Luis_Romero
asked on
Setup Domain Trust for internal networks fail
I have two domains that for the life of me, I cannot set up a trust between the two. I have tried setting up conditional forwarding, stub zone, zone transfer method and nothing works. nslookup does not resolve the second domain nor does the ip address resolve in the New Zone Wizards.
My main domain that will hold all of the resources are Windows 2003 domain controllers and the new domain is using Windows Server 2008r2. Am I having so much trouble because they are different server platforms? Could it be because during dcpromo I selected 2008 for domain compatibility? I didnt think that would matter if I am just creating the trust, but I could see why it would be if thats the case.
Thanks.
My main domain that will hold all of the resources are Windows 2003 domain controllers and the new domain is using Windows Server 2008r2. Am I having so much trouble because they are different server platforms? Could it be because during dcpromo I selected 2008 for domain compatibility? I didnt think that would matter if I am just creating the trust, but I could see why it would be if thats the case.
Thanks.
ASKER
Yes I did. And yes, when doing it from scratch I can ping the DCs FQDN. At this point I am more interested in using stub zones though.
only 3 things is needed.
domain name
FQDN of the DNS server
IP of the DNS server
as long as you can ping it........ and I assume you can nslookup by using server on the other domain you should be good to go (make sure no firewall or network issue via port 53)
example
nslookup somename other_dc_servername
domain name
FQDN of the DNS server
IP of the DNS server
as long as you can ping it........ and I assume you can nslookup by using server on the other domain you should be good to go (make sure no firewall or network issue via port 53)
example
nslookup somename other_dc_servername
ASKER
Thats the problem, I can ping, but nslookup wont resolve. The two domains are within our company firewall, so I dont see why I am unable to get this working...
even you try to nslookup www.google.com (OtherDCFQDNname or IP)
by using the other dns server. do you have dns proxy set to only all certain ip for dns lookup on your network?
another word, does all the DNS traffic sent to your FW and then back to your DC for lookup?
by using the other dns server. do you have dns proxy set to only all certain ip for dns lookup on your network?
another word, does all the DNS traffic sent to your FW and then back to your DC for lookup?
ASKER
If I do www.google.com it resolves fine and there are no proxies. And our dns resolves on our servers, not our firewall.
ASKER
The rules on our firewall for dns is to block incoming dns and allow dns going out.
from 2nd domain dc
do nslookup
server primary domain dc ip or fqdn name
lookup primary domain machine
does it resolve?
do nslookup
server primary domain dc ip or fqdn name
lookup primary domain machine
does it resolve?
ASKER
If I do nslookup using the ipaddress, it shows correctly. If I do it using the FQDN, it times out after a couple seconds.
that's normal since you domain doesn't know how to resolve that name.
but IP works. that's good enough.
now try to setup the stub zone, and add the IP of other domain as a forwarder under DNS.
but IP works. that's good enough.
now try to setup the stub zone, and add the IP of other domain as a forwarder under DNS.
ASKER
Adding the IP of the other domain still fails to validate under Forwarders and stub zone setup... it does resolve the server name though...
yes you DNS doesn't resolve that name, then it will try it via the forwarder.
what if you add the primary domain DNS server as the forwarder, does it resolve it afterward?
you can do the trick by adding an A record. and then try again.
what if you add the primary domain DNS server as the forwarder, does it resolve it afterward?
you can do the trick by adding an A record. and then try again.
ASKER
If I add the primary domain controller as a forwarder onto the new domain, no. It fails to validate.
If I add the DC that I am working on into the forwarders, then it validates fine.
If I add the DC that I am working on into the forwarders, then it validates fine.
add an reverse A record than it will resolve it
ASKER
Same thing, doesnt resolve or validate with the reverse lookup added.
ASKER
{removed}
after you add the reverse lookup IP, and if you lookup the ip, does it return the pointer name?
ASKER
this is from the primary domain's DC...
C:\Documents and Settings\Administrator>nsl
Default Server: xxxx.mm.com
Address: 10.1.1.1
> server 10.1.2.10
Default Server: mpdc1.2.1.10.in-addr.arpa
Address: 10.1.2.10
> server mpdc1.mp.local
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server mpdc1.mp.local: Timed out
> server 10.1.2.10.mp.local
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server 10.1.2.10.mp.local: Timed out
>
C:\Documents and Settings\Administrator>nsl
Default Server: xxxx.mm.com
Address: 10.1.1.1
> server 10.1.2.10
Default Server: mpdc1.2.1.10.in-addr.arpa
Address: 10.1.2.10
> server mpdc1.mp.local
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server mpdc1.mp.local: Timed out
> server 10.1.2.10.mp.local
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server 10.1.2.10.mp.local: Timed out
>
so you don't have the record on the DNS server.
ASKER
I do, under the reverse lookup zone, zone 2.1.10-in-addr.arpa, I have a A record for mpdc1 which points to the domain controller. mpdc1 : 10.1.2.10. It is also listed in my Forwarders tab. This is on the main domain's DC.
C:\Documents and Settings\Administrator>nsl
Default Server: xxxx.mm.com
Address: 10.1.1.1
> server 10.1.2.10
Default Server: mpdc1.2.1.10.in-addr.arpa
Address: 10.1.2.10
> server mpdc1.mp.local <------ just lookup the name by not using that as lookup server
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server mpdc1.mp.local: Timed out
> server 10.1.2.10.mp.local <-------------------- you just type the name not server xxxxx
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server 10.1.2.10.mp.local: Timed out
>
Default Server: xxxx.mm.com
Address: 10.1.1.1
> server 10.1.2.10
Default Server: mpdc1.2.1.10.in-addr.arpa
Address: 10.1.2.10
> server mpdc1.mp.local <------ just lookup the name by not using that as lookup server
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server mpdc1.mp.local: Timed out
> server 10.1.2.10.mp.local <-------------------- you just type the name not server xxxxx
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Can't find address for server 10.1.2.10.mp.local: Timed out
>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
good that you found the root cause.
ASKER
I resolved my own issue.
and do it from scratch, are you able to ping the DCs on the primary domain from the secondary?