
Creating Trust Relation between 2 forests in Windows 2000 Server

May 30, 2001
Can someone out there please help me solve this problem. I have 2 forests in 2 different subnets. Subnet one is 10.195.2.0 and the second one is 10.195.3.0. The problem I am having is that there is an Active Directory domain controller on each subnet. One domain is cas.com and the other is named cas.local. Cas.local is using the Kerberos protocol. I would like to create a trust between these two forests. They can ping each other using IP address, but not by name. I have created a standard primary DNS entry for each of the tree. Still they can't see each other. Can someone please help me. I need to get this done for a huge project. A million thanks in advance for all your help.
 
You need a secondary zone for each domain. So you have domainA and domainB. DomainA needs a secondary copy of domainB's zone, and domainB needs a secondary copy of domainA's zone.
 
Will the same scenario work for two domains that aren't Kerberos, mlichstein?

AV
 
Yes. Kerberos has nothing to do with name resolution. Also, you can only create an external Kerberos trust between two 2003 forests.

 
My situation is about the same in that I have two domains, something.com and somethingelse.com, with a 192.168.1.1 & 192.168.4.1 IP scheme. When I go to try to create a trust it says it can't contact the other one. In the Trust, it has the domain listed and then under Relationship it says Non-Windows Kerberos Realm, and under Transitive it says No.

When I click this and go to edit it doesn't give me a box to verify. I assume this is because I didn't create a secondary for each domain on the other domain??

Thanks for the help on this, AV
 
I want to thank each one of you for all your input. However, I created a standard secondary DNS on each of the forests to replicate each other. When I tried to verify the forest, I still get an error that it can't contact a domain controller or the forest is not available. I even changed the admin password on both forests to the same password to no avail. They're on a separate corporate network, but there is no firewall in between since they are in the same physical location. Please help!
 
When you went to do the trust did you put A in the trusting and B in the trusted first? Just do one of each, and then go back and do the other if you want a two way trust. This worked for me and it verified itself.

AV
 
Yes, I did put A in trusting then B in trusted. Still can't talk to each other. Weird, I must be doing something wrong. This is my first time with AD and Domain Trusting. Perhaps I need a step-by-step of this procedure. Thanks.
 
Ok,

1. Make sure you can ping the other domain.
2. Go to the DNS on Domain A and right click on Forward Lookup Zones.
3. Select New Zone.
4. Then hit next and select Standard Secondary.
5. Follow this out putting in domain B as the Standard Secondary.
6. Do this on Domain B for Domain A.
7. After this you should be able to go ping the Server on Domain B from Domain A by name instead of IP. server.domainB.com and it should resolve.
8. If not, you didn't get to first base and we need to troubleshoot that.
9. Then go to AD Domains & Trust on Domain A. & right click on Domain A.
10. Go to properties and select the Trust Tab.
11. In domains trusted by this domain add Domain B and give a password of your choosing.
12. Then Go to Domain B, AD Domain and trust, follow out the same pattern except in this one go to the bottom DOMAINS that trust this domain and add Domain A using the same password as you did for Domain B.
13. They should have a trust formed. Then you can go back and do the other two empty slots if you want a 2 way trust.
14. Then go to Network Places, Entire Network, and Search for Computer. put in the whole name of the Server on Domain B or A, whichever is opposite where you are. server.domain.com and search. It should find it.

AV
 
A million thanks to you AV1611. I have done just exactly what you outlined here in my previous steps. I still cannot get to this stinky Domain. The other Domain was set up by a consultant where they locked down everything. They are even using Kerberos on these servers. Of course they don't know what to do either, and they're telling me that they have never done this before. I do appreciate your effort and I'll keep on researching this. Perhaps I have to call Microsoft.
 
Can you ping the other side, & can they ping you?

Also how are you setting this up? Terminal Services so that you can do both sides at the same time or are you going over there??

AV
 
Yes, I can ping both sides. Like I said, both Forests are in the same physical location, which I have access to, so to answer your question I am not using RTS.
 
Ok, can you ping using the name of the Server on Domain B from Domain A?

As in, ping server1.DomainB.com

If you can't do this your DNS isn't right.

Try nslookup from the command line and then try typing the names of the servers and hit enter. See if it will resolve their IP's for you.

If you can get all that, another thing to try is to check "allow zone transfers to any server" in Zone A in DNS and see if that frees it up.

AV
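The steps above (secondary zones, then ping and nslookup by name) all come down to one prerequisite: each forest must resolve the other forest's domain controller by name, and to the address you expect. Here is an added example, not from any poster in this thread, that automates that check; run it on a DC in each forest. The forest names and subnets are the ones from the original post, the DC hostnames and the resolver table in the test are constructed.

```python
"""Cross-forest DNS prerequisite check before creating an AD trust.

A trust cannot be created or verified until each side resolves the other
side's domain controller by name (the "secondary zone" steps in the thread).
The resolver is injectable so the logic can be tested offline; by default
the system resolver (socket.gethostbyname) is used, i.e. the DNS the DC
itself points at, which is exactly what the trust wizard relies on.
"""
import ipaddress
import socket

# Constructed sample matching the thread: two forests on two subnets.
# The DC hostnames are assumptions; the subnets come from the original post.
FORESTS = {
    "cas.com":   {"dc": "dc1.cas.com",   "subnet": "10.195.2.0/24"},
    "cas.local": {"dc": "dc1.cas.local", "subnet": "10.195.3.0/24"},
}


def check_cross_forest_dns(forests, resolve=socket.gethostbyname):
    """Resolve every forest's DC by name.

    Returns {dc_fqdn: status} where status is:
      'ok'           name resolves to an address inside the expected subnet
      'unresolved'   name does not resolve (missing/unreplicated zone)
      'wrong-subnet' name resolves, but to a stale or hand-typed address
    """
    results = {}
    for info in forests.values():
        try:
            addr = resolve(info["dc"])
        except OSError:  # socket.gaierror is a subclass of OSError
            results[info["dc"]] = "unresolved"
            continue
        if ipaddress.ip_address(addr) in ipaddress.ip_network(info["subnet"]):
            results[info["dc"]] = "ok"
        else:
            results[info["dc"]] = "wrong-subnet"
    return results


def trust_prerequisites_met(results):
    """True only when every DC resolved to its expected subnet."""
    return bool(results) and all(s == "ok" for s in results.values())


if __name__ == "__main__":
    res = check_cross_forest_dns(FORESTS)
    for host, status in res.items():
        print(f"{host:20} {status}")
    print("ready for trust" if trust_prerequisites_met(res) else "fix DNS first")
```

Run it on both DCs: a result of "unresolved" on either side means the secondary zone has not transferred yet, and "wrong-subnet" means a record exists but points somewhere other than the peer forest's subnet.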
 