Answered Domains (Forests) trust problem

  • Thursday, September 24, 2009 4:55 PM
    Hi,

    we have two forests, a.domain.com and b.domain.com where:
    - a.domain.com is in LAN, 2 DC: S2T30 (pdc - WS2008 SP1) and S2T01 (WS2008 R2), both running DNS (192.168.0.0/24)
    - b.domain.com is in DMZ, 1 DC: DMZ2T01 (WS2008 R2), of course running DNS (192.168.10.0/24)
    - domain.com parent domain does not exist
    - a rule on the firewall allows traffic between DMZ2T01 and S2T01 servers

    We wanted to configure a unidirectional trust, having DMZ2T01 trusting S2T01.
    The problem is: cross-setting DNS IPs in the servers' NIC settings, I can resolve machine names of each network, but I can't resolve domain names! So from b.domain.com I can't ping a.domain.com and vice versa, but machine.b.domain.com can ping machine.a.domain.com.

    I also tried cross-setting forwarders in DNS, but when I try to do it Windows says they're not authoritative (they are authoritative!)

    Questions:
    Is there a way to let the two forests see each other to configure the trust?
    Is there a way to let the two forests understand that even if the parent domain.com does not exist, they're part of the same thing?
    What am I doing wrong?

    Thanks a lot


All Replies

  • Thursday, September 24, 2009 5:08 PM

    The prerequisite of the trust is cross-domain name resolution. Start by ensuring that all necessary ports are open on the firewall by following http://support.microsoft.com/kb/179442
    Next, use either conditional forwarders, stub or secondary zones to provide DNS name resolution between domains.
    You should be able to create external trust between domains - forest trust is not an option...

    hth
    Marcin

  • Thursday, September 24, 2009 5:30 PM
    The traffic between DMZ2T01 and S2T01 is completely open, so firewall is not blocking it.
    I tried using conditional forwarders, but on both sides I get an error saying that the other DNS is not authoritative.. but they are..

    could you give me any example about how to try with stub or secondary zones? I have no idea..

    Another thing: is configuring each server's NIC DNS settings to point to itself as primary and the other as secondary right?
    I mean DMZ2T01 NIC DNS set as itself+S2T01 and S2T01 having itself+DMZ2T01,
    or if the DNS service is configured right this is not necessary, and every one points to itself only?

  • Thursday, September 24, 2009 5:46 PM
    Refer to http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

    Are you creating forwarders to the target domain (rather than to the target forest)? 
    Btw. these are two domains in separate forests - correct? Is this related to an earlier post where the parent domain got deleted?

    hth
    Marcin

  • Thursday, September 24, 2009 5:49 PM
    Yes, they are two domains in separate forests,
    no, it's not related to any deletion :)

    I only have to understand how to set conditional forwarders..
    I go into DNS settings on a server, I type the other server's IP and an error appears: the server is not authoritative for this zone (or something like that).
    The same happens on the other server..

  • Friday, September 25, 2009 12:30 AM
     Answered
    Launch nslookup on a DC in a.domain.com and point to a DNS server hosting the b.domain.com zone (server IP_address command). Next, query b.domain.com and verify if you are getting correct responses.
    If so, ignore the error message you are referring to (the one about the non-authoritative server) when configuring the conditional forwarder in a.domain.com.

    Perform the same procedure in b.domain.com

    hth
    Marcin
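Marcin's verify-then-forward procedure, written out as an added PowerShell example that is not part of the thread. It assumes a placeholder address for DMZ2T01 (the thread gives only the 192.168.10.0/24 subnet) and the DnsServer module (Windows Server 2012 or later); the dnscmd equivalent for the Windows Server 2008 machines in the thread is given in the comments, and the same script is run again on DMZ2T01 with the zone and address swapped.

```powershell
# Added example, run on S2T01 in a.domain.com. Queries DMZ2T01 directly for the
# b.domain.com zone (what "server <ip>" then "b.domain.com" does in nslookup),
# and only adds the conditional forwarder when those answers come back.
$RemoteZone  = 'b.domain.com'
$RemoteDnsIp = '192.168.10.10'   # placeholder for DMZ2T01; not given in the thread

# A trust needs more than the zone's A record: the domain controller locator
# SRV records under _msdcs must also resolve across the firewall.
$checks = @(
    @{ Name = $RemoteZone;                            Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$RemoteZone";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$RemoteZone"; Type = 'SRV' }
)

$allGood = $true
foreach ($c in $checks) {
    try {
        # -DnsOnly skips the local cache and LLMNR/NetBIOS, so the answer
        # really comes from the remote server named in -Server.
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $RemoteDnsIp -DnsOnly -ErrorAction Stop
        $answer = if ($c.Type -eq 'A') { $r.IPAddress } else { $r.NameTarget }
        Write-Host ('OK   {0,-45} -> {1}' -f $c.Name, ($answer -join ', '))
    } catch {
        Write-Warning ('FAIL {0}: {1}' -f $c.Name, $_.Exception.Message)
        $allGood = $false
    }
}

if ($allGood) {
    # The remote server answers for the zone, so per Marcin's reply the
    # console's "not authoritative" message can be ignored; create the
    # forwarder from the command line instead of the wizard.
    if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDnsIp -PassThru
        # Windows Server 2008 equivalent (no DnsServer module):
        #   dnscmd /ZoneAdd b.domain.com /Forwarder 192.168.10.10
    }
    # Confirm the local server now resolves the remote forest through the forwarder.
    Resolve-DnsName -Name $RemoteZone -Server 127.0.0.1 -DnsOnly
} else {
    Write-Warning 'Remote zone does not resolve; check DNS (53/tcp and 53/udp) through the firewall before adding the forwarder.'
}
```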