Trust Between Domains In Forest


This topic contains 6 replies, has 2 voices, and was last updated by Robert R. 8 years, 12 months ago.

    Robert R.
    Participant
    #153911

    Environment:

    New Active Directory forest

    empty root domain: x.tld (functional level: Windows 2008)
    domain: prod.x.tld (functional level: Windows 2008)
    domain: office.x.tld (functional level: Windows 2003, because we’re going to import existing Windows 2003 domain controllers from our current Active Directory, ad.xsys.tld)

    All domain controllers in the new forest are Windows 2008 R2.

    User accounts reside in office.x.tld

    A two-way transitive trust exists between prod.x.tld and office.x.tld

    I can configure the domain controllers in prod.x.tld to accept office.x.tld credentials for Remote Desktop.

    But when I try to configure member servers in prod.x.tld to accept office.x.tld credentials for Remote Desktop login, I get the following:

    Name Not Found
    An object name “robertr” cannot be found. Check the selected object types and location for accuracy and ensure that you typed the object name correctly, or remove this object from the selection.

    What else should I be looking at?

    UPDATED TO ADD: From the console of memberserver.prod.x.tld, I can log in with my office.x.tld credentials. I just can’t add office.x.tld users to Remote Desktop Users on memberserver.prod.x.tld. This makes me suspect it’s more of a Remote Desktop/GPO issue than a Trust issue.

    v-2nas
    Member
    #338508

    Re: Trust Between Domains In Forest

    Try this: create an (AD) domain local security group and make it a member of the Remote Desktop Users group (local member server).

    Now add users from office.x.tld to the domain local security group (prod.x.tld).

    Robert R.
    Participant
    #353176

    Re: Trust Between Domains In Forest

    v-2nas,

    Thanks. That worked.

    The issue I’m having now is when I log in to a PROD member server using OFFICE credentials, it takes about 10+ minutes:

    ~ 2 minutes at the “Welcome” screen
    ~ 2 minutes at the “Please wait for the User Profile Service” screen
    ~ 7 minutes at the “Applying user settings” screen

    At first I thought this might be related to creating the user profile for the first time, but it happens when I use the same credentials over and over.

    This is not an issue when logging in as [email protected] — that only takes a few seconds.

    Currently, the x.tld, office.x.tld, and prod.x.tld domain controllers are all in the same physical location (they’re VMware virtual machines on the same hardware).

    v-2nas
    Member
    #338509

    Re: Trust Between Domains In Forest

    Hi,

    Do you have a GPO setting enabled to wait for the network to become ready before logon?

    Try disabling that; otherwise we need to narrow down which GPO is causing the issue, whether clients are picking an out-of-site DC, or whether DNS needs to be tweaked.

    Robert R.
    Participant
    #353177

    Re: Trust Between Domains In Forest

    “DNS needs to be tweaked”

    One of the network administrators came to me today saying that DNS lookups, while resolving, were taking an unusually long time — although he didn’t quantify it for me.

    What tools do you recommend for troubleshooting Windows DNS performance issues? For many years, DNS has been administered by our Unix admins, so using Windows DNS is something that’s relatively new for our organization.

    Thanks.

    v-2nas
    Member
    #338510

    Re: Trust Between Domains In Forest

    Hi,

    Basically, some understanding of how DNS works, nslookup, and its output; then you need to check how you have your DNS set up and how it is resolving: using forwarders, stub zones, conditional forwarders, root hints.

    I am a Windows guy, so I'm not sure how Unix is doing it. You can probably check with a Unix consultant and ask them to take a look into it.

    Advanced troubleshooting would be taking a DNS trace and checking the queries to see why it’s taking so long to respond.

    Robert R.
    Participant
    #353178

    Re: Trust Between Domains In Forest

    Long story short (leaving out a lot of details):

    Rather than using forwarders, I set up the DNS zones to replicate across the entire forest, instead of replicating just within their domains and then relying on forwarders to resolve between domains.

    It seemed to have worked.

    Since DNS is something that was handled by the Unix group for many years, moving to Windows-based DNS servers and having to take on this responsibility has definitely been a learning experience.
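
Added example (not part of the thread): one way to quantify the slow cross-domain lookups discussed above is to time the DC-locator SRV query for each domain in the forest against each domain's DNS server. The domain names come from the thread; the server addresses and the 500 ms threshold are assumptions, and `Resolve-DnsName` requires Windows 8 / Server 2012 or later, so run this from a newer admin workstation rather than the 2008 R2 DCs.

```powershell
# Time DC-locator SRV lookups for every domain against every DNS server.
# Lookups a server answers from a locally held zone should return in a few
# milliseconds; ones it has to forward to another domain's DNS may be slow or fail.

# Domains from the thread. The IP addresses are constructed placeholders
# (TEST-NET-1); replace them with the DNS servers of each domain.
$domains    = 'x.tld', 'prod.x.tld', 'office.x.tld'
$dnsServers = @{
    'x.tld'        = '192.0.2.10'
    'prod.x.tld'   = '192.0.2.20'
    'office.x.tld' = '192.0.2.30'
}
$slowMs = 500   # assumed threshold for flagging a lookup as slow

$results = foreach ($serverDomain in $dnsServers.Keys) {
    $server = $dnsServers[$serverDomain]
    foreach ($domain in $domains) {
        # Record that domain members query to locate a domain controller
        $name = "_ldap._tcp.dc._msdcs.$domain"
        $sw   = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $answer = Resolve-DnsName -Name $name -Type SRV -Server $server `
                                      -DnsOnly -ErrorAction Stop
            $srv    = @($answer | Where-Object { $_.Type -eq 'SRV' })
            $status = '{0} SRV record(s)' -f $srv.Count
        } catch {
            # Timeouts and NXDOMAIN land here; the elapsed time is still recorded
            $status = "FAILED: $($_.Exception.Message)"
        }
        $sw.Stop()
        [pscustomobject]@{
            AskedServer = "$serverDomain ($server)"
            Query       = $name
            Millis      = $sw.ElapsedMilliseconds
            Slow        = $sw.ElapsedMilliseconds -gt $slowMs
            Result      = $status
        }
    }
}

# Slowest lookups first; rows where the asked server's domain differs from
# the queried domain are the cross-domain paths
$results | Sort-Object Millis -Descending | Format-Table -AutoSize
```

Run it more than once: a server that has already answered a forwarded query may serve the repeat from its cache, so the first pass is the one that reflects the forwarding delay.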
