Creating Trusts?

[AdamKerr]

How do I set up a trust between two domains?

I get to the stage where you specify trust between two but then it fails and says 'operation could not be completed on this domain controller'.

Server1 is dc for domain1.com.local
ip 192.168.1.250
Raised domain functionality to 2003.

Server2 is dc for domain2.co.uk.local
ip 192.168.1.240
Raised domain functionality to 2003.

I get to the stage where you specify trust between two but then it fails and says 'operation could not be completed on this domain controller'. Both servers can ping each other.

Where have I gone wrong??

 

[lhuegele]

Do you have local DNS replicating between the 2 domains?

 

[AdamKerr]

No, how would i go about setting this up?
I have a forwarder set up on each server that points to one another for the domains.

 

[lhuegele]

We had problems with the forwarders. We had to actually create a secondary zone and bring the internal records over to DNS servers on both sides. Do you need specific instructions on doing this?

 

[WhoKilledKenny]

Are to domains in two different regions? It looks like the issue is that they are using the same private IP sceme and when you try to set up a forwarder from 192.168.1.250 to 192.168.1.240, it may be looking locally.

Would you supply more info regarding your site topology. Is this a test environment?

I have set up forrest root trusts between disjointed domains, using forwarders, and have not had issues.

 

[AdamKerr]

Hi, test environment - same network.

lhuegele, if you could provide more information that would be great.

 

[WhoKilledKenny]

AdamKerr,
Here is a link to creating the type of trust you are requesting.

http://technet2.microsoft.com/Windo...3a7f-4d6f-a2b0-569462fb44321033.mspx?mfr=true

We had problems with the forwarders. We had to actually create a secondary zone and bring the internal records over to DNS servers on both sides. Do you need specific instructions on doing this?

The link above has the instructions on how to set up a secondary zone. But, even the documentation states that this is used when one of the DNS servers is not a MS DNS server. Still, i would suggest that you use forwarders to set up this trust. Less configuration, management, and delegation of rights between the two domains.

Suggestion only:
If you have a third server in your test environment, try building it as a stand alone server and use RRAS to route traffic between the two domains. Have one domain on 10.x.x.x and the other on 192.168.x.x. This should solve the issue with setting up the forwarder.

Good luck, have fun testing...

 

[lhuegele]

I don't know if the IP subnets actually have to be different. As long as the domain names are different it should be ok for them to be on the same subnets (IP address ranges).

For the forward lookup zone on each server/domain, right-click on the domain itself and go to properties. You should see a "zone transfers" tab where you can set-up the "allow zone transfers". We allow this to any server but you can set it up to only specific ones if you like. Do this on both DNS servers.

Once you've set each server up to allow zone transfers, you will create a new secondary forward lookup zone on each DNS server. You will transfer this from the other DNS server.

Once that's complete you should have full DNS information available for each domain and should be able to create your new trusts.

Hope this helps and good luck.

 

[WhoKilledKenny]

I don't know if the IP subnets actually have to be different. As long as the domain names are different it should be ok for them to be on the same subnets (IP address ranges).

I think you a right...
I was able to set up a fowarder when both domains were on the same wire using same subnet. But to take it a step further, in my test AD i attempted, VLAN1(10.0.0.X\24)DomainA ----Router-----VLAN2(10.0.0.X\24)DomainB. Blew Up!!!