My overall goal right now is configuring a domain trust between our local AD and a cloud-hosted AD server. A site-to-site VPN is already in place, and pinging across the VPN works without any trouble.
Cloud AD is Server 2012, Active Directory Level is 2008 R2, DNS is configured locally for the domain, and it is the only DNS server it uses.
Local AD is Server 2003, Active Directory Level is 2003, DNS is configured locally for the domain, and it is one of two domain DNS servers.
What I've done so far:
Configured reverse lookup zones on both AD DNS Servers, and configured Conditional Forwarders on both AD DNS Servers.
Currently, from the Cloud AD server, I'm able to ping random FQDNs on my Local AD network. Using NSLOOKUP, I can see the proper response on the Non-authoritative answer.
From my Local AD, none of the above works correctly, although I've run over the configuration a number of times, and it's consistent on both of them. I have the Reverse Lookup zone in there (including the PTR record), I have the conditional forwarder, I can ping the other server, but I cannot resolve the FQDN of the other server. NSLOOKUPs against the Cloud Domain respond with "Non-existent domain".
The only thing I've found that shows up wrong is that the conditional forwarder has the error message "Validation not supported" with a yellow triangle. I've been presuming this was related to the functional level mismatch, and that the stock 2003 DNS menus mention nothing about Validation.
Perchance, could anyone point me in the right direction? I feel like I'm missing something small/silly, but I'm very close to having this whole thing figured out.
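A diagnostic for the situation described above, added here as an example and not part of the original post. It asks the same questions of the local DNS server and the remote (cloud) DNS server directly, so the two answers can be compared: if the remote server answers the query but the local server returns "Non-existent domain" for the same name, the local conditional forwarder (or the path to the remote server on port 53) is what needs attention rather than the zone data. It also checks the SRV records a trust depends on, not just a host's A record, since a ping by name only proves the A record. The domain name and the two server addresses are placeholders; nslookup is used instead of Resolve-DnsName so the script runs under PowerShell 2.0 on Server 2003 as well as on Server 2012.

```powershell
# Assumed placeholder values: replace with the real cloud domain and DNS server IPs.
$RemoteDomain = 'cloud.example.com'   # assumed FQDN of the cloud AD domain
$LocalDns     = '10.0.0.10'           # assumed local 2003 DC / DNS server
$RemoteDns    = '10.1.0.10'           # assumed cloud 2012 DC / DNS server

# Records a domain controller must resolve for the other domain before a trust
# can be created: the DC locator SRV records and the domain's NS record.
$Queries = @(
    @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$RemoteDomain" },
    @{ Type = 'SRV'; Name = "_kerberos._tcp.$RemoteDomain" },
    @{ Type = 'NS';  Name = $RemoteDomain }
)

function Test-Lookup {
    param([string]$Name, [string]$Type, [string]$Server)
    # nslookup sends the query straight to $Server, bypassing the local
    # resolver cache and the hosts file, so the result reflects that server alone.
    $out = & nslookup "-type=$Type" $Name $Server 2>&1 | Out-String
    $ok  = ($out -notmatch 'Non-existent domain') -and
           ($out -notmatch 'timed-out') -and
           ($out -notmatch "can't find")
    New-Object PSObject -Property @{
        Server   = $Server
        Type     = $Type
        Name     = $Name
        Resolved = $ok
    }
}

# Query each record against both servers and tabulate the results.
$results = foreach ($q in $Queries) {
    foreach ($srv in @($LocalDns, $RemoteDns)) {
        Test-Lookup -Name $q.Name -Type $q.Type -Server $srv
    }
}
$results | Format-Table Server, Type, Name, Resolved -AutoSize
```

Run it from the local 2003 DC, then again from the cloud 2012 DC with the domain and server variables swapped, since a trust needs resolution to work in both directions. A row where $RemoteDns resolves and $LocalDns does not isolates the local forwarder; a row where neither resolves points at the remote zone or at port 53 being blocked across the VPN.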