Domains (Forests) trust problem
-
Thursday, September 24, 2009 4:55 PM
Hi,
we have two forests, a.domain.com and b.domain.com where:
- a.domain.com is in LAN, 2 DC: S2T30 (pdc - WS2008 SP1) and S2T01 (WS2008 R2), both running DNS (192.168.0.0/24)
- b.domain.com is in DMZ, 1 DC: DMZ2T01 (WS2008 R2), of course running DNS (192.168.10.0/24)
- domain.com parent domain does not exist
- a rule on the firewall allows traffic between DMZ2T01 and S2T01 servers
We wanted to configure a unidirectional trust, having DMZ2T01 trusting S2T01.
The problem is: by cross-setting DNS IPs in the servers' NIC settings I can resolve machine names of each network, but I can't resolve domain names! So from b.domain.com I can't ping a.domain.com and vice versa, but machine.b.domain.com can ping machine.a.domain.com.
I also tried cross-setting forwarders in DNS, but when I try to do it Windows says they're not authoritative (they are authoritative!)
Questions:
is there a way to let the two forests see each other to configure trust?
is there a way to let the two forests understand that, even if the parent domain.com does not exist, they're part of the same thing?
what am I doing wrong?
Thanx a lot
All Replies
-
Thursday, September 24, 2009 5:08 PM
The prerequisite of the trust is cross-domain name resolution. Start by ensuring that all necessary ports are open on the firewall by following http://support.microsoft.com/kb/179442
Next, use either conditional forwarders, stub or secondary zones to provide DNS name resolution between domains.
You should be able to create external trust between domains - forest trust is not an option...
hth
Marcin
-
Thursday, September 24, 2009 5:30 PM
The traffic between DMZ2T01 and S2T01 is completely open, so the firewall is not blocking it.
I tried using conditional forwarders, but on both sides I get an error saying that the other DNS is not authoritative... but they are.
could you give me any example about how to try with stub or secondary zones? I have no idea..
another thing: is configuring each server's NIC DNS settings to point to itself as primary and the other as secondary right?
I mean DMZ2T01 NIC DNS set as itself + S2T01, and S2T01 having itself + DMZ2T01,
or, if the DNS service is configured right, is this not necessary and every server points to itself only?
-
Thursday, September 24, 2009 5:46 PM
Refer to http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx
Are you creating forwarders to the target domain (rather than to the target forest)?
Btw. these are two domains in separate forests - correct? Is this related to an earlier post where the parent domain got deleted?
hth
Marcin
-
Thursday, September 24, 2009 5:49 PM
Yes, they are two domains in separate forests,
no, it's not related to any deletion :)
I only have to understand how to set conditional forwarders..
I go into the DNS settings on a server, I type the other server's IP, and an error appears: the server is not authoritative for this zone (or something like that).
The same happens on the other server.
-
Friday, September 25, 2009 12:30 AM
Launch nslookup on a DC in a.domain.com and point to a DNS server hosting the b.domain.com zone (server IP_address command). Next, query b.domain.com and verify if you are getting correct responses.
If so, ignore the error message you are referring to (the one about the non-authoritative server) when configuring the conditional forwarder in a.domain.com.
Perform the same procedure in b.domain.com
hth
Marcin
-
Marked as answer by Bruce-Liu (Moderator), Friday, October 02, 2009 9:11 AM
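The procedure in the accepted answer (query the other forest's DNS server directly, then add the conditional forwarder despite the wizard's "not authoritative" message), written out as an added PowerShell example. This is not code from the thread; it uses the WS2008-era tools nslookup and dnscmd, and it also shows the stub-zone alternative from the first reply. The remote server address is a placeholder, not a value from the thread; the zone name and the `_ldap._tcp.dc._msdcs` SRV record are standard Active Directory DNS names.

```powershell
# Added example, not code from the thread. Run in an elevated prompt on the DC
# that should forward queries for the OTHER forest, e.g. on S2T01 for
# b.domain.com, and then the mirror image on DMZ2T01 for a.domain.com.
# $RemoteDns is an assumed placeholder; the thread gives only the subnets.
param(
    [string]$RemoteZone = 'b.domain.com',   # zone hosted by the other forest
    [string]$RemoteDns  = '192.168.10.10'   # placeholder for DMZ2T01's address
)

# Step 1: query the remote DNS server directly, bypassing local resolution.
# Same check as "nslookup" followed by "server <ip>" in the answer above.
function Test-RemoteZone {
    param([string]$Zone, [string]$Server)
    # The SOA proves the server hosts the zone; the _msdcs SRV record is what
    # the trust wizard and the DC locator look for, so check both.
    $soa = nslookup -type=SOA $Zone $Server 2>&1 | Out-String
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone" $Server 2>&1 | Out-String
    return ($soa -match 'primary name server') -and ($srv -match 'svr hostname')
}

if (-not (Test-RemoteZone -Zone $RemoteZone -Server $RemoteDns)) {
    Write-Warning "$RemoteDns does not answer for $RemoteZone. Fix DNS (UDP and TCP 53) between the two DCs first; a forwarder to a server that cannot answer only hides the problem."
    return
}
Write-Host "OK: $RemoteDns answers for $RemoteZone; the wizard's 'not authoritative' message can be ignored."

# Step 2: create the conditional forwarder on the local DNS server.
# Only queries for $RemoteZone go to $RemoteDns; every other name is resolved
# as before, so the DMZ server never becomes a general resolver for the LAN
# (and vice versa), which keeps the firewall rule to the two DCs sufficient.
dnscmd /ZoneAdd $RemoteZone /Forwarder $RemoteDns
# Stub-zone alternative (the other option mentioned in the first reply):
#   dnscmd /ZoneAdd $RemoteZone /Stub $RemoteDns
# Windows Server 2012 and later equivalent:
#   Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns

# Step 3: confirm the LOCAL server now resolves the other forest's domain name,
# which is what "ping b.domain.com" from a.domain.com needs, plus the DC SRV
# record that the trust creation will look up.
nslookup $RemoteZone 127.0.0.1
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteZone" 127.0.0.1
```

Run it on each DC with the other forest's zone and server, then create the external trust. This also answers the NIC question raised earlier in the thread: each DC's NIC should point only to DNS servers in its own domain (itself and the other DC), and cross-forest resolution comes from the conditional forwarder, not from listing the other forest's DC as a secondary DNS server on the NIC.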

