Adding an Active Directory trust

Ralph Scharping
Hi,

I'm trying to create a two-way domain trust between two AD domains. The two networks are linked via VPN. Firewall is open.
Each domain has two DCs. One has 2008 R2 + 2016 with domain and forest functional level at 2008 R2.
The other has 2x 2016 with domain and forest functional level also at 2008 R2.

I have added DNS domains in reciprocal DNS first as a secondary domain, then as a conditional forwarding domain.  I added both forward and reverse lookup.  NSlookup-queries are answered fine.  nslookup -q=ns domain2.local produces the expected results.

When I try to add the trust, the message says that the domain could not be found. This happens in the command line and in the wizard on both ends the same way. There are no relevant events in the event log.

One of the two domains (the one with the 2008 R2 + 2016 DCs) already has a trust to another domain in place. I added that trust back in 2016 and it was a very simple process that succeeded on the first try.

What am I missing?

Thanks,
Ralph

Commented:
Are you trying to add a 2-way trust relationship? If not, which domain is the trusting and which is the trusted? Remember you need to configure the trust on the trusting domain first.

Are you able to ping the domain controllers in both directions?
Ralph Scharping, Digital Therapist

Author

Commented:
Hi Ibrahim,

thanks for your reply. I am not sure I understand the difference. The domains should be able to access each other. Adding the trust does not work either way.
Yes, the DCs are able to ping each other both by name and by address.
Mahesh, Architect
Distinguished Expert 2018

Commented:
I have added DNS domains in reciprocal DNS first as a secondary domain, then as a conditional forwarding domain.  I added both forward and reverse lookup.

what do you mean by secondary domain?

All you need is *only* conditional forwarder between both domains pointing to each other
Ex:
A.com and B.com
A.com should have conditional forwarder pointing to B.com with B.com DNS servers IP address
Similarly, B.com should have conditional forwarder pointing to A.com with A.com DNS servers IP address

As long as the SRV query to the opposite domain resolves, DNS resolution is working and you can build the trust.

In each domain DNS server type:
nslookup
_ldap._tcp.dc._msdcs.Domain.com

You should get an answer.
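The forwarder-plus-SRV check described above, as an added PowerShell example that is not code from the thread or its participants: it adds the conditional forwarder (only if no other zone type for that name exists), runs the SRV query the way `set type=all` would in nslookup, and lists each remote DC once. The domain names and 192.168.x.x addresses are assumed stand-ins taken from the thread.

```powershell
# Added example, not from the thread: check the DNS prerequisites for a trust from a.com
# to b.com. Domain names and the 192.168.x.x addresses are assumed stand-ins from the
# thread; run this on a DC of the local domain that also runs its DNS server.
param(
    [string]$RemoteDomain = 'b.com',                          # assumed remote domain
    [string[]]$RemoteDns  = @('192.168.2.1', '192.168.2.2')   # assumed remote DNS servers
)

# 1. Only a conditional forwarder, never a secondary zone, for the remote domain.
$zone = Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue
if ($zone -and $zone.ZoneType -ne 'Forwarder') {
    Write-Warning "$RemoteDomain is present as a '$($zone.ZoneType)' zone; remove it first."
    return
}
if (-not $zone) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDns -ReplicationScope Forest
}

# 2. SRV lookup for the remote DCs. -Type SRV does what "set type=all" does in nslookup;
#    the default A/AAAA query returns only the name, which is the empty-looking answer
#    the author first posted and is not proof that resolution works.
$srvName = "_ldap._tcp.dc._msdcs.$RemoteDomain"
try {
    $answer = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop
} catch {
    Write-Error "No answer for $srvName from the local resolver: $($_.Exception.Message)"
    return
}
$srv  = @($answer | Where-Object { $_.Type -eq 'SRV' })
$glue = @($answer | Where-Object { $_.Type -eq 'A' })
if ($srv.Count -eq 0) { Write-Error "$srvName returned no SRV records"; return }

# 3. One line per DC. Group case-insensitively so a target listed as both DC02.b.com
#    and dc02.b.com (as in the thread's output) is reported once.
foreach ($group in ($srv | Group-Object { $_.NameTarget.ToLower() })) {
    $rec = $group.Group[0]
    $ip  = ($glue | Where-Object { $_.Name -ieq $rec.NameTarget } | Select-Object -First 1).IPAddress
    if (-not $ip) { $ip = 'no A record in the additional section' }
    '{0,-20} port {1} prio {2} weight {3} -> {4}' -f $rec.NameTarget, $rec.Port, $rec.Priority, $rec.Weight, $ip
}
```

Run it on a DC of each domain in turn with the other domain's name and DNS servers, so both directions are verified before starting the trust wizard.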

Ralph Scharping, Digital Therapist

Author

Commented:
Hi Mahesh,

thanks for your reply.
By secondary domain I mean that I first tried to add the B.com domain as a secondary domain in the DNS of a.com.
After that did not work, I removed the secondary domain and added the conditional forwarding as you described.

nslookup reply looks like this:

C:\Windows\system>nslookup _ldap._tcp.dc._msdcs.b.com
Server:     dc.a.com
Address:  192.168.1.1

Name:    _ldap._tcp.dc._msdcs.b.com

That is all - no other information is given.
Mahesh, Architect
Distinguished Expert 2018

Commented:
Remove all secondary domains and just use conditional forwarders, then try the nslookup query from cmd:

nslookup <enter>
_ldap._tcp.dc._msdcs.Domain.com <Enter>

If you get a proper response to the SRV lookup, your name resolution is working and then you can build the trust.
Ralph Scharping, Digital Therapist

Author

Commented:
I HAVE already removed all secondary domains. Even before adding the conditional forwarders I had removed them. And I rebooted all servers. And I refreshed all zones and emptied all caches.

What is the proper response that I should be receiving? Is the response I posted not proper?  I get the same thing when I ask this question within my domain...
Mahesh, Architect
Distinguished Expert 2018

Commented:
I believe you missed step "set type=all" in nslookup prompt
Ralph Scharping, Digital Therapist

Author

Commented:
It does match.  Only thing I notice:  it lists three DCs like this:

_ldap._tcp.dc._msdcs.bc.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC02.b.com
_ldap._tcp.dc._msdcs.b.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC01.b.com
_ldap._tcp.dc._msdcs.b.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.b.com

DC02.b.com   internet address = 192.168.2.1
DC01.b.com   internet address = 192.168.2.2
dc02.b.com   internet address = 192.168.2.1

Notice how it lists the second DC twice.  But other than that names and IPs are correct.
Mahesh, Architect
Distinguished Expert 2018

Commented:
Still you are not able to build the trust?

What error are you getting?

Ensure that any-any ports are allowed bi-directionally between both source and target DCs.
Ralph Scharping, Digital Therapist

Author

Commented:
All ports are allowed bi-directionally.
I have not yet changed anything, only looked at the result of the new nslookup-query that I had not yet previously seen.

No, I still cannot build the trust.
The wizard starts by asking my domain, then it takes about 30 sec.
On the next page I have two options: add a trust to a Kerberos V5 realm that is not an AD domain, or add a trust to an AD domain.
This is already odd - it should not be asking this.
I choose Windows domain, of course. It asks me the domain name again.
On the next page it says that the domain could not be found.

It has been behaving like this since the very beginning.
Mahesh, Architect
Distinguished Expert 2018

Commented:
Can you check the domain controller NIC advanced DNS config and post it here?

Did you set any DNS search suffix list in a domain-level policy which excludes your own domain?

Download the PortQueryUI tool from MS and try the "Domains and Trusts" test against the opposite domain controllers and post the results here; check from the output if all AD ports are open.
Ralph Scharping, Digital Therapist

Author

Commented:
The server is running German language windows - I might not accurately transcribe all terms.

The list of DNS suffixes is empty. "Append primary DNS suffix of the connection" is active. "Append parent suffixes of the primary DNS suffix" is active. The field for the DNS suffix for this connection is empty.
"register addresses of this connection in DNS" is active.
"use DNS-suffix of this connection in DNS-registration" is inactive.

While you read this, I will deactivate windows firewall on both ends and retry.  I'd be really embarrassed if that's the problem...
Ralph Scharping, Digital Therapist

Author

Commented:
No change with deactivated windows firewall.
Mahesh, Architect
Distinguished Expert 2018

Commented:
DNS:
Above, under DNS addresses, it should point only to internal DNS servers (primary and secondary), and there should not be any public DNS entry.

The rest of the settings also need to be the same.

Also, have you tried the PortQueryUI tool?
Ralph Scharping, Digital Therapist

Author

Commented:
The screenshot looks identical.

Yes, I have tried PortQuery.  These ports are returned as listening:
135 TCP
53 TCP + UDP
445 TCP
139 TCP

These ports are returned as filtered:
389 UDP + TCP
363 TCP
3268 TCP
3269 TCP
88 TCP + UDP
137 UDP
138 UDP
42 TCP

Most of these ports I have never heard of, but the relevant ports seem to be open.  I'm not so sure about the LDAP port 389 - I guess that one should be open.  My VPN-firewall has all ports open, windows-firewall is disabled on both ends.  Sophos Endpoint Protection is disabled on both ends.
Mahesh, Architect
Distinguished Expert 2018
Commented:
Refer to the ports below, which need to be opened bi-directionally between the source and target PDC master for the trust to work. You should configure the trust from the PDC servers only; if you tried from other servers, it first tries to contact the PDC anyway.

TCP and UDP 389, 445, 53, 88, 464
TCP 636, 139, 3268, 3269, 49152-65535
UDP 137, 138, 123, 49152-65535

https://www.experts-exchange.com/questions/29125445/Ports-that-Win-10-uses-to-logon-to-Server-2016-RODC.html
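The port list above turned into a reachability check, as an added PowerShell example that is not code from the thread: it locates the remote PDC emulator (the DC the trust wizard contacts) and tests each TCP port in the list. `Test-NetConnection` only tests TCP, so the UDP ports and the 49152-65535 RPC range still need PortQry as Mahesh suggests; `b.com` is an assumed stand-in for the remote domain.

```powershell
# Added example, not from the thread: test the TCP trust ports from this DC to the
# remote domain's PDC emulator. Requires the ActiveDirectory module when the PDC is
# not given explicitly. 'b.com' is an assumed stand-in for the remote domain.
param(
    [string]$RemoteDomain = 'b.com',   # assumed remote domain
    [string]$RemotePdc    = ''         # optional: FQDN of the remote PDC emulator
)

# The trust wizard talks to the other domain's PDC emulator, so locate it via DNS.
# This only works once the SRV lookups discussed earlier in the thread succeed.
if (-not $RemotePdc) {
    try {
        $pdc = Get-ADDomainController -Discover -DomainName $RemoteDomain -Service PrimaryDC -ErrorAction Stop
        $RemotePdc = [string]$pdc.HostName
    } catch {
        Write-Error "Could not locate the PDC emulator for $RemoteDomain : $($_.Exception.Message)"
        return
    }
}

# TCP ports from the list in this thread, with the service each one carries.
$tcpPorts = [ordered]@{
    53   = 'DNS';   88   = 'Kerberos';       139  = 'NetBIOS session'
    389  = 'LDAP';  445  = 'SMB';            464  = 'Kerberos kpasswd'
    636  = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'GC over SSL'
}

$blocked = @()
foreach ($port in $tcpPorts.Keys) {
    $ok = Test-NetConnection -ComputerName $RemotePdc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-6} {1,-16} {2}' -f $port, $tcpPorts[$port], $(if ($ok) { 'open' } else { 'FILTERED' })
    if (-not $ok) { $blocked += $port }
}

# A port that the VPN gateway allows but that shows FILTERED here is being dropped on a
# host: the Windows firewall or, as in this thread, an endpoint product's own firewall.
if ($blocked) { Write-Warning ("Blocked TCP ports to {0}: {1}" -f $RemotePdc, ($blocked -join ', ')) }
else { "All listed TCP ports reachable on $RemotePdc" }
```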
Ralph Scharping, Digital Therapist

Author

Commented:
Antivirus software on one end had an integrated firewall that was acting up. That was unexpected - and a bit embarrassing. Thanks for your help.
