Trust issue

  • Trust issue

    I have a two-way external trust setup between two Windows 2003 domains (let's say domain A and domain B). Resource access and group assignments work fine. The problem is that I can only validate the trust from my PDC on domain A and from the PDC on domain B. If I try to validate the trust from another DC on domain A (domain B currently has just one DC) I get the error "Windows cannot find the domain controller for domain B..." DNS is set up correctly and I can ping and get to the domain B DC shares from the domain A DC. So why the error? The reason I ask is I suspect that my Password Migration isn't working because of this (I use the secondary DC in domain A as the PES Server).

    Any ideas? Thanks in advance.

  • #2
    Re: Trust issue

    Trust validation is done by the PDC emulator (validating trust relationships is also one of the PDCE's roles).

    The most likely reason validation fails on the other domain controllers is that the domain controller that fails the trust validation does not have a zone copy (secondary zone) of the other domain's DNS zone, or a conditional forwarder for that zone pointing to the other domain's DNS server.

    Assuming your DNS servers are AD integrated:
    Create an AD-integrated conditional forwarder on the “DomainA.com” DNS to forward any DNS queries for the “DomainB.com” domain to DomainB's DNS server. This can be done by running the following command on one of the “DomainA.com” DNS servers: DnsCmd DEVDCServer /ZoneAdd DomainB.com /DsForwarder xx.xx.xx.xx (IP address of DomainB's DNS server).
    That would create a conditional forwarder for DomainB.com on all your DNS servers in DomainA.
    The same can be done on DomainB for validating the trust from any DC to DomainA (just run the command the other way around).
    Last edited by Akila; 13th October 2008, 21:26.

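
As an added illustration (not part of the original thread, and not the poster's or Microsoft's script), the following PowerShell wrapper runs the checks that pin down the error above and then applies the dnscmd fix from the reply, on both sides of the trust. Every name and address in it is an assumption: DomainA.com and DomainB.com, DCA2 as the DomainA DC on which "Validate" fails, DCB1 as the only DomainB DC, and the two IP addresses. Each line is a command that exists on Windows Server 2003 (nslookup and dnscmd built in, nltest and netdom from the Support Tools), so the individual lines can also be typed into cmd.exe. Steps 1 and 2 are the ones that matter for the symptom: the validate wizard on a non-PDCE DC first locates a DC for the partner domain through DNS SRV records, and "Windows cannot find the domain controller for ..." is that locator call failing on that particular DC.

```powershell
# Added example, not from the original thread. All names and addresses below are assumptions;
# replace them with your own values. Only tools that exist on Windows Server 2003 are called
# (nslookup, dnscmd, and nltest/netdom from the Support Tools).

$DomainA    = 'DomainA.com'
$DomainB    = 'DomainB.com'
$FailingDC  = 'DCA2'        # DomainA DC on which "Validate" fails (assumed name)
$DomainBDC  = 'DCB1'        # the only DC in DomainB (assumed name)
$DomainADns = '10.0.1.10'   # a DomainA DNS server (assumed address)
$DomainBDns = '10.0.2.10'   # DomainB's DNS server / DC (assumed address)

# 1. Can the failing DC locate a DC for DomainB at all? The validate wizard calls the DC
#    locator, and "Windows cannot find the domain controller for ..." is that call failing.
nltest "/server:$FailingDC" "/dsgetdc:$DomainB" /force

# 2. The locator starts with this SRV record. Ask the failing DC's own DNS service for it,
#    because that is the server this DC queries, not the one the PDCE uses.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainB" $FailingDC

# 3. What does the failing DC host for DomainB.com: a secondary zone, a forwarder, or nothing?
dnscmd $FailingDC /EnumZones
dnscmd $FailingDC /ZoneInfo $DomainB

# 4. The fix from the reply: an AD-integrated conditional forwarder. It replicates to every
#    DNS server in DomainA, so it is run once. A forwarder cannot coexist with a secondary
#    zone of the same name on the same server; delete the secondary first if one is present.
# dnscmd $FailingDC /ZoneDelete $DomainB /f
dnscmd $FailingDC /ZoneAdd $DomainB /DsForwarder $DomainBDns

#    Mirror image on DomainB, so its DC can validate the trust towards DomainA.
dnscmd $DomainBDC /ZoneAdd $DomainA /DsForwarder $DomainADns

# 5. Re-check from the DC that used to fail: the secure channel to DomainB, then the trust.
nltest "/server:$FailingDC" "/sc_verify:$DomainB"
netdom trust $DomainA "/domain:$DomainB" /verify /twoway
```

If step 2 fails while the secondary zone in step 3 is present, the secondary copy is not answering for the _msdcs subdomain on that server, which is exactly the case the conditional forwarder handles; if step 1 succeeds but step 5 still fails, DNS is not the problem and the trust itself (or the credentials used to validate it) needs a look.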

    • #3
      Re: Trust issue

      "The most likely reason validation fails on the other domain controllers is that the domain controller that fails the trust validation does not have a zone copy (secondary zone) of the other domain's DNS zone, or a conditional forwarder for that zone pointing to the other domain's DNS server."

      Actually, all my domainA DC's are also DNS servers and they all have a secondary zone setup for DomainB.


      • #4
        Re: Trust issue

        I see. So are there any firewalls in between that block some DC traffic between the domains?
        For example, a DOMAIN-A DC can't fully reach the PDCE on DOMAIN-B, and vice versa.


        • #5
          Re: Trust issue

          No, no firewalls. I can get to domainB PDC and ping it just fine.
