Ralph Scharping
asked on
Adding an Active Directory trust
Hi,
I'm trying to create a two-way domain trust between two ad domains. The two networks are linked via VPN. Firewall is open.
Each domain has two DCs. One has 2008 R2 + 2016 with domain and forest functional level at 2008 R2.
The other has 2x 2016 with domain and forest functional level also at 2008 R2.
I have added DNS domains in reciprocal DNS first as a secondary domain, then as a conditional forwarding domain. I added both forward and reverse lookup. NSlookup-queries are answered fine. nslookup -q=ns domain2.local produces the expected results.
When I try to add the trust, the message says that the domain could not be found. This happens in the command line and in the wizard on both ends the same way. There are no relevant events in the event log.
One of the two domains (the one with the 2008R2+2016 DC) already has a trust to another domain in place. I added that trust back in 2016 and it was a very simple process that succeeded on the first try.
What am I missing?
Thanks,
Ralph
ASKER
Hi Ibrahim,
thanks for your reply. I am not sure I understand the difference. The domains should be able to access each other. Adding the trust does not work either way.
Yes, the DCs are able to ping each other both by name and by address.
I have added DNS domains in reciprocal DNS first as a secondary domain, then as a conditional forwarding domain. I added both forward and reverse lookup.
what do you mean by secondary domain?
All you need is *only* conditional forwarder between both domains pointing to each other
Ex:
A.com and B.com
A.com should have conditional forwarder pointing to B.com with B.com DNS servers IP address
Similarly, B.com should have conditional forwarder pointing to A.com with A.com DNS servers IP address
As long as srv query to opposite domain is resolving you can resolve dns and you can build trust
In each domain DNS server type:
nslookup
_ldap._tcp.dc._msdcs.Domain.com
you should get answer
ASKER
Hi Mahesh,
thanks for your reply.
By secondary domain I mean that I first tried to add the B.com domain as a secondary domain in the DNS of a.com.
After that did not work, I removed the secondary domain and added the conditional forwarding as you described.
nslookup reply looks like this:
C:\Windows\system>nslookup _ldap._tcp.dc._msdcs.b.com
Server: dc.a.com
Address: 192.168.1.1
Name: _ldap._tcp.dc._msdcs.b.com
That is all - no other information is given.
remove all secondary domains and just use conditional forwarders and then try nslookup query from cmd
nslookup <enter>
_ldap._tcp.dc._msdcs.Domain.com <Enter>
If you get proper response in srv lookup, your name resolution is working and then you can build trust
ASKER
I HAVE already removed all secondary domains. Even before adding conditional forwarders I had removed them. And I rebooted all servers. And I refreshed all zones and emptied all caches.
What is the proper response that I should be receiving? Is the response I posted not proper? I get the same thing when I ask this question within my domain...
check query output from below article, it should match
https://support.microsoft.com/en-in/help/816587/how-to-verify-that-srv-dns-records-have-been-created-for-a-domain-cont
I believe you missed step "set type=all" in nslookup prompt
ASKER
It does match. Only thing I notice: it lists three DCs like this:
_ldap._tcp.dc._msdcs.b.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC02.b.com
_ldap._tcp.dc._msdcs.b.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC01.b.com
_ldap._tcp.dc._msdcs.b.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc02.b.com
DC02.b.com internet address = 192.168.2.1
DC01.b.com internet address = 192.168.2.2
dc02.b.com internet address = 192.168.2.1
Notice how it lists the second DC twice. But other than that names and IPs are correct.
Are you still not able to build the trust?
What error are you getting?
Ensure that any-any ports are allowed bi-directionally between both source and target DCs.
ASKER
All ports are allowed bi-directionally.
I have not yet changed anything, only looked at the result of the new nslookup-query that I had not yet previously seen.
No, I still cannot build the trust.
The wizard starts by asking my domain, then it takes about 30sec.
On the next page I have two options: add a trust to a Kerberos V5-Scope that is not an AD-domain or add a trust to an AD-domain.
This is already odd - it should not be asking this.
I choose Windows-domain, of course. It asks me the domain name again.
On the next page it says that the domain could not be found.
It has been behaving like this since the very beginning.
can you check domain controller NIC advanced dns config and post here ?
Did you set any DNS search suffix list in a domain-level policy which excludes your own domain?
download PortQueryUI tool from MS and try domain and trusts test for opposite domain controllers and post results here, check if all AD ports are open from output
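The two checks suggested in this thread (the SRV lookup for the partner's DC locator record, and the port test PortQueryUI performs) can be combined in one PowerShell script. This is an added example, not code posted by anyone in the thread; it assumes it is run on one of the 2016 DCs (Resolve-DnsName and Test-NetConnection are not available on 2008 R2), and the domain name is a constructed placeholder.

```powershell
# Added example: validate trust prerequisites from a DC in domain A before retrying the wizard.
# $PartnerDomain is a constructed placeholder for the trust partner (e.g. b.com in the thread).
param(
    [string]$PartnerDomain = 'b.com'
)

# 1. SRV lookup for the partner's DC locator record. This is the same query the replies
#    above recommend; nslookup only shows it after "set type=all" because its default is A.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV records for $PartnerDomain - the conditional forwarder is not answering."
    return
}
# A DC can register the record more than once (the thread shows dc02 listed twice); dedupe by host.
$dcs = $srv | Select-Object -ExpandProperty NameTarget -Unique
"DCs found for ${PartnerDomain}: $($dcs -join ', ')"

# 2. TCP ports a trust setup depends on: Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, GC.
#    PortQuery reported 389/88/3268/3269 as filtered in the thread; this shows the same thing.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC EPM'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'GC' }
foreach ($dc in $dcs) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-20} {1,5} {2,-8} {3}' -f $dc, $p, $ports[$p], $(if ($ok) { 'open' } else { 'FILTERED' })
    }
}
```

Any port reported as FILTERED from a DC in domain A toward a DC in domain B (and the reverse run from B) is something between the two, such as a host firewall or endpoint protection, dropping traffic even when the VPN firewall is open.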
ASKER
The server is running German language windows - I might not accurately transcribe all terms.
The list of DNS-suffixes is empty. "add the primary DNS-suffix of the connection" is active. "Add inherited-suffixes of the primary DNS-suffix" is active. The field for DNS-suffix for this connection is empty.
"register addresses of this connection in DNS" is active.
"use DNS-suffix of this connection in DNS-registration" is inactive.
While you read this, I will deactivate windows firewall on both ends and retry. I'd be really embarrassed if that's the problem...
ASKER
No change with deactivated windows firewall.
ASKER
The screenshot looks identical.
Yes, I have tried PortQuery. These ports are returned as listening:
135 TCP
53 TCP + UDP
445 TCP
139 TCP
These ports are returned as filtered:
389 UDP + TCP
363 TCP
3268 TCP
3269 TCP
88 TCP + UDP
137 UDP
138 UDP
42 TCP
Most of these ports I have never heard of, but the relevant ports seem to be open. I'm not so sure about the LDAP port 389 - I guess that one should be open. My VPN-firewall has all ports open, windows-firewall is disabled on both ends. Sophos Endpoint Protection is disabled on both ends.
ASKER
Antivirus software on one end had an integrated firewall that was acting up. That was unexpected - and a bit embarrassing. Thanks for your help.
Are you able to ping the domain controllers in both directions?