, does all the DNS traffic sent to your FW and then back to your DC for lookup?
0
 

Author Comment

by:Luis_Romero
ID: 39988911
If I do www.google.com it resolves fine and there are no proxies. And our dns resolves on our servers, not our firewall.
0
 

Author Comment

by:Luis_Romero
ID: 39988916
The rules on our firewall for dns is to block incoming dns and allow dns going out.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39988917
from 2nd domain dc
do nslookup
server primary domain dc ip or fqdn name
lookup primary domain machine

does it resolve?
0
 

Author Comment

by:Luis_Romero
ID: 39988995
If I do nslookup using the ipaddress, it shows correctly. If I do it using the FQDN, it times out after a couple seconds.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39989060
that's normal since you domain doesn't know how to resolve that name.

but IP works. that's good enough.

now try to setup the stub zone, and add the IP of other domain as a forwarder under DNS.
0
 

Author Comment

by:Luis_Romero
ID: 39989137
Adding the IP of the other domain still fails to validate under Forwarders and stub zone setup... it does resolve the server name though...
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39989314
yes you DNS doesn't resolve that name, then it will try it via the forwarder.

what if you add the primary domain DNS server as the forwarder, does it resolve it afterward?

you can do the trick by adding an A record. and then try again.
0
 

Author Comment

by:Luis_Romero
ID: 39989361
If I add the primary domain controller as a forwarder onto the new domain, no. It fails to validate.
If I add the DC that I am working on into the forwarders, then it validates fine.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39989485
add an reverse A record than it will resolve it
0
 

Author Comment

by:Luis_Romero
ID: 39993910
Same thing, doesnt resolve or validate with the reverse lookup added.
0
 

Author Comment

by:Luis_Romero
ID: 39993914
{removed}
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39994119
after you add the reverse lookup IP, and if you lookup the ip, does it return the pointer name?
0
 

Author Comment

by:Luis_Romero
ID: 39994497
this is from the primary domain's DC...

C:\Documents and Settings\Administrator>nslookup
Default Server:  xxxx.mm.com
Address:  10.1.1.1

> server 10.1.2.10
Default Server:  mpdc1.2.1.10.in-addr.arpa
Address:  10.1.2.10

> server mpdc1.mp.local
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Can't find address for server mpdc1.mp.local: Timed out
> server 10.1.2.10.mp.local
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Can't find address for server 10.1.2.10.mp.local: Timed out
>
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39994706
so you don't have the record on the DNS server.
0
 

Author Comment

by:Luis_Romero
ID: 39994886
I do, under the reverse lookup zone, zone 2.1.10-in-addr.arpa, I have a A record for mpdc1 which points to the domain controller. mpdc1 : 10.1.2.10. It is also listed in my Forwarders tab. This is on the main domain's DC.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39994898
C:\Documents and Settings\Administrator>nslookup
Default Server:  xxxx.mm.com
Address:  10.1.1.1

> server 10.1.2.10
Default Server:  mpdc1.2.1.10.in-addr.arpa
Address:  10.1.2.10

> server mpdc1.mp.local <------ just lookup the name by not using that as lookup server
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Can't find address for server mpdc1.mp.local: Timed out
> server 10.1.2.10.mp.local <-------------------- you just type the name not server xxxxx
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Can't find address for server 10.1.2.10.mp.local: Timed out
>
0
 

Accepted Solution

by:
Luis_Romero earned 0 total points
ID: 40000184
I have found the issue. It seems that this server that is hosting my virtual domain environment is in a dmz and no one told me. I added a second network card that ties directly into the other domain, and did the same on the other network and was able to establish a domain trust. Thank you everyone who contributed to this exhausting and painful process!
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 40000204
good that you found the root cause.
0
 

Author Closing Comment

by:Luis_Romero
ID: 40570218
I resolved my own issue.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question