Is PDC to PDC communication REQUIRED for the establishment of an active directory external trust?

  • Question

  • The company I work for needs to set up an external active directory trust with a new business partner. Since the forests reside across the ocean we are going to co-locate two domain controllers at each other's data centers. Traffic will be restricted between the forests to just resources that require access to each other (this is still being defined). Minimized versions of each other's DNS zones that contain appropriate service records will also be co-located. The external trust setup concept that their active directory consultants worked up does not include PDC to PDC communication and shows that our PDC will be able to establish the trust with their domain controllers in our data center that we (our PDC) can fully route to.

    From my experience I thought that PDC to PDC communication is required to create an external trust. Can anyone confirm this one way or another?

    Monday, October 26, 2009 3:27 PM

All replies

  • It's important to have the PDC communication to create an external trust. When establishing an External Trust with an NT 4 domain, the PDC emulator is always used to create the necessary objects in the directory.


    http://technetfaqs.wordpress.com
    Monday, October 26, 2009 5:10 PM
  • Hi,

    As far as my understanding goes, the PDC should be contactable while creating the Trust Relationships. It is not compulsory to create a Trust from the PDC only. We should not get any issues even if we are creating Trusts from a normal Domain Controller, provided communication with the PDC is proper. The PDC would be required to create related Objects in AD (TDO Objects).

    Trusts are always created between Forests or Domains and not Domain Controllers.

    You may visit following Links to get more info on the same --

    How Domain and Forest Trust works --  http://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx
    Understanding Trusts --  http://technet.microsoft.com/en-us/library/cc736874(WS.10).aspx
    Managing Trusts -- http://technet.microsoft.com/en-us/library/bb727050.aspx

    Revert back if you have any issues.

    Thanks,
    Nitin
    Monday, October 26, 2009 6:47 PM
  • Chris - as far as I understand, you do not need direct connectivity between PDC Emulators in respective domains in order to establish an external trust relationship between them. However, you should keep in mind that if the visibility between the two domains is limited, you should adjust accordingly DNS zones representing the domain on the "other" side of the trust - to eliminate DNS records representing servers which are not reachable from the local domain...

    hth
    Marcin
    Monday, October 26, 2009 7:20 PM
  • Hello Marcin,

    Don't you think that when establishing an External Trust with an NT 4 domain, the PDC emulator is always used to create the necessary objects in the directory??
    http://technetfaqs.wordpress.com
    Monday, October 26, 2009 7:39 PM
  • Syed,
    what objects are you referring to?

    cheers,
    Marcin
    Monday, October 26, 2009 8:51 PM
  • The company I work for needs to set up an external active directory trust with a new business partner. Since the forests reside across the ocean we are going to co-locate two domain controllers at each other's data centers. Traffic will be restricted between the forests to just resources that require access to each other (this is still being defined). Minimized versions of each other's DNS zones that contain appropriate service records will also be co-located. The external trust setup concept that their active directory consultants worked up does not include PDC to PDC communication and shows that our PDC will be able to establish the trust with their domain controllers in our data center that we (our PDC) can fully route to.

    From my experience I thought that PDC to PDC communication is required to create an external trust. Can anyone confirm this one way or another?


    External trusts are special :P
    You should have the PDCe for each end available as mentioned. The PDCe should also be available when you have the need to perform a trust reset.
    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    Monday, October 26, 2009 9:24 PM
  • Hi,

    Marcin, Syed is talking about TDO Objects.

    Syed, for those Objects to be created, the PDC needs to be available and contactable. It's not at all necessary to create the Trust from the PDC (which answers Christopher's question mentioned in the original Post). The Trust can be created from any available Domain Controller which can contact the PDC. Of course later on Replication will play its role as the TDO Objects should go to all the Domain Controllers.
    Tuesday, October 27, 2009 5:42 PM
  • Nitin,
    agreed - that's the reason I stated "you do not need DIRECT connectivity between PDC Emulators in respective domains in order to establish an external trust relationship between them"...

    regards,
    Marcin
    Tuesday, October 27, 2009 5:44 PM
  • Agreed :)

    cheers,
    Nitin

    Tuesday, October 27, 2009 5:58 PM
  • Thanks Sloth and Marcin.

    Jorge is right. I found this link on TechNet http://technet.microsoft.com/en-us/library/cc782773(WS.10).aspx

    Clients are unable to access resources in a domain outside of the forest.

    Cause:  A failure has occurred on the external trust between the domains.

    Solution:  Reset and verify the trust between the domains. The PDC emulator master must be available for a trust to be successfully reset.


    http://technetfaqs.wordpress.com
    Wednesday, October 28, 2009 6:20 AM
  • Thank you all for your valuable input. This is a very interesting thread with many varied replies. To approach some statements and clarify my question: firstly, both environments are at forest and domain functional level 2003. Second, my question was not if I had to create the external trust from the PDCE (as in from the console or RDP session). My question was if PDCE to PDCE COMMUNICATION was required. To further clarify, with the current design you could not ping the other forest's PDC from ours and vice versa.

    I also wish to note that Syed's last post referencing the TechNet article on Troubleshooting trusts was one of the first articles I went to to verify this. The statement on trust reset and verification follows: "Clients are unable to access resources in a domain outside of the forest. Cause: A failure has occurred on the external trust between the domains. Solution: Reset and verify the trust between the domains. The PDC emulator master must be available for a trust to be successfully reset. See also: Verify a trust; Operations master roles; When to create an external trust." My interpretation of the statement "The PDC emulator master must be available for a trust to be successfully reset." is that it does not definitely state that the PDCE needs direct communication to the other forest PDCE. The problem is that "available" could mean quite a few things. What I am trying to figure out is: available to what? The current design allows for PDCE availability to all Domain Controllers in its "home" forest and two domain controllers in the trusted forest. So can a forest trust be established and maintained (meaning facilitate the 30 day trust reset requirement) using kind of a referral from the other forest non role holder DC or not? Can the Trusted Domain Objects also be created in this manner?

    I am going to send this to a friend that is a Microsoft Business Consultant to see what he thinks. Please keep up your input. I will continue research and will post my friend's reply when I get it. I may also have to put this in a sandbox to see for myself..
    Wednesday, October 28, 2009 11:53 AM
  • Hi,

    Ok so if I understand you correctly, we do not have direct connectivity between the PDC's of the two Forests.

    PDC (Forest 1) cannot Ping PDC (Forest 2) and Vice Versa
    PDC (Forest 1) can ping a Regular DC (Forest 2) and Vice Versa


    If the above-mentioned situation is correct then I would like to provide you with this link which explains how a PDC sets a Trust Password and stores it in TDO Objects.
    http://technet.microsoft.com/en-us/library/cc773178(WS.10).aspx

    If you look at the 'TDO PASSWORDS' section mentioned in the Article, it clearly indicates that a Password Reset or Creation is always initiated by the PDC. A Regular Domain Controller will never initiate a Password Change. The PDC, after initiating a Password Change, would contact any Regular DC in the Target Forest and give it the change. The Target Forest DC will then replicate those changes across to the other Domain Controllers.

    Hence, if we go by the situation at your end, I think we should be able to create Trusts without direct PDC to PDC communication. The term 'Availability' here indicates the PDC being Online and communicable from all the DC's.


    Having said this I would also like to bring in the concept of Trusted Domain and Trusting Domain.

    A Password Change is always initiated by a Trusting Domain PDC and not by the Trusted Domain PDC. 

    So if I am sitting in the Trusting Domain and my PDC Role Owner is down then of course I would not be able to Reset the Password.
    However, if my PDC is up and running, then the Password Change would be initiated no matter if my PDC is able to contact the other Forest PDC or not; it would inform any Regular DC in the other Forest about the Password Change. Now it's the work of that Domain Controller to Replicate the changes to the other DC's including the PDC.

    Again in order to reach the DC's at other Forest, Trusting Domain PDC will rely on DNS Zones. It will find one of the DC's in other Forest to communicate. So make sure that the DNS Zones are populated and replicated across.

    I hope I am correct on this though I expect some more inputs.

    cheers
    Nitin
    Wednesday, October 28, 2009 7:15 PM
  • Christopher,

    Theoretical discussions aside, you might want to simply test it. In essence all you need are 3 VMs configured as DCs in two separate domains/forests. Place them on different subnets and modify their routing tables, effectively preventing DC1 and DC3 from communicating directly...

    hth
    Marcin

    Wednesday, October 28, 2009 7:38 PM
  • Yes, you'll get a clear cut picture. I would have done that but unfortunately I am not getting time to test.
    Revert back with the findings.

    cheers
    Nitin
    Wednesday, October 28, 2009 7:53 PM
  • WOW Nitin, that was a very detailed and well-thought-out reply!!! I will be scouring it and the referenced Microsoft article. And yes, the cited scenario is accurate, and yes, the DNS zone records will be critical to success. I do have a VM lab that I could put this scenario in place in, however time is very tight and this is just the start of meeting many critical requirements by the end of the year... same old story :-) As I have had difficulty finding a direct answer to this question in Microsoft resources, and feel it is a great theoretical discussion for AD architects, and will be implementing it in a pre-production environment in 2-3 weeks from now, I WILL post a reply with our test results, so that this is and will be a completely satisfying discussion. Thanks for all your replies. Keep them up if you have an opinion or reference, and look for my replies with the results from our pre-production deployment!
    Thursday, October 29, 2009 2:31 PM
  • Hi,

    I am in the same situation as Chris - not having direct connectivity between the PDC Emulators in the trusting and trusted domains. I have tested setting up the trust and it appears to be working correctly, however I did receive an error when attempting to confirm the trust from both the trusting and trusted domains.

    I understood that I could not create the trust in "Both this domain and the specified domain" from one of the domains, since it would error out with "Cannot create both sides of the trust because a primary domain controller (PDC) for the specified domain cannot be contacted."

    I instead created each side of the trust from a domain controller in each of the respective domains. When attempting to confirm each side of the trust, the following error is displayed:

    "The verification of the incoming trust failed with the following error(s):
    The trust password verification failed with error 1787: The security database on the server does not have a computer account for this workstation trust relationship.
    A secure channel reset will be attempted.
    The secure channel reset failed with error 1787: The security database on the server does not have a computer account for this workstation trust relationship."

    If I ignore this error the trust appears to work correctly, so I'm treating this error more like a warning.

    The trust has only been in place for a couple of hours now, so I'm unsure if there will be any fallout when, for instance, the trust password is changed. Any thoughts on whether or not any action needs to be taken on this error?

    Thanks,
    Cory
    Wednesday, February 17, 2010 9:51 PM
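A pre-flight and verification script for the scenario Nitin describes (the trusting domain's PDCe finds a partner DC through the co-located DNS zone and pushes the trust password there) and for the verification failure Cory reports; this is an added example, not code from any poster in this thread or from Microsoft. It assumes PowerShell on a DC of the trusting domain with the ActiveDirectory module, and the partner domain name, the port list and the `_ldap._tcp.dc._msdcs` record name are placeholders/assumptions to adjust to the real design.

```powershell
# Added example, not from any poster in this thread. Pre-flight and verification
# checks for an external trust where the local PDC emulator cannot route to the
# partner PDC emulator but can reach the partner DCs co-located in our data centre.
# Run on a DC of the trusting domain (ideally the PDCe) with RSAT/ActiveDirectory.
# Assumptions: partner domain name and port list are placeholders; the ports are
# the DNS/Kerberos/RPC mapper/LDAP/SMB/kpasswd ports a trust commonly needs.
param(
    [string]$TrustedDomain = 'partner.example',             # placeholder
    [int[]] $Ports         = @(53, 88, 135, 389, 445, 464)  # adjust to design
)
Import-Module ActiveDirectory

# 1. The trust password is created and reset by the trusting domain's PDCe, so
#    the reachability results only matter when gathered from that role holder.
$local = Get-ADDomain
$self  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($local.PDCEmulator -ne $self) {
    Write-Warning "$self is not the PDCe ($($local.PDCEmulator)); repeat the checks there."
}

# 2. Find partner DCs the way the DC locator does: DC SRV records served from
#    the minimised copy of the partner zone. No records, no trust creation or
#    reset, no matter how the PDC-to-PDC routing looks.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
$partnerDCs = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
if (-not $partnerDCs) { throw "No DC locator SRV records for $TrustedDomain" }

# 3. Probe every advertised DC on every port. A DC that is advertised but not
#    reachable is exactly what Marcin's advice to prune the DNS zone is about.
$results = foreach ($dc in $partnerDCs) {
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize
$dead = $results | Where-Object { -not $_.Open } | Select-Object -ExpandProperty DC -Unique
if ($dead) { Write-Warning "Unreachable partner DCs still advertised in DNS: $($dead -join ', ')" }

# 4. Once the trust exists, verify it from the trusting side. This is the same
#    verification Cory's post reports failing with error 1787; a clean run means
#    the TDO passwords on both sides agree and a secure channel to a partner DC
#    can be built without ever talking to the partner PDCe.
$trusting = $local.DNSRoot
if (Get-ADTrust -Identity $TrustedDomain -ErrorAction SilentlyContinue) {
    netdom trust $trusting "/d:$TrustedDomain" /verify
    nltest "/sc_verify:$TrustedDomain"
}
```

Re-run step 4 after the first automatic trust password change to confirm the reset survived without direct PDCe-to-PDCe connectivity, which is the question left open in the thread.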
  • Hi Cory,

    I know it's 6 years ago, so I hope you can remember! But I face a similar issue today and I was wondering if the trust did survive the 30-day password reset?

    Tuesday, January 19, 2016 1:52 PM
  • I think PDC to PDC connectivity was only required back in the old days of Legacy NT4 trusts.

    With Win2003 or higher DFL, any writable domain controller can be used to create the trust. However, there are a bunch of firewall ports that need to be opened between the two sides.

    The domain controller being used to create the trust will notify the PDC in its own domain to actually create the TDO.

    The PDC then initiates an urgent replication notification, so all DCs in the domain are aware of the new trust object.

    Tuesday, February 2, 2016 7:26 PM