Multiple domains in a forest

  • Multiple domains in a forest

    I'm looking at a Win2003 Forest with multiple domains. We have a parent company, "V" with multiple sister companies, "SDW", "PGRP", "PGL" & "KSW" just to name a few.

    Each has its own domain with at least one domain controller. The individual companies are pretty much separate except for the fact that all the main servers, like the Forest PDC, ISA (for internet proxy) and Exchange are located in domain "V" and are used by all other domains as well.

    I've found that there are no inter-domain trusts. All the domains have one subnet in Sites & Services which is the local subnet for the respective domain.

    Is this the correct setup for a multi-domain forest? I can't see how ISA could possibly authenticate outer-domain users for internet access.

    They tell me that they have users who roam b/w domains and they had to create the user in his home domain and the "V" domain so that the users can log in no matter which domain they are in and still be able to access their email on the mail server in domain "V". Without inter-domain trusts, will this work? They tell me that the user's emails are different depending on which domain they log into, but I can't see how, as their email server is in ONE domain. However, users in the "PGRP" domain have their own email server located in the "PGRP" domain which syncs with the Exchange server in the "V" domain. How would we set up a roaming user who is normally located in the "PGRP" domain?

    The guys at company "V" are setting up Exacta (Microsoft Dynamics) which runs on SQL Server and stores its workspace on AOS servers which will be located in "V". This will work fine for the users located in "V". The users in the other domains will be using Citrix (Citrix server located in domain "V") to access the Exacta application. Will I need to set up a trust between domains for the outer domains to be able to contact the Citrix server?

    With regards to the roaming users, should I migrate them from their home domain into domain "V" but not delete their account in the home domain? I need a way for these users to be able to log in at any domain but still have access to their home drives, login scripts, applied GPOs, etc.
    Last edited by JDMils; 26th June 2007, 13:36.
    -- JDMils
    Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: Multiple domains in a forest

    If all the domains are part of the same forest then there's a trust path between all the domains.

    http://technet2.microsoft.com/window....mspx?mfr=true
    It is not possible to revoke the default two-way, transitive trusts between domains in a forest. Explicitly created shortcut trusts can be deleted.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    • #3
      Re: Multiple domains in a forest

      Sorry, you're right...trusts exist b/w all domains. Helps if you're looking in the right place!

      Q. I tried to ping the server "playsrv" which exists in the "p.local" domain, from the "V" domain, and I get:
      C:\>ping playsrv

      Pinging playsrv.v.com.au [192.168.17.40] with 32 bytes of data:

      Reply from 192.168.17.40: bytes=32 time=17ms TTL=126
      Reply from 192.168.17.40: bytes=32 time=15ms TTL=126
      Reply from 192.168.17.40: bytes=32 time=17ms TTL=126
      Reply from 192.168.17.40: bytes=32 time=16ms TTL=126

      Ping statistics for 192.168.17.40:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
      Minimum = 15ms, Maximum = 17ms, Average = 16ms
      I was expecting to get "Pinging playsrv.p.local [192.168.17.40] with 32 bytes of data:". The IP is correct. Why does it do this?
      -- JDMils

      • #4
        Re: Multiple domains in a forest

        When your computer sends DNS request and only a hostname is specified, it appends a DNS suffix to the request to make it an FQDN.

        Check the DNS suffixes on your machine. Run ipconfig/all
        Code:
        Windows IP Configuration
        
                Host Name . . . . . . . . . . . . : j-3a978101881c4
                Primary Dns Suffix  . . . . . . . :
                Node Type . . . . . . . . . . . . : Hybrid
                IP Routing Enabled. . . . . . . . : No
                WINS Proxy Enabled. . . . . . . . : No
                DNS Suffix Search List. . . . . . : test.com
        
        Ethernet adapter Local Area Connection:
        
                Media State . . . . . . . . . . . : Media disconnected
                Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
                Physical Address. . . . . . . . . : 00-15-C5-16-8E-9C
        
        Ethernet adapter Wireless Network Connection:
        
                Connection-specific DNS Suffix  . : test.com
                Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
                Physical Address. . . . . . . . . : 00-16-CE-6C-73-DC
                Dhcp Enabled. . . . . . . . . . . : Yes
                Autoconfiguration Enabled . . . . : Yes
                IP Address. . . . . . . . . . . . : 172.18.21.223
                Subnet Mask . . . . . . . . . . . : 255.255.255.0
                Default Gateway . . . . . . . . . : 172.18.21.65
                DHCP Server . . . . . . . . . . . : 172.18.21.65
                DNS Servers . . . . . . . . . . . : 172.18.21.66
        Regards,
        Jeremy


        • #5
          Re: Multiple domains in a forest

          Here's what I've got:
          C:\>ipconfig /all

          Windows IP Configuration

          Host Name . . . . . . . . . . . . : fileserver
          Primary Dns Suffix . . . . . . . : v.com.au
          Node Type . . . . . . . . . . . . : Hybrid
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No
          DNS Suffix Search List. . . . . . : v.com.au
          p2.com.au
          p.local
          s1.com.au
          s2.com.au
          ac.com.au

          Ethernet adapter Local Area Connection:

          Connection-specific DNS Suffix . : v.com.au
          Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection
          Physical Address. . . . . . . . . : 00-09-6B-F1-3A-7A
          DHCP Enabled. . . . . . . . . . . : No
          IP Address. . . . . . . . . . . . : 193.1.1.106
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 193.1.1.110
          DNS Servers . . . . . . . . . . . : 193.1.1.106
          193.1.1.101
          Primary WINS Server . . . . . . . : 193.1.1.106
          Secondary WINS Server . . . . . . : 193.1.1.101

          C:\>ping playsrv

          Pinging playsrv.v.com.au [192.168.17.40] with 32 bytes of data:

          Reply from 192.168.17.40: bytes=32 time=17ms TTL=126
          Reply from 192.168.17.40: bytes=32 time=30ms TTL=126
          Reply from 192.168.17.40: bytes=32 time=23ms TTL=126
          Reply from 192.168.17.40: bytes=32 time=18ms TTL=126

          Ping statistics for 192.168.17.40:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
          Approximate round trip times in milli-seconds:
          Minimum = 17ms, Maximum = 30ms, Average = 22ms

          C:\>
          I would have thought that since I have all the domain suffixes in the Search List that the correct domain suffix would be returned.

          You are correct that if I ping the FQDN of the workstation it returns the correct DNS Suffix. Should I be worried about this situation?

          What if there are two workstations in separate domains with the same name? I'd possibly be getting the wrong workstation unless I use the FQDN, true?

          Here's something I just found which puzzles me. There are two DCs in the p.local domain, "Server4" & "PlaySrv2". Here's what happens when I ping both from a DC in the "V" domain:
          C:\>ping server4

          Pinging server4.p.local [192.168.17.9] with 32 bytes of data:

          Reply from 192.168.17.9: bytes=32 time=22ms TTL=126
          Reply from 192.168.17.9: bytes=32 time=16ms TTL=126
          Reply from 192.168.17.9: bytes=32 time=17ms TTL=126
          Reply from 192.168.17.9: bytes=32 time=20ms TTL=126

          Ping statistics for 192.168.17.9:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
          Approximate round trip times in milli-seconds:
          Minimum = 16ms, Maximum = 22ms, Average = 18ms



          C:\>ping playsrv2

          Pinging playsrv2.v.com.au [192.168.17.2] with 32 bytes of data:

          Reply from 192.168.17.2: bytes=32 time=15ms TTL=126
          Reply from 192.168.17.2: bytes=32 time=27ms TTL=126
          Reply from 192.168.17.2: bytes=32 time=15ms TTL=126
          Reply from 192.168.17.2: bytes=32 time=15ms TTL=126

          Ping statistics for 192.168.17.2:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
          Approximate round trip times in milli-seconds:
          Minimum = 15ms, Maximum = 27ms, Average = 18ms

          C:\>
          Notice that Server4 returns with its correct DNS suffix but PlaySrv2 returns with the local server's (where I'm running the ping from) DNS suffix. What's going on?
          Last edited by JDMils; 28th June 2007, 04:42.
          -- JDMils

          • #6
            Re: Multiple domains in a forest

            It will use the suffix at the top and work its way down until it finds a match or exhausts the suffix list.
            The reason you get playsrv2.v.com.au is because it's an actual record in DNS. ( you can use nslookup to verify)

            The reason you get server4.p.local is because there's no record for v.com.au or p2.com.au with the host name of server4 but there is one in the p.local zone.

            Does that make sense?

            Originally posted by JDMils
            What if there are two workstations in separate domains with the same name? I'd possibly be getting the wrong workstation unless I use the FQDN, true?
            Yes... but often the DNS suffixes are handed out by the DHCP server so there is some control over what server you'll go for based on location. You can also specify DNS suffixes through Group Policy.

            So there's lots of options out there.
            Regards,
            Jeremy


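            To make the suffix-walk explanation above concrete, here is an added Python simulation (not code from the thread, and not the real Windows resolver) of the search list that ipconfig /all showed in post #5. The zone contents are constructed; the playsrv2 record in v.com.au is an assumed stale duplicate that would produce exactly the output JDMils saw, and the HOSTS-file branch models the possibility raised later in the thread. It also reports every suffix that answers for a short name, which is the check to run when the same hostname may exist in two domains.

```python
"""Simulate how a Windows resolver expands a single-label hostname.

Added example, not code from the thread: a simplified model of the
search-list walk, not the real Windows resolver. The zone contents are
constructed; the playsrv2 record in v.com.au is an assumed stale entry.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: zone -> {hostname: IPv4}.
ZONES: Dict[str, Dict[str, str]] = {
    "v.com.au": {"fileserver": "193.1.1.106", "ntserver": "193.1.1.101",
                 "playsrv2": "192.168.17.2"},   # assumed stale duplicate
    "p2.com.au": {},
    "p.local": {"server4": "192.168.17.9", "playsrv2": "192.168.17.2",
                "playsrv": "192.168.17.40"},
    "s1.com.au": {}, "s2.com.au": {}, "ac.com.au": {},
}

# Search list in the order ipconfig /all showed it in the thread.
SEARCH_LIST: List[str] = ["v.com.au", "p2.com.au", "p.local",
                          "s1.com.au", "s2.com.au", "ac.com.au"]

def lookup_a(fqdn: str) -> Optional[str]:
    """Return the A record for an FQDN, or None. Longest matching zone wins."""
    for zone in sorted(ZONES, key=len, reverse=True):
        if fqdn.endswith("." + zone):
            return ZONES[zone].get(fqdn[: -len(zone) - 1])
    return None

def resolve(name: str, search_list: List[str] = SEARCH_LIST,
            hosts: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], Optional[str]]:
    """Mimic the client: HOSTS file first, then append each suffix in order
    and stop at the first name that has a record. Returns (fqdn, address)."""
    hosts = hosts or {}
    if name in hosts:          # a forgotten HOSTS entry never reaches DNS
        return name, hosts[name]
    if "." in name:            # already qualified: query it as given
        return name, lookup_a(name)
    for suffix in search_list:
        fqdn = f"{name}.{suffix}"
        addr = lookup_a(fqdn)
        if addr is not None:
            return fqdn, addr
    return None, None

def shadowed(name: str, search_list: List[str] = SEARCH_LIST) -> List[str]:
    """Every suffix that answers for a short name. More than one entry means
    the earliest suffix silently shadows the rest, as with playsrv2 above."""
    return [s for s in search_list if lookup_a(f"{name}.{s}") is not None]

if __name__ == "__main__":
    for host in ("server4", "playsrv2"):
        print(host, "->", resolve(host), "answered by", shadowed(host))
```

            Against a real forest the same check is `nslookup <host>.<suffix>` for each suffix in the list; any short name that answers under more than one suffix is one a stale or rogue record could redirect.
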
            • #7
              Re: Multiple domains in a forest

              Originally posted by JeremyW
              The reason you get server4.p.local is because there's no record for v.com.au or p2.com.au with the host name of server4 but there is one in the p.local zone.

              Does that make sense?
              Sorry, no. I checked the DNS server in the V domain DNS\Fileserver\Forward Lookup Zone\v.com.au, and there is no listing for PlaySrv2. NSLookup shows it with the v.com.au suffix tho. I can see it in the DNS\Fileserver\Forward Lookup Zone\p.local zone, tho.
              -- JDMils

              • #8
                Re: Multiple domains in a forest

                Originally posted by JDMils
                Sorry, no. I checked the DNS server in the V domain DNS\Fileserver\Forward Lookup Zone\v.com.au, and there is no listing for PlaySrv2. NSLookup shows it with the v.com.au suffix tho. I can see it in the DNS\Fileserver\Forward Lookup Zone\p.local zone, tho.
                If you queried with nslookup and got a response then that means there's a record on a DNS server somewhere.

                To find out what server has the record you can try the following in nslookup

                Code:
                >set type=soa
                >playsrv2.v.com.au
                
                or
                
                >set type=ns
                >playsrv2.v.com.au
                That should help in tracking down the responsible server(s)
                Regards,
                Jeremy


                • #9
                  Re: Multiple domains in a forest

                  I'm having a problem. I tried to tracert a server in the v.com.au domain called NTServer from the p.com.au domain; here's what I see:
                  C:\>tracert ntserver

                  Tracing route to ntserver.p.com.au [193.1.1.101]
                  over a maximum of 30 hops:

                  1 <1 ms <1 ms <1 ms 192.168.10.5
                  2 10 ms 9 ms 9 ms 192.168.4.1
                  3 10 ms 9 ms 9 ms ntserver.v.com.au [193.1.1.101]

                  Trace complete.

                  C:\>
                  I then tried your suggestion, and get this:
                  C:\>nslookup
                  Default Server: fileserver.v.com.au
                  Address: 193.1.1.106

                  > set type=ns
                  > ntserver
                  Server: fileserver.v.com.au
                  Address: 193.1.1.106

                  p.com.au
                  primary name server = fileserver.v.com.au
                  responsible mail addr = hostmaster.p.com.au
                  serial = 2346
                  refresh = 900 (15 mins)
                  retry = 600 (10 mins)
                  expire = 86400 (1 day)
                  default TTL = 900 (15 mins)
                  >
                  I looked in the DNS Server on the DC for p.com.au and could only find NTServer in:
                  DNS
                  --Playcorp1
                  ----Forward Lookup Zones
                  ------v.com.au
                  --------ntserver Host(A) 193.1.1.101

                  I thus do not understand why, when I ping ntserver, I get ntserver.p.com.au?
                  -- JDMils

                  • #10
                    Re: Multiple domains in a forest

                    It does seem strange... hmm.

                    Is there an entry for ntserver in the p.com.au domain?

                    You can test that by using nslookup as well. Just punching the FQDN:
                    Code:
                    > ntserver.p.com.au
                    EDIT - you can ignore what I said above. I just reread your post. TBH, I don't know why it's resolving when seemingly there's no resource record for it.
                    Last edited by JeremyW; 6th July 2007, 19:44.
                    Regards,
                    Jeremy


                    • #11
                      Re: Multiple domains in a forest

                      I wonder if there is an old HOSTS entry that has been forgotten?
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2

                      • #12
                        Re: Multiple domains in a forest

                        Thanks Chris,

                        I checked both the hosts & lmhosts.sam files but there is nothing to mention in these. Oh well, I might just drop this one into the 2-hard basket.
                        -- JDMils

                        • #13
                          Re: Multiple domains in a forest

                          LMHOSTS.SAM is simply an example file used to show you how to build a proper one. If there is no "LMHOSTS" file without an extension, then Windows is not using one.


                          Tom
                          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                          Anything you say will be misquoted and used against you
