Change domain types from .local to .com

Status
Not open for further replies.

dandy34 (MIS)
Nov 11, 2005
Hello,
We have one domain living behind an existing firewall on a class c IP (192.168.xxx.xxx). I want to create a trust and be able to get to the machines I support.
I wasn't in on the configuration of this server but when I look at the domain names on my other two DCs I see that they are named domain.ourplace.com (Names changed to protect the innocent) but when I look at the one behind the firewall the name is domain.local.
Am I wasting my time trying sync up DNS and create trusts with it like this? Do I need to do a dcpromo? Any ideas would be helpful.
Thanks,
Sam
 
AD recognizes domain.local, as this is somewhat used when a user doesn't want the domain exposed with a .com, .net, .org

There shouldn't be any problems creating a trust at all as long as you have the proper access to both domains to create the trust.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
Thanks for the info. I've tried to create a trust but the domain outside the firewall can't see the other one and vice-versa. I've tried creating non-transitive trusts on both sides but can only make Realm trusts. That's not working.
I've added DNS host names on both sides and can actually RDP from both sides into servers and workstations.
So I guess the question is how do I create a trust between two domains that can't see each other but are part of the same organization? I'm fairly certain the problem lies in DNS and the class C IP addresses but am not sure how to address it.
Thanks,

Sam
 
A couple of things to try;
1. In the DNS server properties for each server add a root hint pointing to the other domain's DNS servers
2. If that doesn't work you will need to enable common NetBIOS ports (138, 139, 445) on your firewall since trusts are still NetBIOS based

Hope this helps.
 
Hmmm, I added the hints and the firewall is allowing the NetBIOS ports. When I try to create a trust, the wizard still can't see the other domain (from either side) and wants to make a realm trust. I'm feeling sort of dumb here, but can't the .local part of the domain name cause a problem?
 
This is not at all a domain problem. This is 100% a firewall/connectivity issue. If packets are being filtered or blocked between the 2 domains, it will not work. The trust is dependent on the right type of connectivity.
 
If I have the ability to RDP to machines and can ping them from this side of the firewall and have allowed the appropriate ports, what else do I need to allow?
 
The ports for RDP and ICMP have nothing to do with the communication needed for this to work. If I were to guess, I would say that ports 137-139 need to be opened (NetBIOS). I do not exactly know if that is all that is needed, but you need to be able to do DNS resolution/lookups for it to work. As a test, you may want to try setting up the firewall to forward all ports coming from your DC to the other DC. Just as a test, that should tell you how well it is working.
 
Dandy it has nothing to do with the domain. I have an internal management application that resides on a DC in a domain with a .local suffix which has a trust established with another domain in another forest. All I needed to do was to enable root hints (there is no firewall between these two domains they are on the same subnet). Hope this helps.
 
Firewall... open NetBIOS as above, but also add UDP 53 for outbound DNS requests and TCP 53 for inbound responses. I'm a little rusty on DNS. A.D. is pretty picky about DNS, kinda lives and dies on it.

Good Luck

-Zen
 
A thought: you may be having issues if both domains have the same NetBIOS name. During setting up a trust I noticed I couldn't trust our development and prod domains at the same time because one was called domain.dev and the other domain.local.
Windows trusts still rely on NetBIOS, therefore if the NetBIOS names (regardless of DNS suffix) are the same you may not be able to initiate the trust.
 
Still working on this. I've opened the firewall completely up, allowing all traffic both in and out. I threw security out the window a while ago and still can't get the DNS servers to see each other. Any other thoughts out there not involving sledge hammers?
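To separate a DNS problem from a port-filtering problem like the one this thread chases, here is an added PowerShell check (not posted by anyone in the thread): it asks the far-side DNS server for the DC locator SRV records the trust wizard depends on, then probes the TCP ports the thread lists (53, 139, 445) plus Kerberos, RPC and LDAP, which a trust also uses. The domain name and DNS server address are placeholders.

```powershell
# Added example, not from the thread. Replace the two placeholders with your own values.
$RemoteDomain = 'domain.local'   # placeholder: the far-side domain's AD DNS name
$RemoteDns    = '192.168.0.10'   # placeholder: a DNS server / DC on the far side

# 1. Resolve the far-side domain's DC locator records directly against its DNS server.
#    A trust needs these SRV records, not just the host A records you add by hand.
$srv = "_ldap._tcp.dc._msdcs.$RemoteDomain"
try {
    $dcs = Resolve-DnsName -Name $srv -Type SRV -Server $RemoteDns -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    Write-Host "DC locator records for $RemoteDomain (via $RemoteDns):"
    $dcs | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
} catch {
    Write-Warning "No SRV records for $srv via $RemoteDns : $($_.Exception.Message)"
    $dcs = @()
}

# 2. Probe the TCP ports a trust relies on against every DC found
#    (falling back to the DNS server itself if step 1 returned nothing).
$targets = if ($dcs) { $dcs.NameTarget } else { @($RemoteDns) }
$ports = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session'
    389 = 'LDAP'
    445 = 'SMB'
}
foreach ($t in $targets) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-30} {1,5} {2,-22} {3}' -f $t, $p, $ports[$p], $state
    }
}
# Test-NetConnection only speaks TCP: UDP 53 and the NetBIOS name/datagram ports
# 137/138 must be confirmed from the firewall rules or a packet capture instead.
```

If step 1 fails while the ports in step 2 show open, the two DNS servers are not resolving each other's zones and the trust wizard will keep offering only a realm trust.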
 