Create a trust between two forests - one not named properly


Leythos
I have two forests that were created when we had no plans on connecting
the remote offices:

Forest1 locA.company.lan
Forest2 companyloc (notice no .lan or anything)

I have all the trusts working for the other remote offices (locB,
locC,...)

I can't seem to get a trust working between locA.company.lan and
companyloc - it always fails.

I have secondary DNS working between the forests, but I can't create a
trust between the improperly named forest.

Any ideas?

Thanks.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Tim Hines [MSFT]
What error do you receive when you attempt to create the trust? It could be
a DNS resolution problem because there are name registration problems with
single label DNS domain names.

--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.






Leythos
In article ,
timhines@online.microsoft.com says...
> What error do you receive when you attempt to create the trust? It could be
> a DNS resolution problem because there are name registration problems with
> single label DNS domain names.

I can ping the server (DNS server) in the single name domain from the
one I'm trying to trust with it.

In fact, when I set up the secondary DNS on locA.company.lan to pull a
copy from locBcompany it worked fine - I can see all the systems in
locBcompany in the DNS manager on locA.company.lan just fine.

The GUI for the trusts, from locA.company.lan, only gives an error
stating that the function can not be completed and does not create the
trust (I didn't look in the event log).

I'll see if I can get more info and post it.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Tim Hines [MSFT]
There won't be an event in the evt log. You will get an error when creating
a trust. That is the error that I am looking for. A typical one is "the
specified domain does not exist or could not be contacted"

--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services




Leythos
In article ,
timhines@online.microsoft.com says...
> There won't be an event in the evt log. You will get an error when creating
> a trust. That is the error that I am looking for. A typical one is "the
> specified domain does not exist or could not be contacted"

Ok, I open the AD D&T, right click the W2003 domain name, Properties,
Trusts, NEW Trust, Wizard opens, Next, Trust Name (single domain name
entered 'locBcompany'), Select "Trust with a Windows Domain", enter
'locBcompany', click NEXT, get "Cannot continue. The new trust wizard
can not continue because the specified domain can not be located. Either
the domain does not exist, or network or other problems are preventing
connection"

Now, if I ping S2KSRV001.LOCBCOMPANY, it resolves and I get good ping
times. So, DNS is working, and I can even see the LOCBCOMPANY systems in
the DNS Forward and Reverse lookup Zones.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Tim Hines [MSFT]
Being able to ping a DC is not a good test of DNS resolution. When clients
look for DCs they search for SRV records in DNS. The same concept applies
to WINS resolution: being able to ping by host name doesn't guarantee that
name resolution is completely working. The client looks for a 0x1b record
in the WINS database to determine which servers are GCs. Verify that LDAP
SRV records are available for the DCs.

The following links discuss name resolution in AD:

247811 How Domain Controllers Are Located in Windows
http://support.microsoft.com/?id=247811

Name resolution in AD
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/wsrvdsys.mspx


--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services
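
The SRV check described in the reply above, as an added example that is not part of the original thread. It assumes a machine with PowerShell's DnsClient module (Windows 8 / Server 2012 or later); `Test-DcLocatorRecords` is a hypothetical helper name and `locBcompany` is the single-label domain name used in the thread.

```powershell
# Added example, not from the thread. Queries the SRV records the DC locator
# depends on, instead of pinging a host name (which only proves an A record).
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$DomainName,  # DNS name of the domain to be trusted
        [string]$DnsServer                          # optional: resolver to query directly
    )
    # A trailing dot makes the name fully qualified, so a single-label domain
    # name is not expanded through the client's DNS suffix search list.
    $fqdn = $DomainName.TrimEnd('.') + '.'
    $names = @(
        "_ldap._tcp.dc._msdcs.$fqdn",      # domain controllers (LDAP)
        "_kerberos._tcp.dc._msdcs.$fqdn",  # Kerberos KDCs
        "_ldap._tcp.pdc._msdcs.$fqdn",     # PDC emulator
        "_ldap._tcp.$fqdn"                 # generic LDAP servers for the domain
    )
    foreach ($name in $names) {
        $err = $null
        $query = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $query.Server = $DnsServer }
        try {
            # Keep only SRV answers; the response may also carry A records
            # for the targets in its additional section.
            $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        } catch {
            $srv = @()
            $err = $_.Exception.Message
        }
        if ($srv.Count -eq 0) {
            [pscustomobject]@{ Record = $name; Found = $false; Target = $null
                               Port = $null; Detail = $err }
        }
        foreach ($r in $srv) {
            [pscustomobject]@{ Record = $name; Found = $true; Target = $r.NameTarget
                               Port = $r.Port
                               Detail = "priority $($r.Priority), weight $($r.Weight)" }
        }
    }
}

# Run from a machine in the trusting forest, using its normal resolver.
Test-DcLocatorRecords -DomainName 'locBcompany' | Format-Table -AutoSize
```

On systems without `Resolve-DnsName`, the same query can be made with `nslookup -type=SRV _ldap._tcp.dc._msdcs.locBcompany.` (note the trailing dot).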




Leythos
In article ,
timhines@online.microsoft.com says...
> Being able to ping a DC is not a good test of DNS resolution. When clients
> look for DCs they search for SRV records in DNS. The same concept applies
> to WINS resolution: being able to ping by host name doesn't guarantee that
> name resolution is completely working. The client looks for a 0x1b record
> in the WINS database to determine which servers are GCs. Verify that LDAP
> SRV records are available for the DCs.
>
> The following links discuss name resolution in AD:
>
> 247811 How Domain Controllers Are Located in Windows
> http://support.microsoft.com/?id=247811
>
> Name resolution in AD
> http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/wsrvdsys.mspx

Thanks, I'm reading them now.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Leythos
In article ,
timhines@online.microsoft.com says...
> Being able to ping a DC is not a good test of DNS resolution. When clients
> look for DCs they search for SRV records in DNS. The same concept applies
> to WINS resolution: being able to ping by host name doesn't guarantee that
> name resolution is completely working. The client looks for a 0x1b record
> in the WINS database to determine which servers are GCs. Verify that LDAP
> SRV records are available for the DCs.
>
> The following links discuss name resolution in AD:
>
> 247811 How Domain Controllers Are Located in Windows
> http://support.microsoft.com/?id=247811
>
> Name resolution in AD
> http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/wsrvdsys.mspx

As a side note, I would have expected that if I can set up secondary DNS
pulls from the other server that they should be able to communicate with
each other. Maybe I should re-read what I just typed.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)