one way trust between two forests

brea

IS-IT--Management
Nov 15, 2002
86
US
Hello,

I need to set up a one-way trust between x.com and y.com.

Currently, while attempting to set up the trust, I am getting DNS errors related to the domains not being able to contact each other. I have found some articles related to DNS needing to have the SRV records for the y.com domain and vice versa, but cannot find anything that shows me how to set this up.

Any help would be appreciated.
 
Let me add a little to this in case it makes a difference.

One of the domains is not a domain that we manage but have access to for setting up the trust. It is actually:

our domain = x.com
remote = y.local

I followed the steps to set up the trust and on x.com it tells me that the domain could not be contacted.

On y.local I am told that there is a security database error for the account on x.com when I try to verify the trust.
 
I have run into this a few times. Try adding a DNS server from the forest you want to trust in the root hints tab of your DNS server and do the same on a DNS server in the other forest. From there you should be able to establish the trust.

Hope this helps
 
I can't do that unfortunately. The forest where I would need to add this is a single Domain Controller and the group that set it up has it set up as a root server.

I am doing some research on how to reverse that, if possible, but I have to be extremely careful as to not break anything since this is a production network with important things relying on this DC.
 
I happened to do this recently and here is how I did it:

1) Go to C:\Windows\system32\drivers\etc on your DC and remove the file extension from the lmhosts file (.sam)

2) Open the lmhosts file and enter the following:
X.X.X.X "DOMAIN \0x1B" #PRE
X.X.X.X server #PRE #DOM:DOMAIN

Where X.X.X.X is the IP of the domain you are trusting or having trust you.
Where DOMAIN is the domain you are trusting or having trust you.
Where server is the WINS name of the DC you are trusting or having trust you.

3) Save the file

4) Go to Network Connections > Your Adapter > Properties > Internet Protocol Properties > Advanced > WINS. Make sure Enable LMHOSTS lookup is checked and click Import LMHOSTS.

5) Make sure firewalls allow the standard Microsoft ports between the DCs

6) Try to create the trust

No restart is required to activate the LMHOSTS file. Clicking the Import LMHOSTS button should refresh it.

Hope this helps.


 
I forgot to mention one other thing that is very important. When you enter X.X.X.X "DOMAIN \0x1B" #PRE in the LMHOSTS file, make sure the number of spaces between the quotes equals 15. For example, DOMAIN is 6 chars long, \0x1B is 5 chars long, so the number of spaces should be 4 (15-11).

X.X.X.X "DOMAIN \0x1B" #PRE
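Because web pages and editors collapse runs of spaces, the quoted entry is easy to get wrong by hand. The following is an added example, not part of the original thread: a small Python helper that generates the two LMHOSTS lines and checks an existing line's padding. It assumes the layout described in Microsoft's LMHOSTS guidance (name padded to 15 characters, with \0x1B as the 16th character, 20 characters between the quotes); the IP address, domain and DC names are constructed sample values.

```python
import re

NAME_LEN = 15           # a NetBIOS name is 16 bytes: 15 name characters + 1 type byte
PDC_SUFFIX = r"\0x1B"   # literal text in the file; type 0x1B marks the domain's PDC entry

def pdc_entry(ip, domain):
    """Build the quoted 0x1B line, padding the domain name to 15 characters."""
    name = domain.upper()
    if not 1 <= len(name) <= NAME_LEN:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    return f'{ip} "{name.ljust(NAME_LEN)}{PDC_SUFFIX}" #PRE'

def dc_entry(ip, server, domain):
    """Build the companion line that maps the DC's name to the domain."""
    return f"{ip} {server} #PRE #DOM:{domain.upper()}"

_QUOTED = re.compile(r'^\s*\S+\s+"([^"]*)"')

def check_line(line):
    """Return a list of problems for an LMHOSTS line with a quoted name."""
    m = _QUOTED.match(line)
    if not m:
        return []  # not a quoted special-name entry, nothing to check
    quoted = m.group(1)
    problems = []
    pos = quoted.find("\\0x")
    if pos == -1:
        problems.append("no \\0xNN type byte inside the quotes")
    elif pos != NAME_LEN:
        problems.append(
            f"type byte starts at character {pos + 1}, expected {NAME_LEN + 1}")
    if "#PRE" not in line[m.end():]:
        problems.append("missing #PRE, entry will not be preloaded")
    return problems

if __name__ == "__main__":
    # Constructed sample values (192.0.2.0/24 is a documentation range).
    good = pdc_entry("192.0.2.10", "domain")
    collapsed = '192.0.2.10 "DOMAIN \\0x1B" #PRE'   # spaces lost in copy/paste
    print(good)
    print(dc_entry("192.0.2.10", "dc01", "domain"))
    print(check_line(good), check_line(collapsed))
```

Run `check_line` over each line of the file before clicking Import LMHOSTS; an entry with the wrong padding is loaded without error but never matches the 0x1B lookup.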
 
Are these 2 forests in remote geographic locations? Is there a link between them that is not over the internet or are they connected to the internet and that is the only way communication will occur?

Are the IP address ranges of the 2 forests different?

On the trust side of things, is it a local to remote or remote to local (Are the resources local or remote you wish to access)?

If there is a link between the 2 forests then I would add the remote DNS servers in the local DNS server forwarder IPs, and the local DNS server IPs in the remote DNS server forwarders IPs.

Rossbird does make a good suggestion though, as LMHOSTS is a good last resort.

Good Luck


"Assumption is the mother of all f#%kups!
 