Unable to create external trust between two different domains

    Question

  • Hi,

    There is a requirement where we have two domains. Dev.com is the production domain and oim.com is used for development testing. Users in oim.com need to access resources from Dev.com, and Dev.com users must not be able to access resources from OIM.com! The domain controller in OIM.com crashed a few days back, and we had only one domain controller in OIM.com. Hence we re-imaged the DC, promoted the server as a DC again, and were trying to reconfigure the external trust between OIM.com and DEV.com.

    oim.com has only 1 DC - Windows 2012 R2 (functional level - Windows 2008 R2)

    Dev.com has multiple DCs - all Windows 2008 R2 (functional level - Windows Server 2003)

    I have created a one-way outgoing trust from oim.com to dev.com, and when I validate the trust from oim.com the trust validates successfully. But when I validate the trust from dev.com I get the error "Windows cannot find an Active Directory domain controller for oim.com. Verify that an AD DC is available and then try again."

    I am able to ping the domain controllers from both domains in both directions. I have also created a conditional forwarder in oim.com for dev.com and added the respective DNS IPs. Also, on the Dev.com domain controller I have added the DNS IP address of OIM.com in the network properties, and added host records too.

    Also, when I try creating the trust from Dev.com I get only two options (Realm Trust and Trust with a Windows domain), but from oim.com when I create the trust I get all the options, like external trust, type of trust, etc.

    Can anyone suggest how to fix the issue ?


    • Edited by Mcteer Friday, December 30, 2016 5:41 PM
    Friday, December 30, 2016 10:55 AM

All replies

  • Hello,

    "Also in Dev.com Domain Controller I have added the DNS IP address of OIM.com in network properties": Do not add the IP of an 'OIM' DNS server on a 'DEV' domain controller. That won't work unless it's designed that way, and I don't think that's the case.

    "Also added Host records too":

    Adding records for a DNS server belonging to another domain in the 'DEV' forward lookup zone won't work.

    Either use delegation, or simply create a conditional forwarder on the 'DEV' DNS servers for oim.com.

    "Also When I tried creating trust from Dev.com I am getting only two option (Realm Trust and Trust with windows domain)": That is caused by the fact that your domain controller cannot look up and verify 'oim.com'.

    /\


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Friday, December 30, 2016 5:53 PM
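The checks behind Jesper's advice, as an added PowerShell example that is not from the thread: it replaces any locally copied oim.com zone with a conditional forwarder, queries the `_msdcs` SRV records the trust wizard actually uses to locate a DC (a host record for the DC name is not enough), and then asks the DC locator the same question the wizard asks. It needs the DnsServer module and Resolve-DnsName, i.e. Windows Server 2012 or later, so it fits the oim.com DC; the 10.20.0.10 address of the oim.com DNS server is an assumed value, not one given in the thread.

```powershell
# Added example, not from the thread: verify the DNS prerequisites for a trust
# with oim.com from a Windows DNS server / DC and add the conditional forwarder
# Jesper recommends. Requires the DnsServer module (Windows Server 2012+).
# Assumed value (not in the thread): the oim.com DC/DNS server is 10.20.0.10.
$TrustedDomain     = 'oim.com'
$TrustedDnsServers = @('10.20.0.10')

# 1. Host records copied into a local zone do not carry the _msdcs SRV records
#    a trust needs, so oim.com must resolve through a forwarder, not a zone
#    hosted on this server.
$zone = Get-DnsServerZone -Name $TrustedDomain -ErrorAction SilentlyContinue
if ($null -eq $zone) {
    Add-DnsServerConditionalForwarderZone -Name $TrustedDomain `
        -MasterServers $TrustedDnsServers -ReplicationScope 'Forest' -PassThru
}
elseif ($zone.ZoneType -ne 'Forwarder') {
    Write-Warning "'$TrustedDomain' is a local $($zone.ZoneType) zone on this server; remove it and use a conditional forwarder instead."
}

# 2. The trust wizard locates a DC through the _msdcs SRV records, so query
#    those rather than only pinging the DC by name. -DnsOnly bypasses the
#    hosts file and the local cache, so a hosts entry cannot mask a failure.
function Test-TrustDnsPrerequisites {
    param([Parameter(Mandatory)][string]$Domain)
    $queries = @(
        @{ Name = $Domain;                            Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' },
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
    )
    $allResolved = $true
    foreach ($q in $queries) {
        try {
            $answer  = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction Stop
            $targets = ($answer | Where-Object Type -eq $q.Type | ForEach-Object {
                if ($q.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
            }) -join ', '
            Write-Host ("OK   {0,-45} {1}" -f $q.Name, $targets)
        }
        catch {
            $allResolved = $false
            Write-Warning ("FAIL {0} ({1}): {2}" -f $q.Name, $q.Type, $_.Exception.Message)
        }
    }
    return $allResolved
}

if (Test-TrustDnsPrerequisites -Domain $TrustedDomain) {
    # 3. Ask the DC locator the same question the trust wizard asks.
    nltest /dsgetdc:$TrustedDomain /force
}
else {
    Write-Warning "Fix DNS first: the trust wizard will keep reporting that it cannot find a domain controller for $TrustedDomain."
}
```

On the Linux "corporate DNS" that the thread later says dev.com uses, the equivalent of the conditional forwarder is a BIND forward zone, `zone "oim.com" { type forward; forwarders { 10.20.0.10; }; };` in named.conf (same assumed address), and on the 2008 R2 DEV DCs the SRV check is `nslookup -type=SRV _ldap._tcp.dc._msdcs.oim.com` followed by the same nltest call. Note also that the nslookup output later in the thread shows `Address: ::1` and "No response from server": the DEV DC's first configured resolver is its own IPv6 loopback and nothing answered there, so the DC's resolver list has to point at a DNS server that hosts dev.com and forwards oim.com before any forwarder can help.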
  • One problem here is that DEV.com does not use Windows-based DNS, but the OIM.com domain does.

    The oim.com domain and forest functional level is Windows 2008 R2, and the Dev.com domain and forest functional level is Windows Server 2003. Is the functional level a problem for this trust issue?

    Is there any other way we can fix this trust issue from DEV.COM to OIM.COM?



    • Edited by Mcteer Saturday, December 31, 2016 5:23 AM
    Saturday, December 31, 2016 4:53 AM
  • As long as it is at least 2003, it's okay.

    What DNS service do you use, then? You need to be able to ping oim.com from dev.com, otherwise it will never work.



    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Saturday, December 31, 2016 5:25 AM
  • Third party Linux DNS (Corporate DNS).
    Saturday, December 31, 2016 5:43 AM
  • Can you ping oim.com, from dev.com?

    And, what's the result of 'nslookup oim.com'



    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Saturday, December 31, 2016 5:51 AM
  • These are the ping and nslookup results. But when I ping the OIM domain controller from Dev.com, I can ping it without any issue.


    C:\>ping oim.com
    Ping request could not find host oim.com. Please check the name and try again.

    C:\>nslookup
    Default Server:  UnKnown
    Address:  ::1

    > oim.com
    Server:  UnKnown
    Address:  ::1

    *** UnKnown can't find oim.com: No response from server
    >

    Do the functional levels of both domains have to be the same to create a trust?

    • Edited by Mcteer Saturday, December 31, 2016 8:31 AM
    Saturday, December 31, 2016 7:36 AM
  • Fix the DNS issue first.

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Sunday, January 1, 2017 7:55 PM
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate you marking them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, January 6, 2017 8:24 AM
    Moderator