Create a Trust Between Two Forests / Domains (2003)

Status
Not open for further replies.

Caddey

IS-IT--Management
Sep 27, 2006
12
GB
Hi peeps, we have got two domains: one is called companyname.uk and the other is called companyname.usa.

The problem is that when the domains were set up, the system automatically called both domains OFFICEBROKER (pre-Windows 2000), and it seems this is stopping us from creating a trust between them.

All the error says is "A trust cannot be create on this domain"

Both domains are currently at 2003 compatibility and we have done every test known, and this is the only thing that we think it could be.

Anyone got any suggestions on how to sort this?

Maybe we could trick the systems into thinking the NetBIOS names of the two domains are different.

For example:

Could we add a record in the DNS at both sides? Say we add OFFICEBROKERUK somewhere in the DNS on the USA side and add OFFICEBROKERUSA to the DNS on the UK side. Is it possible to force a resolution of a NetBIOS name this way?

I know putting it in the DNS probably won't work because NetBIOS does not use DNS to resolve its names, but there must be a way we can trick it into thinking OFFICEBROKERUK and OFFICEBROKERUSA exist and give it an address?
 
Are you setting up the trust by FQDN or by NetBIOS name? You may want to try FQDN if you are not at this point.

Try setting a conditional forwarder on each end specifically for the other domain and give it a shot.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
Thanks mate, yeah I'm using an FQDN link.

It works all the way until the last step, so it's nearly working.

Not sure if adding a conditional forwarder to the DNS would help matters; maybe it's something else that's stopping the trust from being formed.

When you use the wizard it gets all the way to the end, after asking for authentication on both ends, what sort of trust, and how the trust is set up.

At the final stage it just says

A Trust cannot be formed on the current domain.

Quite strange, I think.
 

There is a part in here saying:

Active Directory Domains and Trusts will detect a name suffix conflict when:

• The same Domain Name System (DNS) name is already in use.

• The same NetBIOS name is already in use.

• A domain security ID (SID) conflicts with another name suffix SID.

This link may be helpful in disabling NetBIOS for the trust. Give it a shot.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003
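As an added example (not from this thread, and not Tek-Tips', Microsoft's or the poster's code): a PowerShell pre-flight that checks the three name-suffix conflict conditions listed above and then adds the conditional forwarder suggested earlier in the thread, so a DNS, NetBIOS or SID collision is reported before the wizard refuses the trust. It assumes the RSAT ActiveDirectory and DnsServer modules (Windows Server 2012 or later; on 2003 the equivalents are netdom and dnscmd), and the remote domain controller name, forwarder address and credentials are placeholders.

```powershell
# Added example, not from the thread. Pre-flight for a forest/domain trust:
# report the three name-suffix conflicts AD Domains and Trusts rejects, then
# add a conditional forwarder so the remote domain resolves by FQDN.
# Assumes RSAT ActiveDirectory + DnsServer modules; names/IPs are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$local      = 'companyname.uk'        # domain the check runs from
$remote     = 'companyname.usa'       # domain you want to trust
$remoteDc   = 'dc1.companyname.usa'   # placeholder: any DC in the remote domain
$remoteDns  = '192.0.2.10'            # placeholder: DNS server for the remote domain
$remoteCred = Get-Credential -Message "Admin credentials for $remote"

# Collect the three identities a trust is keyed on: DNS name, NetBIOS name, domain SID.
function Get-TrustIdentity {
    param([string]$Server, [pscredential]$Credential)
    $params = @{ Server = $Server }
    if ($Credential) { $params.Credential = $Credential }
    $d = Get-ADDomain @params
    [pscustomobject]@{
        DnsRoot     = $d.DNSRoot
        NetBIOSName = $d.NetBIOSName
        DomainSID   = $d.DomainSID.Value
    }
}

$a = Get-TrustIdentity -Server $local
$b = Get-TrustIdentity -Server $remoteDc -Credential $remoteCred

# Mirror the conflict conditions quoted above; any one of them blocks the trust.
$problems = @()
if ($a.DnsRoot -ieq $b.DnsRoot)         { $problems += "DNS name '$($a.DnsRoot)' is in use on both sides" }
if ($a.NetBIOSName -ieq $b.NetBIOSName) { $problems += "NetBIOS name '$($a.NetBIOSName)' is in use on both sides (the OFFICEBROKER case)" }
if ($a.DomainSID -eq $b.DomainSID)      { $problems += "Domain SID $($a.DomainSID) is identical on both sides" }

if ($problems) {
    Write-Warning 'Trust will be refused by Active Directory Domains and Trusts:'
    $problems | ForEach-Object { Write-Warning "  $_" }
    return
}

# No conflict: make sure this side can resolve the remote domain by FQDN before
# running the wizard. Create the conditional forwarder only if it is not there yet.
if (-not (Get-DnsServerZone -Name $remote -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remote -MasterServers $remoteDns -ReplicationScope 'Forest'
}

# Confirm the remote DCs' LDAP SRV records resolve through the forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remote" -Type SRV |
    Format-Table Name, NameTarget, Port -AutoSize
```

Run it from an elevated prompt on a DC (or a DNS server) in the local domain, then repeat from the other side with the roles swapped. If the NetBIOS line fires, no DNS trick will get past the wizard, because the conflict check is on the domain's registered NetBIOS name rather than on what DNS resolves.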
 
Thanks mate, can't seem to find out how to disable NetBIOS with NetDom :(

Don't suppose you have done it before?
 
No :)

But I'll do some playing with it in my lab today. The boss man has me jam-packed with meetings, so if anyone else has an answer, please post; I may not get to this today.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
Reading further, it looks like this may only be an option with Windows 2003 Native Mode.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
Well, both domains have got 2003 running on them (fully raised to 2003 level, which is 2003 native?)
 
Yeah, I have done mate, but it all seems too risky as the network is mission critical to the max; no network, no company :)
 
Both forests must be raised to 2003.

Not just the domains.

Josh Williams

 
Yeah, that forest is 2003 too mate, sorry.
 
Just curious, when you put in credentials, are you supplying WINNT or LDAP names? If you're using the old Domain\UserName style, try putting in the LDAP counterpart to those addresses.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
Hi mate, I'm using Username@Domain.xxx

The authentication seems to be fine as it gets all the way to the final step in the wizard.
 
Well, now there's a brain teaser... it must be the NetBIOS name then. Renaming is not an option for you?

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
Not really mate, it's the US office and I'm back in the UK now. Apart from that, if anything was to go wrong it would cost us thousands in downtime.

It's either I get it working or I leave it as a separate network with the admins having logins on both sides. Not exactly ideal, but there is nothing else I can think of doing?

Any suggestions?
 
Any firewalls, etc. in between these devices that you can check logs on? The only thing I can offer at this time is perhaps load up NetMon on both sides and try the trust again with the sniffer in place. Perhaps you can figure out what is failing with a capture.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
Yeah maybe, there is a firewall between the two sites (one at each end) but they have a VPN link between them, so I would be very shocked if it was that.

Never used NetMon to test this before.

Do I just fire it up on both sides and try the wizard again?
 