Windows 2003 - 2008 Forest Trusts

    Question

  • Can you set up a forest trust between 2003 and 2008 domains? I can't see any info on 2008 domains in cross-server trusts. I am trying it, get an error, and can only seem to create a realm trust.

    Also, does anybody know what DNS/SRV entries are looked up/used when a trust is configured?

    Thanks!!
    Monday, July 21, 2008 9:15 AM

Answers

  •  

    Hi,

    <Can you set-up a forest trust between 2003-2008 domains?>

    You can create a trust relationship between Windows Server 2003 and Windows Server 2008. To assist accurately with this issue, could you please tell me what kind of trust you want to create, and what the forest functional level of each domain is?

    <I am trying it and get an error and can only seem to create a Realm trust.>

    May I know why you want to create a realm trust?

    Typically, a realm trust is used between a non-Windows Kerberos V5 realm and a Windows domain. This trust relationship allows cross-platform interoperability with security services based on other Kerberos V5 versions, such as UNIX and MIT implementations. If both sides are Windows systems, you can consider other trust types, such as an external or forest trust.

    <does anybody know what DNS/SRV entries are looked up/used when a trust is configured?>

    When a client accesses a resource in a trusted domain, it does not refer to DNS records to locate the resource; instead it queries the Trusted Domain Objects stored in AD, which include many trusted-domain attributes such as the GUID, SPN suffixes, etc.

    For more information, please refer to the following article:

    How Domain and Forest Trusts Work
    http://technet2.microsoft.com/windowsserver/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx?mfr=true

    Hope this helps.

     

    Wednesday, July 23, 2008 9:16 AM
    Moderator
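    The question asks which DNS/SRV entries are involved, and a later post asks for a step-by-step set of tests. Whatever the client does once a trust exists, the trust wizard itself has to locate a domain controller of the other forest first, and the NETLOGON DC locator does that through the `_msdcs` SRV records in DNS. The script below is an added example written for this page (not code from any poster or from Microsoft) that runs on a Windows Server 2008 DC of the trusting side and checks exactly that chain: it resolves the locator SRV records of the other forest, asks `nltest` to find a DC, and then probes TCP reachability of the DCs it found. The forest name is a placeholder borrowed from a later post, and the port list is this example's own assumption about what a trust normally needs. It only uses `nslookup`, `nltest` and .NET sockets, because `Resolve-DnsName` and `Test-NetConnection` do not exist on 2008.

```powershell
# Added example for this thread, not code from any poster or from Microsoft.
# Pre-trust readiness check: run on a Windows Server 2008 DC of the trusting side
# against the forest you want to trust. Written for PowerShell 2.0, so it shells
# out to nslookup and nltest (Resolve-DnsName / Test-NetConnection do not exist there).
# Assumptions: $OtherForest is a placeholder; the TCP port list is this example's
# own choice of ports a trust is normally expected to need.
param(
    [string]$OtherForest = "dcbusiness.local"   # placeholder name borrowed from a later post
)

# DC locator SRV records that NETLOGON queries when it must find a DC or GC of
# another forest. If these do not resolve here, "There are currently no logon
# servers available" is the expected failure from the trust wizard.
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$OtherForest",
    "_kerberos._tcp.dc._msdcs.$OtherForest",
    "_ldap._tcp.pdc._msdcs.$OtherForest",
    "_gc._tcp.$OtherForest"
)

# TCP ports probed on every DC the SRV records return (assumption: typical trust needs).
$ports = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP"; 445 = "SMB/LSARPC"; 3268 = "Global Catalog" }

function Test-SrvRecord {
    param([string]$Name)
    # Windows nslookup prints one "svr hostname = <fqdn>" line per SRV answer.
    $out = & nslookup -type=SRV $Name 2>&1 | Out-String
    $targets = @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
    New-Object PSObject -Property @{ Record = $Name; Hosts = $targets; Resolves = ($targets.Count -gt 0) }
}

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    # Async connect with a timeout so a silently dropping firewall does not hang the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"== SRV records for $OtherForest (as seen from this DC) =="
$results = @($srvRecords | ForEach-Object { Test-SrvRecord $_ })
foreach ($r in $results) {
    $state = if ($r.Resolves) { "OK -> " + ($r.Hosts -join ", ") } else { "MISSING" }
    "{0,-45} {1}" -f $r.Record, $state
}

"== DC locator (nltest) =="
$locator = & nltest "/dsgetdc:$OtherForest" /force 2>&1 | Out-String
if ($locator -match "The command completed successfully") { $locator.Trim() } else { "FAILED:`n" + $locator.Trim() }

"== TCP reachability of the DCs returned above =="
$dcs = @($results | Where-Object { $_.Resolves } | ForEach-Object { $_.Hosts } | Select-Object -Unique)
foreach ($dc in $dcs) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -TargetHost $dc -Port $port) { "open" } else { "BLOCKED or closed" }
        "{0} TCP/{1} ({2}): {3}" -f $dc, $port, $ports[$port], $state
    }
}
```

    Read the output top down: a MISSING SRV record means the problem is DNS (no secondary zone or conditional forwarder for the other forest, or the DC is not using its own DNS service), and nothing further down can work until that is fixed. A failed `nltest /dsgetdc` with resolving SRV records points at reachability or at the DC not answering LDAP pings. The probe is TCP only; Kerberos and LDAP also use UDP 88 and UDP 389, and the last reply in this thread is a case where closed UDP was the actual cause, so a clean TCP result does not rule the firewall out.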

All replies

  • I would also like to know the answer; I'm having the exact same problem.

    DNS is OK; secondary zones from each domain are replicated.

    Ping works, net use works, all ports are open (389, 445 and 88).

    One domain is at W2K3 domain and forest functional level and the other domain is at W2K8 domain and forest functional level.

    Thanks in advance!
    Friday, February 6, 2009 3:37 PM
  • I have problems too with a forest trust between 2 domains: 1 under Windows 2003 SP2 (2003 functional level) and 1 under Windows 2008 (2008 functional level).

    There are 2 secondary DNS zones on each of the 2 servers and I can ping and resolve both domain controller names. (I have tested zone transfers too.)

    I have disabled all firewall functionality on Windows 2008.

    When I create a trust, I have no problem until the end of the procedure: "The trust cannot be established for this domain". Very explicit... :(

    Kerberos, unidirectional, transitive, non-transitive... etc., etc.

    You can also note that I have tested with 2003 functional level on the Windows 2008 controller... same result.

    Thanks for help...
    Tuesday, March 31, 2009 3:49 AM
  • I encountered the same problem with the final step in creating a Forest trust on the Windows 2008 Forest - "different functional levels".
    I had no problems in creating a 2003 - 2008 Forest trust if I did this from the 2003 Forest.

    Friday, April 3, 2009 7:35 AM
  • It seems that all these issues have been resolved with SP2.
    Monday, December 21, 2009 10:19 PM
  • I have been having a very similar problem. We have two Windows 2008 servers (SP2) in separate forests. Each has only 1 domain. In trying to set up a two-way cross-forest transitive trust, I reached the Validate button at the very end and received the message:

    "The secure channel (SC) reset on Active Directory Domain Controller \\SERVER01.zmmtraining.local of domain zmmtraining.local to domain dcbusiness.local failed with error: There are currently no logon servers available to service the logon request."

    I am able to ping the other domain. I turned off both Windows Firewalls to test and still failed. The System log has a similar error message:

    "Event ID 5179 NETLOGON This computer was not able to set up a secure session with a domain controller in domain DCBUSINESS due to the following: There are currently no logon servers available to service the logon request."

    Apparently all these issues have not been resolved with SP2, and I am going around in circles, looking at NETDOM, NLTEST, etc. We have WINS turned off.

    Is there a specific set of tests I can perform that will gradually help me identify and rectify the problem? I'm not a very experienced administrator and could use a guide that steps me through an instruction list.

    Each server has a CISCO ASA 5505 unit that stands between the network switch and the broadband cable modem. 

    Thanks for taking the trouble to offer any advice.

    Frank Fallon

    Thursday, April 22, 2010 7:31 PM
  • Having the same/similar problems here as well. Scenario is as follows...

    DomainA - (1) 2003 x86 DC, (1) 2008 R2 x64 DC

    DomainB - (2) 2008 R2 x64 DC


    DNS on each DC with secondary zones referencing back to the other domain (so DomainA has secondary zones for DomainB and vice versa).

    Establishing an external trust works fine; however, when we try to establish a forest trust, in the final step we get the message about no logon servers being available to process the request.

    Anyone solve this?

    Monday, May 3, 2010 7:46 PM
  • I was having a similar problem. I could create a realm trust but could not create a trust to a Windows domain. The problem I was having was related to DNS.

    To solve the issue I did two things. I created a conditional DNS forwarder on both domains to point to the other domain. I kept getting an error that the selected DNS server was not the authoritative server. I knew this to be wrong, as each domain only has one DNS server. (Test lab)

    I went into the TCP/IP settings on each DC and made sure that the primary DNS server was itself. Still having the same issue. I noticed that when I did an nslookup I was not getting back the name of the server; it just said Unknown, and for the IP address it gave me ::1 (local broadcast address for IPv6 if I remember correctly). So I went into the Local Area Connection Properties and unchecked TCP/IPv6.

    Now when I do nslookups it reports the DNS server name correctly, and when I add the conditional forwarder I no longer get an error about the server not being authoritative for the domain.

    When creating trusts I now have no problems. It sees both domains just fine.

    • Proposed as answer by kcohne Wednesday, May 5, 2010 9:51 PM
    Wednesday, May 5, 2010 9:21 PM
  • Hi Guys,

    Not sure if this will help to resolve your issue; mine uses W2K8 with two domains.

    What I did is the following steps:

    1. Opening the following ports:

        - 137 UDP, 138 UDP, 139 TCP, 389 TCP/UDP, 88 TCP/UDP, 445 TCP

    2. Adding the second domain into the first domain as secondary DNS, and the other way around.

    3. Creating a one-way domain trust using an external trust, with the first domain trusting the second domain.

    4. Creating a group with Domain Local group scope in the first domain and then adding to it the group created in the second domain with Global group scope.

    I hope this will help you.

    Cheers.

    Reference link: http://support.microsoft.com/kb/179442/en-us

    Thursday, July 15, 2010 9:28 AM
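    The two replies above describe the same procedure from two angles: the conditional-forwarder and "DC points at its own DNS" fix, and the four numbered steps (ports, DNS, external trust, group nesting). The script below is an added example for this page, not code from either poster, that carries out those steps from a Windows Server 2008 DC of the trusting side with the tools that ship with 2008 (`netsh advfirewall`, `dnscmd`, `netdom`, `nltest` and ADSI). Every domain name, address and group name is a placeholder assumption. One note on the nslookup symptom in the earlier reply: `::1` is the IPv6 loopback address, and nslookup prints `UnKnown` only because there is no reverse (PTR) record for it; that line is cosmetic, and the changes that matter for the trust are the forwarder (or secondary zone) and the DC using its own DNS service.

```powershell
# Added example for this thread, not code from either poster. Run in an elevated
# PowerShell on a DC of the trusting side (the side that holds the resources).
# All names and addresses are placeholder assumptions.
$TrustingDomain   = "domaina.local"   # assumption: resource side (trusting)
$TrustedDomain    = "domainb.local"   # assumption: account side (trusted)
$TrustedDnsServer = "10.0.2.10"       # assumption: a DNS server / DC of the trusted side
$ThisDcAddress    = "10.0.1.10"       # assumption: this DC's own IPv4 address

# Step 1: inbound firewall rules on this DC for the ports listed in the post.
$rules = @(
    @{ Proto = "UDP"; Port = 137 }, @{ Proto = "UDP"; Port = 138 }, @{ Proto = "TCP"; Port = 139 },
    @{ Proto = "TCP"; Port = 389 }, @{ Proto = "UDP"; Port = 389 },
    @{ Proto = "TCP"; Port = 88  }, @{ Proto = "UDP"; Port = 88  }, @{ Proto = "TCP"; Port = 445 }
)
foreach ($r in $rules) {
    $proto = $r.Proto; $port = $r.Port
    $name  = "AD trust $proto $port"
    & netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=$proto localport=$port | Out-Null
}

# Step 2: make the other domain resolvable from this DC. The post used secondary
# zones (needs zone transfers allowed on the other side); the reply above used a
# conditional forwarder, which needs no transfer. Use one or the other.
& dnscmd /ZoneAdd $TrustedDomain /Forwarder $TrustedDnsServer
# & dnscmd /ZoneAdd $TrustedDomain /Secondary $TrustedDnsServer      # secondary-zone alternative
# This DC should use its own DNS service first, as in the reply above (adjust the NIC name):
# & netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=$ThisDcAddress register=primary
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$TrustedDomain"           # must list a DC before going on

# Step 3: one-way external trust, $TrustingDomain trusting $TrustedDomain.
# netdom prompts for both passwords (the "*"); add /Twoway for a two-way trust.
& netdom trust $TrustingDomain "/d:$TrustedDomain" /add "/UserD:$TrustedDomain\Administrator" /PasswordD:* "/UserO:$TrustingDomain\Administrator" /PasswordO:*
# Same checks the wizard's Validate button performs, plus the secure channel and trust list.
& netdom trust $TrustingDomain "/d:$TrustedDomain" /verify
& nltest "/sc_verify:$TrustedDomain"
& nltest /domain_trusts

# Step 4: domain local group on the trusting side that nests the trusted side's global group.
$usersContainer = [ADSI]"LDAP://CN=Users,DC=domaina,DC=local"        # assumption: Users container of $TrustingDomain
$localGroup = $usersContainer.Create("group", "CN=Share-Readers")      # assumption: group name
$localGroup.Put("sAMAccountName", "Share-Readers")
$localGroup.Put("groupType", -2147483644)   # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | SECURITY_ENABLED (0x80000004)
$localGroup.SetInfo()
# Adding a member by its ADsPath in the trusted domain creates the foreign security
# principal on this side automatically; this only works once the trust from step 3 is in place.
$localGroup.Add("LDAP://$TrustedDomain/CN=Sales,CN=Users,DC=domainb,DC=local")   # assumption: global group in $TrustedDomain
```

    The order matters: the firewall and DNS steps have to succeed before `netdom trust /add`, because the trust wizard and `netdom` both use the DC locator to find a DC of the other domain and fail with "no logon servers available" if the `_msdcs` SRV lookup comes back empty. Grant permissions on the resource side only to the domain local group, never to the foreign global group directly, so that access can be revoked on this side without touching the other domain.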
  • Thank you kcohne, this worked for me from 2K8 AD to 2K3. The trust relationship worked the first time from 2K3 to 2K8, but NOT from 2K8 to 2K3 until I just unchecked IPv6 in the NIC properties. On the Server 2K8 DC > Local Area Connection > Properties > uncheck IPv6, and presto!

    Had the same problem as kcohne did, so I followed his advice, and it worked.

    Friday, July 23, 2010 11:26 PM
  • Mr. Morgan, please guide me step by step on how to establish a two-way relationship between Windows Server 2003 and 2008?
    Monday, November 29, 2010 5:45 AM
  • Hi Frank,

    Had a similar problem, but mine was caused by UDP being closed on my side.

    Wednesday, July 17, 2013 2:09 PM