Domain Trusts

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi guys,

I'm trying to fix a domain trust that wasn't setup properly, from what I've gathered I have to create a secondary zone on each DNS server that points to the trusted domain.

Only problems is that each domain uses the same DNS server which resides in the first domain, I have absolutely no idea if it is adviseable to have such a configuration? Probably not is my guess.

Any help would be greatly appreciated.

Cheers
S

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Slam,

What kind of domain environment(s) are you referring to?

1. Windows NT 4.0?
2. Windows 2000?
3. Windows 2003?
4. Other?

 

Windows 2000 domain, DC with DNS, Windows 2003 domain using DNS on the 2000 DC - I never set it up.

 

Hi Slam, judging from your reply it is not quite clear if your want to implement the trust on each of your Domain. Please, provide some more info and we might be able to nailed it

 

Hi,

Sorry guys, relatively new to this so I'll try my best to be a bit more clear.

There is a two-way trust in place already, although when I try to validate the trust from the Windows 2000 domain I get an error message - rpc service unavailable. I've checked Microsofts website and the fix is to setup a secondary DNS zone for the trusted domain, but because the trusted domain is using the same DNS server as the trusting domain there is already a primary DNS zone setup for the trusted domain.

At the present time, we can't give access to local resources on one domain to users from the other domain. When I try to add a user in from the other domain, I simply don't have access to the domain in the access control list of a shared folder/printer etc. Security groups are universal to.

I hope I've explained it a bit better?

 

DNS does work, I can use nslookup and get the appropriate response. The error message I get relating to the RPC service had an answer on Microsoft's site, stating that a secondary DNS zone should be setup pointing to the trusted domain. But the most confusing part for me is that both domains are using the same DNS server, so on the same DNS server can I have a primary and secondary zone pointing to the same namespace? Or should I install the DNS service on the other domain's DC and remove the primary zone for that domain from the other domain's DNS server? (lol, so confusing)

So basically I guess the first question should be, should each domain have its own DNS server?

 

Hi Sparky,

I can ping any machine from either side of the domain, nslookup works from both sides to.

Unfortunately, I don't have a great deal of knowledge when it comes to DNS - learning quickly though.

The windows 2003 domain validates the windows 2000 domain with no errors, its only when I try to validate the 2003 domain from the windows 200 domain I get this particular error.

So should I setup DNS on the windows 2003 domain? Then create secondary zones for both dns servers pointing to the opposite domain? Then create a root hint in the secondary zones pointing to the DNS server of the other domain?

The problem is I'm new to this and I don't want to make the situation worse, so looking for some clear cut instructions.

Thanks for responses

 

It has never worked properly and there is two zones on the one DNS server -one primary zone for each domain.

 

To be honest mate, I have absolutely no idea why it was setup that way. I think the person before me didn't put much research into it.

The 2003 domain's DC has its IP settings pointing to the DNS server on the 2000 domain.

So I'm going to install DNS on the 2003 domain, delete the 2003 zone from the other DNS server then create secondary zones on each DNS server. I think thats the way to go?

At least I now know you can't have a primary and secondary zone pointing to the same domain - cheers Sparky.

 

Hello,

Quick update, DNS is now configured properly. DNS was setup in the other domain afterall. So I deleted the Primary zone from the other domain, added in a secondary and pointed it to the the REAL primary. Now I can validate the trust from both sides with success.

I'm still confused though, I can give access to resources from one domain to the other but I can't make users from one domain members of a universal group located on the other domain. I'm now thinking its not suppose to be setup that way?

 

I went through the wizard on the 2003 DC, I did select a two way trust. I'm now thinking its by design that you can't have outside users nested in universal groups on the opposite domain. Hopefully I'm wrong but I can't find any options anywhere for it.

 

I can create a universal group, when I attempt to add a user from domain B into domains it can't find the other domain.

Although it finds the other domain if I goto delegate control of AD and I can add users in that way.

 

I might be wrong but it looks like you can't nest users from Domain A straight into universal groups located on Domain B. At least I know everything is working the way it should now - I hope.

Thanks for all the help, cheers.