Issue with same name Internal and External domain

  • Question

  • Hi,

    We have an existing Win2003 internal domain abc.com. We are in the process of changing the domain name to xyz.com as well as upgrading it to Win2008R2.

    Let me summarize the steps that we have followed

    1. Installed a Win2008R2 DC in a separate forest and named it xyz.com
    2. Added forwarders for abc.com domain in the xyz.com domain and vice versa
    3. Established a trust between abc.com and xyz.com
    4. Added the administrators from both the forest to the built in administrator group in each domain
    5. Installed ADMT for migration of Groups/Users/Computers

    Following are some of the issues that we are facing

    1. Unable to ping xyz.com domain from a system connected to the abc.com
    2. unable to nslookup the xyz.com domain
    3. Unable to add any user from the xyz.com domain in the local system groups.
    4. Unable to login to the xyz.com

    Some more details

    1. Current abc.com DNS servers have public DNS IPs as forwarders
    2. There is a forward lookup zone "xyz.com" in the DNS servers of abc.com

    Queries:

    1. Do we have to remove the forward lookup zone ?
    2. Do we have to remove the public IP in the DNS forwarders list ?

    Awaiting your reply.

    Thanks,

    Javed

    Friday, March 9, 2012 10:00 AM

Answers

  • I guess your issue is more with the connectivity or a firewall problem, not exactly with the ADMT tool. Make sure the necessary ports are opened on the firewall; defining the connectivity is critical. Regarding the ping, it can be due to security software like antivirus, or ICMP packets being blocked. You can use any other method to set up DNS, like forwarders/conditional forwarders/secondary zone or stub zone. Take a look at the articles below.

    http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

    http://awinish.wordpress.com/2010/12/24/intraforest-interforest-migration/

    Can you ping other domain using IP instead of the DNS hostname? 

    1. Do we have to remove the forward lookup zone?

          Nope, if you have configured it as a forwarder, it should provide name resolution depending on the connectivity.

    2. Do we have to remove the public IP in the DNS forwarders list?

          No, it's not mandatory, as public IPs are used for external domain name resolution.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Elytis Cheng Monday, March 12, 2012 6:05 AM
    • Marked as answer by Elytis Cheng Tuesday, March 20, 2012 7:39 AM
    Friday, March 9, 2012 11:33 AM
  • It seems to be a DNS resolution issue. Check the settings below.

    I would recommend first pointing the DNS settings of both DCs at each other as the alternate DNS setting.

    You can create a conditional forwarder, or create secondary zones on each forest that carry a secondary of the other forest's primary zone. You do that by going into the zone configuration and allowing zone transfer to the other forest's DNS IP; then on the other forest's DNS you create a new zone as "Secondary", pointing it to pull the zone from the first forest's DNS where you just enabled zone transfer. Do the same on the other forest (both should have secondaries of each other's primaries).

    Check the firewall; the necessary ports should be open.

    How to configure a firewall for domains and trusts
    http://support.microsoft.com/kb/179442

    Active Directory Firewall Ports - Let's Try To Make This Simple
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    Ensure that forest trust is created correctly.

    Checklist: Creating a forest trust: Active Directory
    Jan 21, 2005 ... (Optional) Review the various trust types and understand forest trust concepts ... Raise the forest functional level. Create a forest trust. ...
    http://technet.microsoft.com/en-us/library/cc756852(WS.10).aspx

    Create a forest trust: Active Directory, Jan 21, 2005 ...
    To successfully create a forest trust, your environment will need to be set up properly. For more information, see the checklist for...
    http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Elytis Cheng Monday, March 12, 2012 6:05 AM
    • Marked as answer by Elytis Cheng Tuesday, March 20, 2012 7:39 AM
    Friday, March 9, 2012 5:21 PM
  • Thanks guys for all your replies.

    The issue was resolved by:

    1. Removed the forward lookup zone xyz.com from the abc.com DNS servers

    2. Created a conditional forwarder for the xyz.com domain in the abc.com domain

    3. Login issue and user-add issues were resolved by opening AD ports on the firewall


    Thanks

    Javed

    • Edited by JDSH Wednesday, March 21, 2012 10:48 AM
    • Marked as answer by JDSH Wednesday, March 21, 2012 10:50 AM
    Wednesday, March 21, 2012 10:44 AM
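    The fix described above, carried out with the tools available on Windows Server 2003/2008 R2 DNS servers (dnscmd) and verified with nslookup and PortQry. This is an added example, not a script from the thread; the server names, the xyz.com DC address and the choice of ports to probe are assumptions.

    ```powershell
    # Added example: replace the stale "xyz.com" zone on the abc.com DNS servers with a
    # conditional forwarder, then verify resolution and AD port reachability.
    # Assumptions (placeholders): abc.com DNS server names, the xyz.com DC address,
    # and whether the stale zone was AD-integrated. Run from an elevated prompt as a DNS admin.
    $AbcDnsServers = @('dns1.abc.com', 'dns2.abc.com')   # assumption: abc.com DNS servers
    $XyzDcIp       = '192.0.2.10'                         # assumption: documentation-range IP of a xyz.com DC
    $ZoneIsAdIntegrated = $false                          # assumption; set $true if the zone lived in AD

    foreach ($srv in $AbcDnsServers) {
        # 1. Remove the stale forward lookup zone. While it exists, abc.com servers answer
        #    authoritatively (and wrongly) for xyz.com and never forward the query anywhere.
        #    An AD-integrated zone is deleted from the directory once with /DsDel; a standard
        #    primary has to be removed on every server that hosts it.
        if ($ZoneIsAdIntegrated) {
            & dnscmd $srv /ZoneDelete xyz.com /DsDel /f
            break
        }
        & dnscmd $srv /ZoneDelete xyz.com /f

        # 2. Create a conditional forwarder for xyz.com pointing at the xyz.com DC.
        #    The server-level forwarders (the ISP addresses) stay in place for Internet names;
        #    a conditional forwarder is consulted only for the xyz.com namespace.
        & dnscmd $srv /ZoneAdd xyz.com /Forwarder $XyzDcIp
    }

    # 3. Verify: the DC locator SRV record for xyz.com must resolve through abc.com DNS.
    #    Trust validation and logons to xyz.com need this record, not just a ping reply.
    nslookup -type=SRV _ldap._tcp.dc._msdcs.xyz.com $AbcDnsServers[0]

    # 4. Verify the AD ports from an abc.com member to the xyz.com DC with PortQry
    #    (linked in the thread): Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS
    #    and global catalog. The dynamic RPC range handed out by port 135 must be open too.
    portqry -n $XyzDcIp -p TCP -o 88,135,389,445,464,636,3268,3269
    portqry -n $XyzDcIp -p UDP -o 53,88,389
    ```

    A "FILTERED" result from PortQry on any of these ports points at the firewall rather than at DNS or the trust.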

All replies

  • Hi,

    Did you configure the conditional forwarder for intersite migration?  Also ensure the required ports are open on firewall.

    http://robiulislam.wordpress.com/2011/09/26/inter-forest-migration/


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Proposed as answer by Patris_70 Friday, March 9, 2012 11:34 AM
    • Edited by Abhijit Waikar Friday, March 9, 2012 4:38 PM
    Friday, March 9, 2012 10:23 AM
  • 1. You have to remove the zone xyz.com  from abc.com DNS

    2. there is no problem to keep the forwarder to ISP IP

    3. Please check you have sufficient communication opened between both xyz.com & abc.com


    Sajeed AM

    Friday, March 9, 2012 10:28 AM
  • Seems there is an issue with the trust relationship.

    Did you verify the trust between the forests?

    Please find the article below to understand this better.

    http://www.informit.com/articles/article.aspx?p=680305&seqNum=5

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 9, 2012 10:47 AM
  • Hello,

    Agree with Abhijit. You need to configure Conditional Forwarding.

    Please read these articles:

    Windows Server 2008 or 2008 R2:

    How to Configure Conditional Forwarders in Windows Server 2008

    Windows Server 2003 (read section: How to Configure Conditional Forwarding)

    DNS Conditional Forwarding in Windows Server 2003

    Regards

    Friday, March 9, 2012 11:21 AM
  • Your title of this question is a little confusing: "Issue with same name Internal and External domain". FYI, you can have the same internal and external name. However, you need to maintain a split-brain DNS structure.

    Did you already establish the trust? Or that was just an assumption?  If you don’t have proper name resolution, you won’t be able to establish the trust.

    Do you have any firewall between these 2 domains? As Awinish pointed out, you need to make sure all RPC ports are open. If needed, you can use the PortQry tool to verify this - http://www.microsoft.com/download/en/details.aspx?id=24009


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.

    Friday, March 9, 2012 4:25 PM