1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Domain Trusts

Discussion in 'Networks' started by Slam, May 12, 2007.

  1. Slam

    Slam Bit Poster

    37
    0
    2
    Hi guys,

    I'm trying to fix a domain trust that wasn't setup properly, from what I've gathered I have to create a secondary zone on each DNS server that points to the trusted domain.

    Only problems is that each domain uses the same DNS server which resides in the first domain, I have absolutely no idea if it is adviseable to have such a configuration? Probably not is my guess.

    Any help would be greatly appreciated.

    Cheers
    S
     
  2. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Slam,

    What kind of domain environment(s) are you referring to?
    1. Windows NT 4.0?
    2. Windows 2000?
    3. Windows 2003?
    4. Other?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  3. Slam

    Slam Bit Poster

    37
    0
    2
    Windows 2000 domain, DC with DNS, Windows 2003 domain using DNS on the 2000 DC - I never set it up.
     
  4. onoski

    onoski Terabyte Poster

    3,120
    51
    154
    Hi Slam, judging from your reply it is not quite clear if your want to implement the trust on each of your Domain. Please, provide some more info and we might be able to nailed it:biggrin
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  5. Slam

    Slam Bit Poster

    37
    0
    2
    Hi,

    Sorry guys, relatively new to this so I'll try my best to be a bit more clear.

    There is a two-way trust in place already, although when I try to validate the trust from the Windows 2000 domain I get an error message - rpc service unavailable. I've checked Microsofts website and the fix is to setup a secondary DNS zone for the trusted domain, but because the trusted domain is using the same DNS server as the trusting domain there is already a primary DNS zone setup for the trusted domain.

    At the present time, we can't give access to local resources on one domain to users from the other domain. When I try to add a user in from the other domain, I simply don't have access to the domain in the access control list of a shared folder/printer etc. Security groups are universal to.

    I hope I've explained it a bit better?
     
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    I take it the RPC Windows service is actually running though? :blink

    Also does DNS work ok? For example can you ping a host on the other domain (by name) and it responds ok? It looks like you are trying to troubleshoot name resolution which may be causing some problems with the domain trust.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. Slam

    Slam Bit Poster

    37
    0
    2
    DNS does work, I can use nslookup and get the appropriate response. The error message I get relating to the RPC service had an answer on Microsoft's site, stating that a secondary DNS zone should be setup pointing to the trusted domain. But the most confusing part for me is that both domains are using the same DNS server, so on the same DNS server can I have a primary and secondary zone pointing to the same namespace? Or should I install the DNS service on the other domain's DC and remove the primary zone for that domain from the other domain's DNS server? (lol, so confusing)

    So basically I guess the first question should be, should each domain have its own DNS server?
     
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    nslookup will work for name resolution on one domain and then forwarders or root hints will take care of the external name resolution.

    Can you ping a PC on the *other* domain though? 8) This is what the suggested fix is trying to resolve. Basically you are configuring a zone trasfer so you can resolve PC names etc on the other domain.

    It looks like you will have the primary and secondary zone for the same domain on the same *physical* DNS server. Not sure if that will work to be honest! :biggrin

    Edit: can you not have DNS installed on each individual DC and therefore you can create the zones as needed?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. Slam

    Slam Bit Poster

    37
    0
    2
    Hi Sparky,

    I can ping any machine from either side of the domain, nslookup works from both sides to.

    Unfortunately, I don't have a great deal of knowledge when it comes to DNS - learning quickly though.

    The windows 2003 domain validates the windows 2000 domain with no errors, its only when I try to validate the 2003 domain from the windows 200 domain I get this particular error.

    So should I setup DNS on the windows 2003 domain? Then create secondary zones for both dns servers pointing to the opposite domain? Then create a root hint in the secondary zones pointing to the DNS server of the other domain?

    The problem is I'm new to this and I don't want to make the situation worse, so looking for some clear cut instructions.

    Thanks for responses
     
  10. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Hmmm, has the trust ever worked?

    Also if DNS is not installed on the DCs I take it you have two zones on the DNS server?

    Dont reconfigure the DNS just yet! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  11. Slam

    Slam Bit Poster

    37
    0
    2
    It has never worked properly and there is two zones on the one DNS server -one primary zone for each domain.
     
  12. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Do you know why it was setup this way? :blink

    Edit: On the DCs what IP address is used (in the LAN settings) for DNS?

    Edit: I tried to add a secondary zone on my DNS server (which hosts the primary zone) but it didnt work. Got a error message that said that the zone already exists.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  13. Slam

    Slam Bit Poster

    37
    0
    2
    To be honest mate, I have absolutely no idea why it was setup that way. I think the person before me didn't put much research into it.

    The 2003 domain's DC has its IP settings pointing to the DNS server on the 2000 domain.

    So I'm going to install DNS on the 2003 domain, delete the 2003 zone from the other DNS server then create secondary zones on each DNS server. I think thats the way to go?

    At least I now know you can't have a primary and secondary zone pointing to the same domain - cheers Sparky.
     
  14. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Be careful what you are doing with the DNS zones, remember they will have all the srv records for Acrive Directory.

    As for creating secondary zones they have to be populated from a primary zone.

    If you install DNS on the Windows 2003 server you can then configure a secondary zone. On the 2k DNS server configure the primary zone (in the zone transfers tab) to replicate to the Windows 2003 server (just put in the I.P).

    AD in Windows DNS link:
    http://www.petri.co.il/active_directory_srv_records.htm
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  15. Slam

    Slam Bit Poster

    37
    0
    2
    Hello,

    Quick update, DNS is now configured properly. DNS was setup in the other domain afterall. So I deleted the Primary zone from the other domain, added in a secondary and pointed it to the the REAL primary. Now I can validate the trust from both sides with success.

    I'm still confused though, I can give access to resources from one domain to the other but I can't make users from one domain members of a universal group located on the other domain. I'm now thinking its not suppose to be setup that way?
     
  16. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Not an expert with trusts but do you not have to configure a two way trust?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  17. Slam

    Slam Bit Poster

    37
    0
    2
    I went through the wizard on the 2003 DC, I did select a two way trust. I'm now thinking its by design that you can't have outside users nested in universal groups on the opposite domain. Hopefully I'm wrong but I can't find any options anywhere for it.
     
  18. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Can you create a universal group and have one user from each domain in it?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  19. Slam

    Slam Bit Poster

    37
    0
    2
    I can create a universal group, when I attempt to add a user from domain B into domains it can't find the other domain.

    Although it finds the other domain if I goto delegate control of AD and I can add users in that way.
     
  20. Slam

    Slam Bit Poster

    37
    0
    2
    I might be wrong but it looks like you can't nest users from Domain A straight into universal groups located on Domain B. At least I know everything is working the way it should now - I hope.

    Thanks for all the help, cheers.
     

Share This Page

Loading...