Creating a forest trust


This topic contains 42 replies, has 4 voices, and was last updated 2 years, 8 months ago.

    uk2us88
    Member
    #163569

    I am getting the error "The New Trust Wizard cannot continue because the specified domain cannot be contacted" when trying to create a forest trust between separate locations. These servers are in separate domains and locations connected via SonicWall site-to-site VPNs.

    I have created the secondary DNS zones and can ping and nslookup without problem.

    My understanding is that I need to add a SRV record:

    DNS Resource Records That Are Required for Secondary Zones

    There are two DNS resource records that must be registered properly on the DNS server that hosts the secondary copy of the trusted domain or forest:

    Service (SRV) resource record (_ldap._tcp.dc._msdcs.)
    Host (A) resource record

    These records must be in place and registered properly before you establish a domain or forest trust.

    Where exactly do I add this: at the root of the forward lookup zone or in the secondary zone?

    Any insight would be grateful~

    joeqwerty
    Moderator
    #304281

    Re: Creating a forest trust

    Instead of adding secondary zones in each domain for the opposing domain's DNS, why not just set up conditional forwarders in each domain for the opposing domain's DNS?

    -MH-
    Member
    #389875

    Re: Creating a forest trust

    Reading TechNet etc., it would seem that secondary is preferred?

    joeqwerty
    Moderator
    #304282

    Re: Creating a forest trust

    I don’t know that I’ve ever read that one is preferred over the other but I’ve always used conditional forwarders with good success.

    -MH-
    Member
    #389876

    Re: Creating a forest trust

    OK, created a conditional forwarder… do I have to do one on both domains?

    joeqwerty
    Moderator
    #304284

    Re: Creating a forest trust

    Yes. In each domain you need to set up a conditional forwarder for the other domain.

    -MH-
    Member
    #389877

    Re: Creating a forest trust

    Still having the same issue? Do I need to add a reverse lookup too?

    joeqwerty
    Moderator
    #304285

    Re: Creating a forest trust

    No. rDNS zones aren’t used in any way, shape or form in AD. Did you delete the secondary zones that you had created earlier? If not, do so. Then flush the DNS client cache and the DNS server cache on each DC/DNS server and try again.

    -MH-
    Member
    #389878

    Re: Creating a forest trust

    Done the above and still no dice… this shouldn’t be this hard!

    joeqwerty
    Moderator
    #304286

    Re: Creating a forest trust

    Yeah. I’ve created forest trusts many times using conditional forwarders and have never had issues. Possible VPN problem? Can you nslookup the appropriate SRV records for each domain from the opposing domain? Any VPN traffic rules that may be blocking traffic?

    -MH-
    Member
    #389879

    Re: Creating a forest trust

    joeqwerty;283047 wrote:
    Yeah. I’ve created forest trusts many times using conditional forwarders and have never had issues. Possible VPN problem? Can you nslookup the appropriate SRV records for each domain from the opposing domain? Any VPN traffic rules that may be blocking traffic?

    I couldn’t until I put the IP addresses in each hosts file. The sites are connected with a site-to-site VPN between two SonicWalls.

    joeqwerty
    Moderator
    #304287

    Re: Creating a forest trust

    What did you put in the hosts file and where? It sounds like the VPN may be part of the issue. Remove the entries you put in the hosts file and flush the DNS client cache on each server (ipconfig /flushdns).

    -MH-
    Member
    #389880

    Re: Creating a forest trust

    OK, removed entries. Completed the flush and still the same issue. Maybe I need to wait until the morning? It’s becoming frustrating…

    joeqwerty
    Moderator
    #304288

    Re: Creating a forest trust

    Taking a break sounds like a good idea. Fresh eyes in the morning might lead us to a solution.

    -MH-
    Member
    #389881

    Re: Creating a forest trust

    Still working on this and no luck. When I do an nslookup on the domain it can’t find it over the VPN. Are there any tweaks I could do to “trick” the servers into finding each other?

    joeqwerty
    Moderator
    #304289

    Re: Creating a forest trust

    It really sounds like a VPN or routing issue to me. Here’s what I’m guessing:

    1. The servers at each site don’t have a specific route to the opposing network and the traffic from one site to the other (and vice versa) is not transiting the VPN link. I don’t work with VPNs much, but if the traffic from one site to the other is going to a different default gateway or is not being routed properly by the VPN connection, then that would explain it.

    What happens if you run tracert from one DC to a DC in the other site? Does the traffic go through the VPN? If not then that’s the problem.

    Also, can you post the ip addressing info for one of the servers at each site and for both sides of the VPN? Can you also post the routing table from those servers?

    joeqwerty
    Moderator
    #304290

    Re: Creating a forest trust

    Also, can you post a screen shot of the conditional forwarders from each side?

    -MH-
    Member
    #389882

    Re: Creating a forest trust

    tracert gives one hop to the other domain:

    Tracing route to dc1.hills [192.168.1.2]
    over a maximum of 30 hops:

    1 33 ms 73 ms 42 ms dc1.hills [192.168.1.2]

    Trace complete.

    Same coming back the other way, just the naming is different and the IP is 192.168.2.2.

    They do go out on different gateways as they are on different subnets.

    DC1 goes through 192.168.1.1 Server 2008
    DC2 goes through 192.168.2.1 Server 2003

    -MH-
    Member
    #389883

    Re: Creating a forest trust

    Here’s the conditional forwarder on the 08 machine… about the same on the 03 machine.

    joeqwerty
    Moderator
    #304291

    Re: Creating a forest trust

    So you did a tracert for the host name in the other domain and it resolved. So DNS is working?

    Since the tracert resolves in 1 hop I’m assuming that the VPN is acting as a bridge?

    192.168.1.1 and 192.168.2.1 are the ip addresses of the VPN endpoints on the firewall?

    -MH-
    Member
    #389884

    Re: Creating a forest trust

    Correct…

    They go through SonicWalls and the VPN is set up in there.

    joeqwerty
    Moderator
    #304292

    Re: Creating a forest trust

    So from one DC if you nslookup the FQDN of the other domain does it work or no? Can you post the nslookup output?

    -MH-
    Member
    #389885

    Re: Creating a forest trust

    Here you go.

    joeqwerty
    Moderator
    #304293

    Re: Creating a forest trust

    OK, so nslookup is working. So that means that DNS is working. Does the trust setup still fail?

    -MH-
    Member
    #389886

    Re: Creating a forest trust

    Yes… see attached.

    joeqwerty
    Moderator
    #304294

    Re: Creating a forest trust

    OK, Duh moment for me. Are you using the FQDN or the NetBIOS name of the domain when setting up the trust?

    -MH-
    Member
    #389887

    Re: Creating a forest trust

    The FQDN “servername.local”, then the domain name on the 2nd screen.

    joeqwerty
    Moderator
    #304295

    Re: Creating a forest trust

    I don’t understand. I’m running through this in a lab and there’s only one field that needs input, the Name: field. What are you putting there? Can you post screen shots of the wizard?

    -MH-
    Member
    #389888

    Re: Creating a forest trust

    New Trust Wizard –> Trust name (the FQDN of the server is what I use) –> trust type: I select trust with Windows domain… this is where it errors.

    joeqwerty
    Moderator
    #304296

    Re: Creating a forest trust

    OK, so you’re saying that in the Name: field you’re putting the name of the server? If so, that’s the problem. You need to put the name of the domain (domain.local or whatever). The conditional forwarders allow the Trust wizard to find the servers for the domain.
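The checks joeqwerty walks through in this thread (a conditional forwarder on each side instead of a secondary zone, flushing the caches, looking up the opposing domain's SRV and A records, and giving the wizard the domain name rather than a server name) collected into one script, as an added example that is not from the thread. It assumes Windows Server 2012 or later DNS cmdlets and the forest names forestA.local / forestB.local; the 192.168.1.2 and 192.168.2.2 addresses are the ones from the tracert above, reused as assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a DC that is
# also the DNS server for the local forest, then repeat on the other side with the
# two values swapped. Assumed names and addresses:
#   local forest  forestA.local  (DC/DNS 192.168.1.2)
#   remote forest forestB.local  (DC/DNS 192.168.2.2)
# Needs the DnsServer and DnsClient modules (Windows Server 2012 or later); the
# dnscmd / nslookup / ipconfig equivalents for 2003/2008 are given in comments.

$RemoteDomain = 'forestB.local'   # DNS name of the DOMAIN: what the wizard's Name field wants
$RemoteDns    = '192.168.2.2'     # a DNS server that is authoritative for that domain

# 1. Conditional forwarder for the remote domain, in place of a secondary zone.
#    (2003/2008: dnscmd /ZoneAdd forestB.local /Forwarder 192.168.2.2)
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
        -MasterServers $RemoteDns -ReplicationScope 'Forest'
}

# 2. Flush the server and client caches so answers left over from the old
#    secondary zone or from hosts-file entries do not mask the real state.
#    (2003/2008: dnscmd /ClearCache ; ipconfig /flushdns)
Clear-DnsServerCache -Force
Clear-DnsClientCache

# 3. The two records the trust needs: the DC locator SRV record for the remote
#    domain, and an A record for every DC that record names.
#    (2003/2008: nslookup -type=SRV _ldap._tcp.dc._msdcs.forestB.local)
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV records for $RemoteDomain: check the forwarder and the VPN path" }
foreach ($rec in $srv) {
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }
    '{0}:{1} -> {2}' -f $rec.NameTarget, $rec.Port, ($a.IPAddress -join ', ')
}

# 4. Ask the DC locator the same question the New Trust Wizard asks. If DNS
#    resolved in step 3 but this fails, the VPN is not passing the LDAP/Kerberos/RPC
#    traffic the trust needs, which is what the thread suspects.
nltest /dsgetdc:$RemoteDomain
```

If step 3 prints the remote DCs and step 4 returns one, the wizard should succeed with forestB.local in its Name field; a server name there fails exactly as described above because no SRV record exists for it.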
