Getting DNS working properly before TRUSTing 2 forests??

  • Getting DNS working properly before TRUSTing 2 forests??

    OK, I have 2 separate forests, at 2 different sites; both are internal, i.e. domain.local.

    I am trying to trust the 2.

    1 site is Windows 2000 Server
    1 site is Windows 2003 Server

    Each domain controller runs Windows DNS for its respective domain. On each DNS server I have forwarders to my ISP's DNS servers for external queries.


    OK, I want to trust the 2 forests, so that users/computers can access resources in each other's forests.

    Now, before I run Active Directory Domains and Trusts, I need to get DNS configured properly on both servers so that they can resolve queries in both forests.

    The articles I've read have advised setting a DNS forwarder on both DCs which point to each other. This way, when I try to resolve a name in the other forest, the DNS server will look in its own cache first, then try the public DNS servers (ISP) I have in there, and then try the last entry, which is the IP of the other domain controller in the other forest. Then it looks in the other DC's DNS records and, hey presto, I should have success.

    That's how I envisage it working... but I've set up forwarders on both my DCs which point to each other, and I cannot resolve anything across the forests.

    Domain controller 1 (dc1):
    DNS forwarders contains the IP of dc2

    Domain controller 2 (dc2):
    DNS forwarders contains the IP of dc1


    If I log onto dc1 and try to ping the NetBIOS name of dc2, it fails.

    If I log onto dc2 and try to ping the NetBIOS name of dc1, it fails.

    So this tells me that DNS is not working.

    Am I right in my assumptions of how to get it working in the first place?

    I have tried running "Domains and Trusts" and I created 2-way external trusts between the 2 forests. It said the trust was successful, and I verified it with good results. Yet I still couldn't ping or access anything in the other forest, so I'm back to my assumption that it never worked properly, most likely due to DNS. So I've "un-trusted" them and I'm back to configuring DNS.

    Anyone got some pointers for me?

    If you need any other info to help troubleshoot, just let me know!

    Cheers!
    dave

  • #2
    If I log onto dc1 and try to ping the NetBIOS name of dc2, it fails.
    If I log onto dc2 and try to ping the NetBIOS name of dc1, it fails.
    So this tells me that DNS is not working.
    Not to worry, this is normal behaviour. DNS is hierarchical by nature, contrary to NetBIOS. That means that, in principle, you need to specify the FQDN of the host you want to reach. So, from dc1 you would do:

    ping dc2.otherdomain.local.

    Windows will try uplevel domains by default, and you can add your own DNS suffixes if you like.

    The fact that you got the trust working probably means that DNS is fine, especially since dc1 and dc2 are in separate subnets.



    • #3
      Well, that's great to hear!

      I will try again, as I CAN ping the FQDN (dc.domain.local) from either box.

      Cheers for the info! Appreciate it.

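The forwarder setup asked about in the first post and the FQDN check in reply #2, as an added example from this editor, not code from the thread. It targets a current Windows Server DC with the DnsServer and DnsClient PowerShell modules (the Windows 2000/2003 DCs in the thread would do the same through the DNS MMC or dnscmd); the forest names domain.local / otherdomain.local and the address 10.0.2.10 are hypothetical. The point it makes that the thread does not: a DC added to the global forwarder list behind the ISP's servers is never consulted for the other forest, because the global list is tried in order and the ISP's "no such name" for otherdomain.local is an answer; a conditional forwarder scoped to the other forest's zone name is what the trust needs, and the check below resolves the DC locator SRV records the trust depends on rather than pinging a NetBIOS name.

```powershell
# Added example (editor's, not from the thread). Assumptions, all hypothetical:
#   - runs elevated on a current Windows Server DC with the DnsServer and DnsClient modules
#     (the 2000/2003 DCs in the thread would use the DNS MMC or dnscmd instead)
#   - our forest is domain.local; the other forest is otherdomain.local, with DNS on 10.0.2.10
Import-Module DnsServer
Import-Module DnsClient

# Scope forwarding to the other forest's namespace instead of adding its DC to the global
# forwarder list. The global list is tried in order and the first answer wins; a "no such
# name" from the ISP for otherdomain.local is an answer, so a DC listed after the ISP is
# never asked. A conditional forwarder applies only to queries under the named zone.
function Set-RemoteForestForwarder {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,
        [Parameter(Mandatory)][ipaddress[]]$RemoteDnsServers
    )
    $zone = Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue
    if ($zone -and $zone.ZoneType -ne 'Forwarder') {
        throw "A $($zone.ZoneType) zone named $RemoteForest already exists here; remove it before adding a forwarder."
    }
    if (-not $zone) {
        Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDnsServers
    }
    Get-DnsServerZone -Name $RemoteForest
}

# Check what the trust actually depends on: the DC locator SRV records under _msdcs of the
# other forest, and an A record for every DC those SRV records name. Returns an ordered
# hashtable of query -> answer so the caller sees exactly which lookup fails.
function Test-RemoteForestDns {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,
        [string]$DnsServer = '127.0.0.1'   # ask our own DNS server, the one the trust wizard will use
    )
    $results = [ordered]@{}
    foreach ($name in "_ldap._tcp.dc._msdcs.$RemoteForest", "_kerberos._tcp.dc._msdcs.$RemoteForest") {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV'
        if (-not $srv) { $results[$name] = 'UNRESOLVED'; continue }
        $results[$name] = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
            $a = Resolve-DnsName -Name $dc -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A'
            $results[$dc] = if ($a) { $a.IPAddress -join ', ' } else { 'UNRESOLVED' }
        }
    }
    $results
}

# Short names ("ping dc2") resolve over DNS only if the other forest's suffix is in the
# client's search list. This is the suffix tweak mentioned in the thread; it is per client,
# and it does nothing for the NetBIOS browser, which still needs WINS.
function Add-DnsSearchSuffix {
    param([Parameter(Mandatory)][string[]]$Suffix)
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    $new = $current + @($Suffix | Where-Object { $_ -notin $current })
    Set-DnsClientGlobalSetting -SuffixSearchList $new
    (Get-DnsClientGlobalSetting).SuffixSearchList
}

# Usage on dc1; run the mirror image on dc2 with the forest names and address swapped.
Set-RemoteForestForwarder -RemoteForest 'otherdomain.local' -RemoteDnsServers '10.0.2.10'
Test-RemoteForestDns -RemoteForest 'otherdomain.local' | Format-Table -AutoSize
Add-DnsSearchSuffix -Suffix 'otherdomain.local'
```

Run Test-RemoteForestDns before opening the trust wizard on each side: if any _msdcs SRV query or any DC's A record shows UNRESOLVED, the forwarder on that side is not reaching the other forest's DNS and the trust will be built on a name it cannot look up. The conditional forwarder also keeps internal otherdomain.local queries off the ISP's resolvers, which the global forwarder list in the original setup would have sent them to first.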


      • #4
        I managed to get my trust working between two forests, but the browser doesn't seem to work between forests when setting up ACLs or drive mappings (I have to use explicit UNCs). Is this by design, or am I missing something here?



        • #5
          Nope, this is by design. If you set up a common WINS environment you will have a working browser, and you will be able to connect using the hostname instead of the FQDN.



          • #6
            When you say "common WINS environment", do you mean each forest should have a WINS server with push/pull relationships between forests?
            Thx.



            • #7
              Originally posted by ozbie
              When you say "common WINS environment", do you mean each forest should have a WINS server with push/pull relationships between forests?
              Thx.
              That's one way to do it, yes. It has the advantage of redundancy.

              The thing to remember is that network browsing requires NetBIOS name resolution. That's what WINS does for you.



              • #8
                You can get away with tweaking the DNS suffix search list, but there is too much overhead involved in managing it.

                WINS is the preferred way to go in this case.
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"
