TRUSTS


rakem

I am having some trouble setting up trusts for my network. I need to make the domain e.g. domain.local trust the domain e.g. network.local. Both servers are running Windows Server 2003. When I try to configure the trusts in the AD Domains and Trusts console I get the error "New trust wizard cannot continue because the specified domain cannot be contacted".

I can easily ping the DCs in both domains and I can browse the files on each DC if I type the full DNS name as a run command.

Does it matter that the domain names are different? Will this affect the trust at all?

I'm trying to set up an external two-way trust in this situation; any help would be great.

thanks

Can you ping to a netbios name? Are you using the FQDN for the trust (DNS seems to be working fine)? If you are using WINS then this may be used first for resolution. If so, create a domain name mapping in WINS.

Edited by Fosteur
I can ping to a FQDN but not to the NetBIOS name, and yes, I'm using a FQDN for the trust.

If you can't ping the NetBIOS name, make sure that recursion is not disabled.

Also make sure the DCs are registered with (themselves) their DNS servers properly.

DC1 of Domain1 should have itself listed as the primary (and only) DNS server

DC1 of Domain2 should have itself listed as the primary (and only) DNS server

Add DC1 of Domain2 to Domain1's DNS forwarders list

Add DC1 of Domain1 to Domain2's DNS forwarders list

That's the quick-N-Dirty way to get A to resolve B.

A split-zone DNS with Zone transfers is the cleaner/correct method.

Does it matter that the domains have completely different names?

Actually they must be different, or there would be no point in setting up a trust between them (as they would presumably be in/on the same domain). :)

If you can't ping the NetBIOS name, make sure that recursion is not disable.

What do you mean by this? I have not heard of recursion.

Actually they must be different, or there would be no point in setting up a trust between them (as they would presumably be in/on the same domain). :)

Haha, yeah, I know they must be different, but I thought they might need to have a common element, for example domainA.network.local and domainB.network.local.

OK, I have found out about the recursion and it is not disabled.

So I followed the steps you said and the trusts are in place, however now I cannot log on; I just get an error saying the domain is not available. Also when I try to validate the trust from one domain the error says "windows cannot find a domain controller for the domain ......... verify that the DC is available and try again".

How do I set up a split-zone DNS transfer, as I would like this to be done properly?

Okay...

It's been a while since I've done this myself... So I had to go RTFM :) It's amazing how many details there are for a config like this.

Any how.... Here's a section of "The Manual" on how to setup the trust:

Creating an External Trust

An external trust is a trust relationship between a Windows Server 2003 domain and another domain outside of the same forest. External trusts are created to provide backward compatibility with Windows NT environments, or to facilitate communications with domains located in another forest not joined by a forest trust. Before you can create an external trust, you must configure a DNS forwarder on both of the DNS servers that are authoritative for the trusting domains.

To configure a DNS conditional forwarder, complete the following steps on both authoritative DNS servers:

1. Click Start, point to Administrative Tools, and then click DNS.

3-22 Chapter 3 Managing and Maintaining an Active Directory Implementation

2. In the console tree, right-click the DNS server you want to configure, and then click Properties.

3. In the Properties dialog box for the DNS server, click the Forwarders tab.

4. On the Forwarders tab, specify the DNS domain names that require queries to be forwarded (conditional forwarding) in the DNS Domain box by clicking New and typing the domain name in the New Forwarder dialog box, as shown in Figure 3-14. Type the IP address or addresses of the server or servers to which the queries are forwarded in the Selected Domain’s Forwarder IP Address List, and then click Add.

Figure 3-14 Configuring a new DNS forwarder for conditional forwarding

5. Click OK in the Forwarders tab, and close the DNS administrative tool.

To create an external trust, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Domains And Trusts.

2. In the console tree, right-click the domain for which you want to create an external trust, and then click Properties.

3. In the Properties dialog box, click the Trusts tab.

4. On the Trusts tab, click New Trust.

5. On the Welcome To The New Trust Wizard page, click Next.

6. On the Trust Name page, type the DNS name of the target domain in the second forest with which you want to establish a trust in the Name box, and then click Next.

7. If the forest functional level is set to Windows Server 2003, the Trust Type page appears, as shown in Figure 3-15. Select the External Trust option, and then click Next. Otherwise, skip to the next step.

Lesson 1 Understanding and Managing Trust Relationships and UPNs 3-23

Figure 3-15 The Trust Type page

8. On the Direction Of Trust page, select one of the following choices:

❑ If you want all users in both domains to be able to access all resources in either domain, select Two-Way, and then click Next.

❑ If you want only users in this domain to be able to access resources in the second domain, select One-Way: Incoming, and then click Next. Note By selecting the One-Way: Incoming option, users in the domain in the second forest will not be able to access any resources in the domain in this forest.

❑ If you want only users in the second domain to be able to access resources in this domain, select One-Way: Outgoing, and then click Next. Note By selecting the One-Way: Outgoing option, users in the domain in this forest will not be able to access any resources in the domain in the second forest.

9. On the Sides Of Trust page, select one of the following choices:

❑ Select This Domain Only to create the trust relationship in the local domain. Click Next.

❑ Select Both This Domain And The Specified Domain to create a trust relationship in the local domain and a trust relationship in the specified domain. If you select this option, you must have trust creation privileges in the specified domain. Click Next.

10. Select one of the following paths, depending on your choices in steps 8 and 9:

❑ If you selected Two-Way or One-Way: Outgoing in step 8, and This Domain Only in step 9, the Outgoing Trust Authentication Level page appears. Select Domain-Wide Authentication to automatically authenticate all users in the specified domain for all resources in the local domain. Select Selective Authentication if you do not want to automatically authenticate all users in the specified domain for all resources in the local domain. Click Next. On the Trust Password page, type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected One-Way: Incoming in step 8 and This Domain Only in step 9, the Trust Password page appears. Type a password for the trust in the Trust Password and Confirm Trust Password boxes. Click Next.

❑ If you selected Both This Domain And The Specified Domain in step 9, the User Name And Password page appears. Type the user name and password of an account that has administrative privileges in the specified domain. Click Next.

11. On the Trust Selections Complete page, verify that the correct trust settings are configured, and then click Next. The wizard creates the trust.

12. On the Trust Creation Complete page, verify the settings, and then click Next.

13. On the Confirm Outgoing Trust page, select Yes, Confirm The Outgoing Trust if you created both sides of the trust. If you created only one side, choose No, Do Not Confirm The Outgoing Trust. Click Next.

14. On the Confirm Incoming Trust page select Yes, Confirm The Incoming Trust if you created both sides of the trust. If you created only one side, choose No, Do Not Confirm The Incoming Trust. Click Next.

15. On the Completing The New Trust Wizard page, verify the settings, and then click Finish.

16. Note the presence of the external trust you just set up in the Trusts tab of the Properties dialog box for the domain. An example is shown in Figure 3-16. Click OK.

...Sorry about the formatting, I'm just doing a quicky cut-N-paste at work.

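The manual's forwarder procedure above is click-driven; the same configuration and the resolution checks the wizard depends on can be done from the command line. This is an added example, not part of the thread or the quoted manual, and it assumes classic tools that ship with Windows Server 2003 (dnscmd, nslookup, and nltest from the Support Tools) run from PowerShell; the domain names, NetBIOS name and IP address are placeholders.

```powershell
# Added example, not from the thread or the quoted manual. Configures the
# conditional forwarder from the manual's DNS steps with dnscmd (the command
# line equivalent of the Forwarders tab on Windows Server 2003) and then checks
# that the records the New Trust wizard needs are resolvable. All names and
# the address below are assumed placeholders; run it on each domain's DNS
# server with the names swapped.
$RemoteDomain  = 'network.local'   # the domain we want to trust
$RemoteNetbios = 'NETWORK'         # assumed NetBIOS name of that domain
$RemoteDnsIp   = '192.0.2.10'      # assumed address of its DC/DNS server

# Conditional forwarder: queries for $RemoteDomain go only to $RemoteDnsIp.
& dnscmd.exe /ZoneAdd $RemoteDomain /Forwarder $RemoteDnsIp
& dnscmd.exe /ZoneInfo $RemoteDomain     # zone type should read "Forwarder"

# The wizard does not just look up the domain's A record: it locates a DC
# through the SRV records under _msdcs, so those must resolve as well.
$checks = @(
    @{ Type = 'A';   Name = $RemoteDomain },
    @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$RemoteDomain" },
    @{ Type = 'SRV'; Name = "_kerberos._tcp.dc._msdcs.$RemoteDomain" }
)
$failed = 0
foreach ($c in $checks) {
    $nsArgs = @("-type=$($c.Type)", $c.Name)
    $out = (& nslookup.exe @nsArgs 2>&1 | Out-String)
    if ($out -match "can't find|Non-existent domain|timed out") {
        Write-Host ("FAIL {0,-4} {1}" -f $c.Type, $c.Name)
        $failed++
    } else {
        Write-Host ("OK   {0,-4} {1}" -f $c.Type, $c.Name)
    }
}

# DC locator test (Windows Support Tools). This is the lookup behind the
# "cannot find a domain controller" message; try the DNS name and the NetBIOS
# name, since the earlier replies note the latter may be tried first with WINS.
& nltest.exe /dsgetdc:$RemoteDomain /force
& nltest.exe /dsgetdc:$RemoteNetbios /force

if ($failed -gt 0) {
    Write-Host "$failed record(s) did not resolve; fix DNS before running the New Trust wizard."
}
```

Run it from an elevated prompt on the DNS server of each domain, pointing at the other side. If the A record resolves but the _msdcs SRV lookups fail, the forwarder is working and the problem is that the remote DC has not registered its locator records (the "make sure the DCs are registered with their DNS servers" point earlier in the thread).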
OK, thanks for those steps. I have configured everything but now when I go to validate the trust on one side I get this error:

"The verification of the incoming trust failed with the following error(s):

The trust password verification test was inconclusive.

A secure channel reset will be attempted.

The secure channel reset failed with error 1311: There are currently no logon servers available to service the logon request.

The outgoing trust has been verified. It is in place and active."

All passwords and usernames are the same also, so I'm not sure what the password verification test is supposed to mean.

When I validate the trust on the other side it just says "cannot find a domain controller ..... verify that the DC is available and try again".

The trust password verification test was inconclusive.

:blink: Okay... Now that's weird.

Long shot, but you mentioned earlier that you were getting Win32time errors in the logs. If the time on both servers is different by 5 or more minutes (by default) then Kerberos will start rejecting traffic.

How is your time service (SNTP) configured?

...Also found 2 links that might be helpful

EventID 5719

Problem with domain trust after W2003SP1 upgrade

Edited by Stoic Joker
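The clock-skew suspicion in the reply above can be checked directly rather than inferred from event log noise. This is an added example, not posted in the thread, using w32tm as it exists on Windows Server 2003 run from PowerShell; the remote DC name and the NTP peer are assumed placeholders.

```powershell
# Added example, not from the thread. Samples the clock offset between this
# server and a DC in the other domain with w32tm, compares it with the Kerberos
# default tolerance of 5 minutes, and dumps the local Windows Time settings.
# The remote DC name and the NTP peer below are assumed placeholders.
$RemoteDc       = 'dc1.network.local'   # assumed: a DC in the domain being trusted
$MaxSkewSeconds = 300                   # Kerberos default MaxClockSkew (5 minutes)

# w32tm /stripchart prints one sample per line; with /dataonly each line ends
# in the offset of the remote clock relative to ours, e.g. "14:02:12, +00.0003001s".
$lines   = & w32tm.exe /stripchart /computer:$RemoteDc /samples:5 /dataonly 2>&1
$offsets = foreach ($l in $lines) {
    if ("$l" -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
}

if (-not $offsets) {
    Write-Host "Could not sample $RemoteDc (UDP 123 blocked, or the name does not resolve?)"
    Write-Host ($lines -join "`n")
    exit 1
}

$avg = ($offsets | Measure-Object -Average).Average
if ([math]::Abs($avg) -gt $MaxSkewSeconds) {
    Write-Host ("SKEW {0:N1}s exceeds {1}s: Kerberos will reject tickets until the clocks agree" -f $avg, $MaxSkewSeconds)
} else {
    Write-Host ("OK   offset {0:N3}s is within the {1}s tolerance" -f $avg, $MaxSkewSeconds)
}

# How this server is currently sourcing time. Type NT5DS means it follows the
# domain hierarchy (normal for a member DC); NTP means a manual peer list,
# which is what the PDC emulator of each forest should use.
& w32tm.exe /dumpreg /subkey:Parameters

# Offsets of every DC in a domain at a glance, useful when both sides drift.
& w32tm.exe /monitor /domain:$RemoteDc.Substring($RemoteDc.IndexOf('.') + 1)

# Fix, to be run only on the PDC emulator of each forest (peer is a placeholder):
#   w32tm /config /manualpeerlist:"ntp.example.net" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
```

The offset that matters for Kerberos is between the client and the KDC it talks to, so when both domains keep their own time source the fix is to point each PDC emulator at the same external peer (or at each other) and let the other DCs follow the domain hierarchy; an offset under a few seconds is normal, anything approaching 300 s reproduces the "no logon servers available" symptom.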
  • 2 years later...
  • 1 month later...

Alright,

You need to do zone transfers in your DNS (both servers). Try both by DNS and WINS; that's all you need, and you will be able to contact and make the trust.

I have 2 trusts with different networks, one in San Felipe, BC and the other one in Denver, CO. I'm in Mazatlan, Mexico.

Regards!!!
