Ralph Scharping

Adding an Active Directory trust

Hi,

I'm trying to create a two-way domain trust between two AD domains.  The two networks are linked via VPN.  Firewall is open.
Each domain has two DCs.  One has 2008 R2 + 2016 with domain and forest functional level at 2008 R2.
The other has 2x 2016 with domain and forest functional level also at 2008 R2.

I have added DNS domains in reciprocal DNS first as a secondary domain, then as a conditional forwarding domain.  I added both forward and reverse lookup.  nslookup queries are answered fine.  nslookup -q=ns domain2.local produces the expected results.

When I try to add the trust, the message says that the domain could not be found.  This happens in the command line and in the wizard on both ends the same way.  There are no relevant events in the event log.

One of the two domains (the one with the 2008 R2 + 2016 DCs) already has a trust to another domain in place.  I added that trust back in 2016 and it was a very simple process that succeeded on the first try.

What am I missing?

Thanks,
Ralph
Tags: Active Directory, Windows 10, Azure, Windows Server 2016

Last comment: Ralph Scharping, 8/22/2022 - Mon

Ibrahim Benna

Are you trying to add a 2-way trust relationship? If not, which domain is the trusting and which is the trusted? Remember you need to configure the trust on the trusting domain first.

Are you able to ping the domain controllers in both directions?
Ralph Scharping

ASKER
Hi Ibrahim,

Thanks for your reply.  I am not sure I understand the difference.  The domains should be able to access each other.  Adding the trust does not work either way.
Yes, the DCs are able to ping each other both by name and by address.
Mahesh

I have added DNS domains in reciprocal DNS first as a secondary domain, then as a conditional forwarding domain.  I added both forward and reverse lookup.

what do you mean by secondary domain?

All you need is *only* conditional forwarder between both domains pointing to each other
Ex:
A.com and B.com
A.com should have conditional forwarder pointing to B.com with B.com DNS servers IP address
Similarly, B.com should have conditional forwarder pointing to A.com with A.com DNS servers IP address

As long as the SRV query to the opposite domain is resolving, you can resolve DNS and you can build the trust.

In each domain DNS server type:
nslookup
_ldap._tcp.dc._msdcs.Domain.com

you should get answer
Ralph Scharping

ASKER
Hi Mahesh,

thanks for your reply.
By secondary domain I mean that I first tried to add the B.com domain as a secondary domain in the DNS of a.com.
After that did not work, I removed the secondary domain and added the conditional forwarding as you described.

nslookup reply looks like this:

C:\Windows\system>nslookup _ldap._tcp.dc._msdcs.b.com
Server:     dc.a.com
Address:  192.168.1.1

Name:    _ldap._tcp.dc._msdcs.b.com

That is all - no other information is given.
Mahesh

remove all secondary domains and just use conditional forwarders and then try nslookup query from cmd

nslookup <enter>
_ldap._tcp.dc._msdcs.Domain.com <Enter>

If you get proper response in srv lookup, your name resolution is working and then you can build trust
Ralph Scharping

ASKER
I HAVE already removed all secondary domains.  Even before adding conditional forwarders I had removed them.  And I rebooted all servers.  And I refreshed all zones and emptied all caches.

What is the proper response that I should be receiving? Is the response I posted not proper?  I get the same thing when I ask this question within my domain...
Mahesh

I believe you missed step "set type=all" in nslookup prompt
Ralph Scharping

ASKER
It does match.  Only thing I notice:  it lists three DCs like this:

_ldap._tcp.dc._msdcs.bc.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC02.b.com
_ldap._tcp.dc._msdcs.b.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC01.b.com
_ldap._tcp.dc._msdcs.b.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.b.com

DC02.b.com   internet address = 192.168.2.1
DC01.b.com   internet address = 192.168.2.2
dc02.b.com   internet address = 192.168.2.1

Notice how it lists the second DC twice.  But other than that names and IPs are correct.
Mahesh

Still you are not able to build the trust?

what error you are getting?

Ensure that any-any ports are allowed bi-directionally between both source and target DCs.
Ralph Scharping

ASKER
All ports are allowed bi-directionally.
I have not yet changed anything, only looked at the result of the new nslookup-query that I had not yet previously seen.

No, I still cannot build the trust.
The wizard starts by asking my domain, then it takes about 30 sec.
On the next page I have two options:  add a trust to a Kerberos V5-Scope that is not an AD-domain or add a trust to an AD-domain.
This is already odd - it should not be asking this.
I choose Windows-domain, of course.  It asks me the domain name again.
On the next page it says that the domain could not be found.

It has been behaving like this since the very beginning.
Mahesh

can you check domain controller NIC advanced dns config and post here ?

Did you set any DNS search suffix list in a domain-level policy which excludes your own domain?

download PortQueryUI tool from MS and try domain and trusts test for opposite domain controllers and post results here, check if all AD ports are open from output
Ralph Scharping

ASKER
The server is running German language windows - I might not accurately transcribe all terms.

The list of DNS suffixes is empty.  "Add the primary DNS suffix of the connection" is active.  "Add inherited suffixes of the primary DNS suffix" is active.  The field for the DNS suffix for this connection is empty.
"register addresses of this connection in DNS" is active.
"use DNS-suffix of this connection in DNS-registration" is inactive.

While you read this, I will deactivate Windows Firewall on both ends and retry.  I'd be really embarrassed if that's the problem...
Ralph Scharping

ASKER
No change with Windows Firewall deactivated.
Mahesh

DNS
Above, under DNS addresses, it should point only to internal DNS servers (primary and secondary), and there should not be any public DNS entry.

rest of the settings also needs to be same

also have you tried PortQueryUI tool?
Ralph Scharping

ASKER
The screenshot looks identical.

Yes, I have tried PortQuery.  These ports are returned as listening:
135 TCP
53 TCP + UDP
445 TCP
139 TCP

These ports are returned as filtered:
389 UDP + TCP
363 TCP
3268 TCP
3269 TCP
88 TCP + UDP
137 UDP
138 UDP
42 TCP

Most of these ports I have never heard of, but the relevant ports seem to be open.  I'm not so sure about the LDAP port 389 - I guess that one should be open.  My VPN firewall has all ports open, Windows Firewall is disabled on both ends.  Sophos Endpoint Protection is disabled on both ends.
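A combined check of the two prerequisites this thread turns on, the SRV lookup Mahesh describes and the TCP port probe behind the PortQuery results above, written as an added PowerShell example (not code from the thread or any poster). It assumes the built-in DnsClient and NetTCPIP cmdlets; b.com is the placeholder domain name used in the thread, and the port list follows the one posted above.

```powershell
# Added example: verify SRV-based DC discovery and TCP reachability for a remote
# AD domain before running the trust wizard. Uses Resolve-DnsName and
# Test-NetConnection (Windows Server 2012+/Windows 8+).
function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $RemoteDomain,
        # TCP ports from the PortQuery output in the thread that matter for trust setup
        [int[]] $TcpPorts = @(53, 88, 135, 139, 389, 445, 3268, 3269)
    )

    # Step 1: the SRV query Mahesh describes, via Resolve-DnsName instead of nslookup.
    # The local DNS server's conditional forwarder must answer this; if it does not,
    # the trust wizard reports that the domain cannot be found.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No SRV records for $RemoteDomain; check conditional forwarders." }

    # DNS may return the same DC more than once (the thread's output lists DC02 twice,
    # differing only in case); normalise and de-duplicate before probing.
    $dcs = $srv | ForEach-Object { $_.NameTarget.ToLower() } | Sort-Object -Unique

    # Step 2: TCP reachability per DC and port. Test-NetConnection only probes TCP, so
    # UDP 53/88/137/138 (shown as filtered in the thread) still need PortQry or a capture.
    foreach ($dc in $dcs) {
        foreach ($port in $TcpPorts) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                TcpOpen          = $r.TcpTestSucceeded
                RemoteAddress    = $r.RemoteAddress
            }
        }
    }
}

# Example call (placeholder domain from the thread); show only the ports that would block the wizard.
Test-TrustPrerequisites -RemoteDomain 'b.com' | Where-Object { -not $_.TcpOpen } | Format-Table -AutoSize
```

Run it from a DC in each domain against the other domain; an empty table means every listed TCP port is reachable on every DC the SRV records advertise.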
ASKER CERTIFIED SOLUTION
Mahesh

Ralph Scharping

ASKER
Antivirus software on one end had an integrated firewall that was acting up.  That was unexpected - and a bit embarrassing.  Thanks for your help.