Cross Forest Trust

Guest

Hello

I'm trying to set up a cross-forest trust in W2K. I have name resolution
working both ways.

The distant Domain B has AD-integrated DNS enabled, forwarding to our UNIX
name servers. It appears that this one was able to contact Domain A to
create the trust.

But when I try to complete the trust relationship on Domain A by adding Domain
B, it fails saying the domain cannot be contacted. Domain A is not using
AD-integrated DNS, only UNIX DNS.

Do I need to have AD-integrated DNS set up on both sides?

I've tested access to all the required ports using the portping util and
everything's successful.

Any ideas why I can't establish the trust on the Domain A side to trust
Domain B?
 

I had some problems with Trusts, there are some things to try like
LMHOST and WINS.
 
forest trust in W2K

Hi Crisoft,
As far as I understand, you are trying to create a forest-level trust between two Windows 2000 forests.

The first and foremost thing that needs to be configured when it comes to Windows 2000 and Windows NT4 trusts is LMHOST!
In order to do so, check this KB article out:
http://support.microsoft.com/kb/180094
Make sure that the entries in the LMHOST file look like:
10.0.0.1 PDCNAME #PRE #DOM:DOMAIN-NAME
10.0.0.1 "DOMAIN-NAME \0x1b" #PRE
And there is no # prefixed to any of these lines, and there should be 20 spaces between the " " quotation marks in the second line.
Also make sure that the LMHOST file has no extension, like .txt. Use Windows Explorer to check that.

In Windows 2000, though we say that it's been configured to use Kerberos, that is not exactly how it is. When the trust creation is initiated it uses Kerberos and then reverts back to NTLM; this is the reason creating an LMHOST file is very important.

You need to make sure that these LMHOST entries are made on the PDC role holder DCs in both the domains!!

Once you have done that, here are a few things that you need to check and ensure are configured correctly.
1. DNS:
i) Configure forwarders for each domain in both directions.
ii) Configure zone delegation in both directions, and check whether zone forwarding is enabled or not.
One simple test is to try and ping the PDC role holder for each domain from the other domain by fully qualified name and also by NetBIOS name. E.g. ping DCname.domainName.com and just ping DCname.

Once you are sure that name resolution is working correctly, check the following registry entries on the PDC role holder DCs of both domains.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
and look for
lmcompatibilitylevel [REG_DWORD] = 0x0
restrictanonymous [REG_DWORD] = 0x0
Both these entries should be set to 0 on both the DCs. The values of these registry keys affect the communication between the domains and can be a potential reason for trust issues. If you find these values are not set to 0, then you need to check the default domain controller policy of the domain, as these values are configured there.
Check the article http://support.microsoft.com/kb/823659 to get it configured.

And then I am very sure that you will be able to create a forest-level trust.

If you face any other issues, or if this resolves your issue, please let me know.

Thanks,
Shalabh Sharma,
Ex-Microsoft Support - Active Directory
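The checks in the post above (LMHOST file name and entries, the two LSA registry values, and name resolution of the remote PDC by FQDN and by flat name) can be run as one read-only report. The script below is an added example and is not from the thread or from Microsoft; it is meant to be run in an elevated PowerShell on the PDC emulator of each domain, and the host names passed to it are placeholders.

```powershell
# Added example (not from the thread). Read-only checks for the items in the post above:
# the LMHOSTS file and its #PRE/#DOM entries, the two LSA registry values, and name
# resolution of the remote PDC by FQDN and by flat NetBIOS name. Run it in an elevated
# PowerShell on the PDC emulator of each domain. The names passed in are placeholders.

function Test-TrustPrereqs {
    param(
        [Parameter(Mandatory)][string]$RemotePdcFqdn,      # e.g. pdc.domainb.example (placeholder)
        [Parameter(Mandatory)][string]$RemotePdcNetbios    # e.g. PDCNAME (placeholder)
    )
    $report = [ordered]@{}

    # --- LMHOSTS: the file must be named exactly "lmhosts", with no extension ---
    $etc     = Join-Path $env:SystemRoot 'System32\drivers\etc'
    $lmhosts = Join-Path $etc 'lmhosts'
    $report.LmhostsPresent = Test-Path -LiteralPath $lmhosts -PathType Leaf
    # lmhosts.sam is the shipped sample; anything else with an extension (lmhosts.txt) is the classic mistake
    $report.LmhostsMisnamed = @(Get-ChildItem -LiteralPath $etc -Filter 'lmhosts.*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'lmhosts.sam' } | ForEach-Object { $_.Name })

    $report.DomEntries         = @()
    $report.DomainGroupEntries = @()
    if ($report.LmhostsPresent) {
        # skip comment and blank lines; the entries themselves must not start with #
        $lines = Get-Content -LiteralPath $lmhosts | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
        foreach ($line in $lines) {
            # "10.0.0.1 PDCNAME #PRE #DOM:DOMAIN-NAME"
            if ($line -match '^\s*\d{1,3}(\.\d{1,3}){3}\s+\S+\s+#PRE\s+#DOM:(\S+)') {
                $report.DomEntries += [pscustomobject]@{ Line = $line; Domain = $Matches[2] }
            }
            # "10.0.0.1 "DOMAIN-NAME        \0x1b" #PRE": the quoted field must be exactly 20
            # characters, i.e. the name space-padded to 15, followed by the 5 characters \0x1b
            elseif ($line -match '^\s*\d{1,3}(\.\d{1,3}){3}\s+"([^"]*)"\s+#PRE') {
                $field = $Matches[2]
                $report.DomainGroupEntries += [pscustomobject]@{
                    Line   = $line
                    Length = $field.Length
                    Valid  = ($field.Length -eq 20 -and $field.EndsWith('\0x1b'))
                }
            }
        }
    }

    # --- the LSA values the post asks about; read only, never set here ---
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $report.LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null = value absent, OS default applies
    $report.RestrictAnonymous    = $lsa.RestrictAnonymous

    # --- name resolution through the same resolver path "ping name" uses: FQDN and flat name ---
    function Resolve-Quietly([string]$Name) {
        try { @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) }
        catch { @() }
    }
    $report.RemoteFqdnAddresses    = Resolve-Quietly $RemotePdcFqdn
    $report.RemoteNetbiosAddresses = Resolve-Quietly $RemotePdcNetbios

    [pscustomobject]$report
}

# Usage (placeholder names):
Test-TrustPrereqs -RemotePdcFqdn 'pdc.domainb.example' -RemotePdcNetbios 'PDCNAME' | Format-List
```

The script reports LmCompatibilityLevel and RestrictAnonymous but deliberately does not change them: 0 for the first lets the DC send LM and NTLM responses, and 0 for the second permits anonymous enumeration, so if they are lowered for the trust creation the domain controller policy should be re-applied afterwards. An empty RemoteNetbiosAddresses with a populated RemoteFqdnAddresses points at the flat-name (LMHOST/WINS) path rather than DNS.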

 
Name Resolution Tests
Windows 2003
Nbtstat -R - Purges and reloads the remote cache name table
Nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses

If you would like to test connectivity to validate FRS communication (this
communication is for Windows 2003 to Windows 2003 communications only):
NTFRSUTL version server_name
If the two can communicate through the firewall via FRS, the response
will provide the current version number.

Are high ports open, or have you limited the range via a registry hack for
RPC? If you have a firewall in the way, this is a good chance where your
problem resides.

What about forest functional levels?

I have an article on trust troubleshooting between an NT4 and 2003 forest,
but a lot of the items are still the same.

Check it out at:
http://www.pbbergs.com/windows/articles/firewall_trust.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I've used portquery to test connectivity to ports and everything looks good.
Are you supposed to be able to telnet into netbios ports 137,138? These
won't even answer on the localhost.

I noticed that when I ping the domain name that I'm trying to establish the
trust with it replies with the IP of the PDC which is the DC that I've opened
up the connection to use for creating the trust. Would that cause a problem?

Here's my port query.

=============================================

Starting portqry.exe -n ckent -e 135 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:192.168.5.18[1152]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\\\CKENT[\\PIPE\\lsass]

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncalrpc:[LRPC00000124.00000001]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncacn_np:\\\\CKENT[\\PIPE\\lsass]

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 NTDS Restore Interface
ncalrpc:[LRPC00000124.00000001]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:\\\\CKENT[\\PIPE\\lsass]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncalrpc:[LRPC00000124.00000001]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:\\\\CKENT[\\pipe\\WMIEP_124]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:192.168.4.108[1026]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:192.168.5.18[1026]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncalrpc:[NTDS_LPC]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncadg_ip_udp:192.168.4.108[1028]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncadg_ip_udp:192.168.5.18[1028]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:192.168.4.108[1029]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:192.168.5.18[1029]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncacn_np:\\\\CKENT[\\PIPE\\lsass]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncalrpc:[LRPC00000124.00000001]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncacn_np:\\\\CKENT[\\pipe\\WMIEP_124]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncacn_ip_tcp:192.168.4.108[1026]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncacn_ip_tcp:192.168.5.18[1026]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncalrpc:[NTDS_LPC]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncadg_ip_udp:192.168.4.108[1028]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncadg_ip_udp:192.168.5.18[1028]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncacn_http:192.168.4.108[1029]

UUID: f5cc5a7c-4264-101a-8c59-08002b2f8426 MS NT Directory XDS Interface
ncacn_http:192.168.5.18[1029]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_np:\\\\CKENT[\\PIPE\\lsass]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncalrpc:[LRPC00000124.00000001]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_np:\\\\CKENT[\\pipe\\WMIEP_124]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_ip_tcp:192.168.4.108[1026]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_ip_tcp:192.168.5.18[1026]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncalrpc:[NTDS_LPC]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncadg_ip_udp:192.168.4.108[1028]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncadg_ip_udp:192.168.5.18[1028]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_http:192.168.4.108[1029]

UUID: f5cc5a18-4264-101a-8c59-08002b2f8426 MS NT Directory NSP Interface
ncacn_http:192.168.5.18[1029]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:\\\\CKENT[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[LRPC00000124.00000001]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_np:\\\\CKENT[\\pipe\\WMIEP_124]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:192.168.4.108[1026]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:192.168.5.18[1026]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncalrpc:[NTDS_LPC]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncadg_ip_udp:192.168.4.108[1028]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncadg_ip_udp:192.168.5.18[1028]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_http:192.168.4.108[1029]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_http:192.168.5.18[1029]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncalrpc:[LRPC000004ec.00000001]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_ip_tcp:192.168.4.108[1079]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_ip_tcp:192.168.5.18[1079]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_np:\\\\CKENT[\\PIPE\\atsvc]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncalrpc:[LRPC000004ec.00000001]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_ip_tcp:192.168.4.108[1079]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_ip_tcp:192.168.5.18[1079]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_np:\\\\CKENT[\\PIPE\\atsvc]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:192.168.4.108[1082]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:192.168.5.18[1082]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncalrpc:[LRPC000004a0.00000001]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncacn_ip_tcp:192.168.4.108[1082]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncacn_ip_tcp:192.168.5.18[1082]

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232 NtFrs API
ncalrpc:[LRPC000004a0.00000001]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncacn_ip_tcp:192.168.4.108[1082]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncacn_ip_tcp:192.168.5.18[1082]

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e PERFMON SERVICE
ncalrpc:[LRPC000004a0.00000001]

UUID: 4da1c422-943d-11d1-acae-00c04fc2aa3f
ncacn_ip_tcp:192.168.4.108[1092]

UUID: 4da1c422-943d-11d1-acae-00c04fc2aa3f
ncacn_ip_tcp:192.168.5.18[1092]

UUID: 130ceefb-e466-11d1-b78b-00c04fa32883 NTDS ISM IP Transport
ncacn_ip_tcp:192.168.4.108[1117]

UUID: 130ceefb-e466-11d1-b78b-00c04fa32883 NTDS ISM IP Transport
ncacn_ip_tcp:192.168.5.18[1117]

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_ip_tcp:192.168.4.108[1127]

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_ip_tcp:192.168.5.18[1127]

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncalrpc:[LRPC0000063c.00000001]

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe
ncacn_np:\\\\CKENT[\\pipe\\WinsPipe]

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_ip_tcp:192.168.4.108[1127]

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_ip_tcp:192.168.5.18[1127]

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncalrpc:[LRPC0000063c.00000001]

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45
ncacn_np:\\\\CKENT[\\pipe\\WinsPipe]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC000006e4.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.4.108[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.5.18[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC000006e4.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.4.108[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.5.18[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC000006e4.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.4.108[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.5.18[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncalrpc:[LRPC000006e4.00000001]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.4.108[1135]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da
ncacn_ip_tcp:192.168.5.18[1135]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncacn_ip_tcp:192.168.4.108[1150]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncacn_ip_tcp:192.168.5.18[1150]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncalrpc:[DHCPSERVERLPC]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncacn_ip_tcp:192.168.4.108[1150]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncacn_ip_tcp:192.168.5.18[1150]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncalrpc:[DHCPSERVERLPC]

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:192.168.4.108[1152]

Total endpoints found: 93



==== End of RPC Endpoint Mapper query response ====
portqry.exe -n ckent -e 135 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 389 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 11/14/2007 19:49:19 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820266
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:[email protected]
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820269
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:[email protected]
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========

UDP port 389 is LISTENING

portqry.exe -n ckent -e 389 -p BOTH exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 636 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 636 (ldaps service): LISTENING
portqry.exe -n ckent -e 636 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 3268 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 3268 (unknown service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820269
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:[email protected]
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========
portqry.exe -n ckent -e 3268 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 3269 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 3269 (unknown service): LISTENING
portqry.exe -n ckent -e 3269 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 53 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING
portqry.exe -n ckent -e 53 -p BOTH exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 88 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 88 (kerberos service): LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n ckent -e 88 -p BOTH exits with return code 0x00000002.
=============================================

Starting portqry.exe -n ckent -e 445 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n ckent -e 445 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 137 -p UDP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...


Name resolved to 192.168.5.18

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address 00d0b7886c92
UDP port: LISTENING
portqry.exe -n ckent -e 137 -p UDP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 138 -p UDP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...


Name resolved to 192.168.5.18

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n ckent -e 138 -p UDP exits with return code 0x00000002.
=============================================

Starting portqry.exe -n ckent -e 139 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 139 (netbios-ssn service): LISTENING
portqry.exe -n ckent -e 139 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 42 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 42 (nameserver service): LISTENING
portqry.exe -n ckent -e 42 -p TCP exits with return code 0x00000000.


Thanks!

Crisoft



 
Pinging the domain name is going to resolve to a DC; this is expected. Do
an nslookup on your domain name and it should return all the DCs within
your domain.

If I recall correctly, I don't believe 137 and 138 are needed; I believe 445
is what is used.

Are high ports available both ways?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
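Two things from this exchange are worth automating: listing the DCs a domain name resolves to (what the nslookup suggested above shows, plus the SRV records a trust wizard uses to locate a DC), and checking whether the dynamic RPC "high ports" a DC registered with its endpoint mapper are actually reachable through the firewall. The script below is an added example, not code from the thread; it needs Resolve-DnsName (DnsClient module, Windows 8 / 2012 or later). The domain name and the firewall range are placeholders, and the sample transcript lines are copied from the portqry output posted earlier in the thread.

```powershell
# Added example (not from the thread). Enumerates a domain's DCs via DNS, then tests TCP
# reachability of the fixed trust ports and of the dynamic RPC ports a DC registered with
# its endpoint mapper, as read from a saved "portqry -e 135" transcript.
# Domain names and the firewall range are placeholders.

function Get-DomainDcAddresses {
    param([Parameter(Mandatory)][string]$Domain)
    $a   = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    [pscustomobject]@{
        Domain     = $Domain
        ARecords   = @($a   | ForEach-Object { $_.IPAddress })                 # what "ping domain" picks from
        DcSrvHosts = @($srv | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
    }
}

# TCP connect with a timeout; refused and filtered ports both come back $false
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# The dynamic "high ports" the DC's RPC services registered, pulled from portqry output.
# Only ncacn_ip_tcp bindings for the DC address matter to a firewall between the forests.
function Get-EndpointMapperPorts {
    param([string[]]$PortqryLines, [string]$DcAddress)
    $pattern = 'ncacn_ip_tcp:' + [regex]::Escape($DcAddress) + '\[(\d+)\]'
    $ports = foreach ($line in $PortqryLines) {
        if ($line -match $pattern) { [int]$Matches[1] }
    }
    @($ports | Sort-Object -Unique)
}

function Test-TrustPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$RpcPorts = @(),
        [int]$AllowedRpcLow  = 1024,   # placeholder: the RPC range your firewall actually permits
        [int]$AllowedRpcHigh = 5000
    )
    $fixed = 53, 88, 135, 139, 389, 445, 636, 3268, 3269   # the TCP ports portqry was run against above
    foreach ($p in (@($fixed) + @($RpcPorts) | Sort-Object -Unique)) {
        $isFixed = $fixed -contains $p
        $kind    = if ($isFixed) { 'fixed' } else { 'rpc-dynamic' }
        [pscustomobject]@{
            Port            = $p
            Kind            = $kind
            InFirewallRange = $isFixed -or ($p -ge $AllowedRpcLow -and $p -le $AllowedRpcHigh)
            TcpOpen         = Test-TcpPort -ComputerName $Target -Port $p
        }
    }
}

# Constructed sample: three endpoint-mapper entries copied from the portqry output above
$samplePortqry = @'
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:192.168.5.18[1026]
UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:192.168.5.18[1082]
UUID: 130ceefb-e466-11d1-b78b-00c04fa32883 NTDS ISM IP Transport
ncacn_ip_tcp:192.168.5.18[1117]
'@ -split "`r?`n"

Get-DomainDcAddresses -Domain 'domainb.example' | Format-List          # placeholder domain
$rpc = Get-EndpointMapperPorts -PortqryLines $samplePortqry -DcAddress '192.168.5.18'
Test-TrustPorts -Target '192.168.5.18' -RpcPorts $rpc | Format-Table -AutoSize
```

A port that shows TcpOpen but not InFirewallRange means the DC registered an RPC endpoint outside the range the firewall rule was written for, which is the situation the high-ports question above is probing. The TCP connect test says nothing about UDP: 137 and 138 are UDP-only, so telnet never answers on them, and portqry's "LISTENING or FILTERED" on a UDP port only records that no reply came back, which cannot distinguish a firewall drop from a service that does not respond to the probe.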

namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820266
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:[email protected]
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820269
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:[email protected]
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========

UDP port 389 is LISTENING

portqry.exe -n ckent -e 389 -p BOTH exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 636 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 636 (ldaps service): LISTENING
portqry.exe -n ckent -e 636 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 3268 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 3268 (unknown service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820269
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:[email protected]
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========
portqry.exe -n ckent -e 3268 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 3269 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 3269 (unknown service): LISTENING
portqry.exe -n ckent -e 3269 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 53 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING
portqry.exe -n ckent -e 53 -p BOTH exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 88 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 88 (kerberos service): LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n ckent -e 88 -p BOTH exits with return code 0x00000002.
=============================================

Starting portqry.exe -n ckent -e 445 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n ckent -e 445 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 137 -p UDP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...


Name resolved to 192.168.5.18

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address 00d0b7886c92
UDP port: LISTENING
portqry.exe -n ckent -e 137 -p UDP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 138 -p UDP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...


Name resolved to 192.168.5.18

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n ckent -e 138 -p UDP exits with return code 0x00000002.
=============================================

Starting portqry.exe -n ckent -e 139 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 139 (netbios-ssn service): LISTENING
portqry.exe -n ckent -e 139 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 42 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 42 (nameserver service): LISTENING
portqry.exe -n ckent -e 42 -p TCP exits with return code 0x00000000.


Thanks!

Crisoft



Paul Bergson said:
Name Resolution Tests
Windows 2003
Nbtstat -R - Purges and reloads the remote cache name table
Nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses

If you would like to test connectivity to validate FRS communication (this
communication is for Windows 2003 to Windows 2003 communications only):
NTFRSUTL version server_name
If the two can communicate through the firewall via FRS, the response
will provide the current version number.

Are high ports open, or have you limited the range via a registry hack
for RPC? If you have a firewall in the way, this is a good chance where your
problem resides.

What about forest functional levels?

I have an article on trust troubleshooting between an NT4 and 2003
forest, but a lot of the items are still the same.

Check it out at:
http://www.pbbergs.com/windows/articles/firewall_trust.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

Crisoft said:
Hello

I'm trying to setup a cross forest trust in W2K. I have name resolution
working both ways.

The distant domainB has AD integrated DNS enabled forwarding to our unix
name servers. It appears that this one was able to contact Domain A to
create the trust.

But when I try to complete the trust relationship on Domain A adding Domain
B it fails saying the domain cannot be contacted. Domain A is not using AD
integrated DNS only UNIX DNS.

Do I need to have AD integrated DNS setup on both sides?

I've tested accessing all the required ports using the portping util and
everything's successful.

Any Ideas why I can't establish the trust on the Domain A side to trust
Domain B?
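The PortQry output posted above is long and easy to misread: a UDP port reported as "LISTENING or FILTERED" has not actually been confirmed, and only a follow-up probe (the LDAP query or the NetBIOS adapter status query) or a non-zero return code tells you which ports stayed unresolved. The script below is an added example, not code from the thread or from PortQry itself: it parses that output format and reports the unconfirmed ports. The required-port list and the sample log are constructed from the queries shown in the post, and the return-code meanings (0 listening, 1 not listening, 2 listening or filtered) are PortQry's documented behaviour.

```python
"""Summarise PortQry output: which ports were confirmed LISTENING and which stayed
"LISTENING or FILTERED" (a firewall silently dropping UDP looks just like a listener)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
START_LINE = re.compile(r"^Starting portqry\.exe ")
# "TCP port 389 (ldap service): LISTENING"
STATUS_LINE = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (.+?)\s*$")
# "UDP port 389 is LISTENING" (LDAP probe) or "UDP port: LISTENING" (NetBIOS adapter query)
FOLLOWUP_LINE = re.compile(r"^(TCP|UDP) port(?: (\d+) is|:) (LISTENING|NOT LISTENING)\s*$")
# PortQry's documented return codes: 0 listening, 1 not listening, 2 listening or filtered
EXIT_LINE = re.compile(r"exits with return code 0x([0-9A-Fa-f]{8})\.")
# (protocol, port) pairs queried in the post: a constructed required list for the trust
TRUST_PORTS: List[Tuple[str, int]] = [
    ("TCP", 135), ("TCP", 389), ("UDP", 389), ("TCP", 636), ("TCP", 3268),
    ("TCP", 3269), ("TCP", 53), ("UDP", 53), ("TCP", 88), ("UDP", 88),
    ("TCP", 445), ("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 42),
]

@dataclass
class PortResult:
    proto: str
    port: int
    status: str
    exit_code: Optional[int] = None  # one code per query, shared by both halves of "-p BOTH"

def parse_portqry(text: str) -> List[PortResult]:
    """Parse PortQry's verbose output into one result per protocol/port."""
    results: List[PortResult] = []
    section: List[PortResult] = []  # results belonging to the query currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if START_LINE.match(line):
            section = []
            continue
        m = STATUS_LINE.match(line)
        if m:
            result = PortResult(m.group(1), int(m.group(2)), m.group(3))
            results.append(result)
            section.append(result)
            continue
        m = FOLLOWUP_LINE.match(line)
        if m:
            proto, port, status = m.groups()
            for r in section:
                if r.proto == proto and (port is None or r.port == int(port)):
                    r.status = status  # the probe's answer overrides the tentative verdict
            continue
        m = EXIT_LINE.search(line)
        if m:
            for r in section:
                r.exit_code = int(m.group(1), 16)
    return results

def unresolved(results: List[PortResult]) -> List[PortResult]:
    """Ports PortQry could not confirm; check these with a capture or from the far side."""
    return [r for r in results if r.status == "LISTENING or FILTERED"]

def missing(results: List[PortResult], required=TRUST_PORTS) -> List[Tuple[str, int]]:
    """Required (protocol, port) pairs that have no confirmed LISTENING result."""
    confirmed = {(r.proto, r.port) for r in results if r.status == "LISTENING"}
    return sorted(set(required) - confirmed)

# Constructed sample in the shape of the post's output (host name and ports as in the post)
SAMPLE = """\
Starting portqry.exe -n ckent -e 389 -p BOTH ...
TCP port 389 (ldap service): LISTENING
UDP port 389 (unknown service): LISTENING or FILTERED
UDP port 389 is LISTENING
portqry.exe -n ckent -e 389 -p BOTH exits with return code 0x00000000.
Starting portqry.exe -n ckent -e 88 -p BOTH ...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n ckent -e 88 -p BOTH exits with return code 0x00000002.
Starting portqry.exe -n ckent -e 137 -p UDP ...
UDP port 137 (netbios-ns service): LISTENING or FILTERED
UDP port: LISTENING
portqry.exe -n ckent -e 137 -p UDP exits with return code 0x00000000.
"""
```

Run the full PortQry log through parse_portqry() and look at unresolved() and missing(): on the sample, UDP 88 is the only port left unconfirmed, while UDP 389 and UDP 137 were settled by their probes.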
 
So if I do an nslookup from my domain trying to resolve for the domain I'm
trying to create the trust with should it resolve to their DC's as well?

Would I need to do a zone transfer in DNS from their windows DNS to our UNIX
dns?


--
Thanks!

Crisoft



Paul Bergson said:
Pinging the domain name is going to resolve to a DC; this is expected. Do
an nslookup on your domain name and it should return all the DCs within
your domain.

If I recall correctly I don't believe 137 and 138 are needed, I believe 445
is what is used.

Are high ports available both ways?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Crisoft said:
I've used portquery to test connectivity to ports and everything looks
good.
Are you supposed to be able to telnet into netbios ports 137,138? These
won't even answer on the localhost.

I noticed that when I ping the domain name that I'm trying to establish the
trust with it replies with the IP of the PDC, which is the DC that I've
opened up the connection to use for creating the trust. Would that cause a
problem?

Here's my port query.

 
Crisoft said:
So if I do an nsloookup from my domain trying to resolve for the
domain I'm trying to create the trust with should it resolve to thier
DC's as well?

Would I need to do a zone transfer in DNS from thier windows DNS to
our UNIX dns?

If I may jump in, and I hope Paul doesn't mind, first I would like to say
that Windows 2000 does not support cross-forest trusts. I think Paul
overlooked you are talking about a Windows 2000 domain here. The only type
of trusts it supports are inherited transient trusts that exist intra-forest
between trees and domains and external one-way trusts between domains of
different forests or realms, such as Unix realms, etc.

DNS in such external one-way trusts is not required. Nslookup tests to
determine hostname resolution will not help you in your scenario. Trust
authentication in such a scenario is based on NTLM authentication, which is
based on NetBIOS resolution. This will mean you need to be able to resolve
NetBIOS names as well as allow all traffic between locations. I would either
use WINS, which is easier, or lmhosts files, as Paul's link clearly shows
how to create one. But I think you would need to use the lmhosts file first
to create the trust, then establish WINS partnerships after that.

As far as ports, I think it is challenging to discern the specific ports
required for domain communication because there are numerous ports required
(about 30), as Paul's links indicate, including the all-opening UDP greater
than 1023 for the ephemeral response ports.

As for DNS, you asked about making the zone AD Integrated. That wouldn't
apply to a UNIX BIND server. FYI, making a zone AD Integrated is just
stipulating where you are storing the zone. Primaries and secondaries are text
files stored in the system32\dns folder. AD Integrated zones are stored in the
actual physical AD database and replicate to all DCs during the normal AD
replication process. Windows 2003 offers additional AD integrated zone
features, but since you have 2000, I won't go further about its features.
So the answer to this is no, AD integration is not necessary, unless you
want to reap the features and better secure your zone data by choosing AD
integrated zones.

The only reason I can see to zone transfer between them and your system is
for DNS host name resolution between your systems. Is this a requirement?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
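Ace's point that this kind of external trust authenticates over NTLM, and therefore depends on NetBIOS name resolution, is exactly where hand-written LMHOSTS files tend to go wrong: the entries must be preloaded with #PRE, the DC line must carry #DOM:domain, and the quoted domain-master-browser entry must be exactly 20 characters (the domain space-padded to 15, followed by \0x1b). The Python below is an added example, not code from the thread or from either MVP's article; it assumes the LMHOSTS layout documented in Microsoft KB 180094 and uses constructed names and addresses.

```python
"""Generate and sanity-check LMHOSTS entries for an NTLM/NetBIOS-based external trust.
Added example; the entry layout is the one documented in Microsoft KB 180094."""
import re
from typing import List

NETBIOS_NAME_LEN = 15    # a NetBIOS name is 15 characters plus a 16th suffix byte
BROWSER_TOKEN_LEN = 20   # 15-character padded name followed by the five characters \0x1b
NAME_RE = re.compile(r"[A-Za-z0-9\-]{1,15}")
QUOTED_RE = re.compile(r'"([^"]*)"')
COMMENTED_ENTRY_RE = re.compile(r"^#\s*\d{1,3}(?:\.\d{1,3}){3}\s")  # an entry disabled by '#'

def lmhosts_entries(pdc_ip: str, pdc_name: str, domain: str) -> List[str]:
    """Return the two LMHOSTS lines the trust partner's domain needs.

    Line 1 preloads the PDC and tags it as a domain controller of `domain` (#DOM).
    Line 2 preloads the domain master browser name: the domain space-padded to 15
    characters plus the literal \\0x1b suffix, so the quoted token is exactly 20 long.
    """
    for name in (pdc_name, domain):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"{name!r} is not a valid NetBIOS name (1-15 chars of A-Z, 0-9, -)")
    pdc_name, domain = pdc_name.upper(), domain.upper()
    browser = f'"{domain.ljust(NETBIOS_NAME_LEN)}\\0x1b"'
    assert len(browser) == BROWSER_TOKEN_LEN + 2  # 20 characters plus the two quotes
    return [f"{pdc_ip}\t{pdc_name}\t#PRE #DOM:{domain}", f"{pdc_ip}\t{browser}\t#PRE"]

def check_lmhosts(text: str) -> List[str]:
    """Return the problems found in an LMHOSTS file; an empty list means it looks right."""
    problems: List[str] = []
    dom_domains, browser_domains = set(), set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if COMMENTED_ENTRY_RE.match(line):
            problems.append(f"line {lineno}: entry is disabled by a leading '#'")
            continue
        if line.startswith("#"):
            continue  # ordinary comment
        quoted = QUOTED_RE.search(line)
        if quoted:
            token = quoted.group(1)
            if len(token) != BROWSER_TOKEN_LEN:
                problems.append(f"line {lineno}: quoted name is {len(token)} characters, "
                                f"must be exactly {BROWSER_TOKEN_LEN}")
            elif not token.endswith("\\0x1b"):
                problems.append(f"line {lineno}: quoted name does not end in \\0x1b")
            else:
                browser_domains.add(token[:NETBIOS_NAME_LEN].rstrip().upper())
        dom = re.search(r"#DOM:(\S+)", line)
        if dom:
            dom_domains.add(dom.group(1).upper())
        if (quoted or dom) and "#PRE" not in line:
            problems.append(f"line {lineno}: entry is not preloaded (#PRE missing)")
    for name in sorted(dom_domains - browser_domains):
        problems.append(f"domain {name}: #DOM entry has no matching \\0x1b browser entry")
    return problems

if __name__ == "__main__":
    # Constructed values: PDC "DCB" at 10.0.0.1 for the partner domain "DOMAINB".
    good = lmhosts_entries("10.0.0.1", "DCB", "DOMAINB")
    print("\n".join(good), "\n->", check_lmhosts("\n".join(good)) or "OK")
    # Two classic mistakes: padding typed by hand to the wrong width, and the DC line commented out.
    bad = '10.0.0.1 "DOMAINB \\0x1b" #PRE\n#10.0.0.1 DCB #PRE #DOM:DOMAINB\n'
    print("\n".join(check_lmhosts(bad)))
```

After editing the file on the Domain A side, nbtstat -R reloads the preloaded entries and nbtstat -c shows whether the partner domain's names are now in the cache.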
 
Thanks for everyone's help I really appreciate it. I was able to setup my
external cross forest trust after doing a zone transfer in DNS. I had to
setup AD DNS as a slave to my UNIX DNS and transfer the zone.

Now it's time to migrate Exchange mailboxes over into our ORG. Can you
point me to any good white papers?
--
Thanks!

Crisoft
 
Doy...

Thanks Ace I wasn't even paying attention to the o/s. With 2000 o/s it is
domain to domain one way trusts (non-transitive) only. Two one-way
trusts need to be setup if you need to share resources both ways.

Check my LMHost builder link, it should help.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Paul Bergson said:
Doy...

Thanks Ace I wasn't even paying attention to the o/s. With 2000 o/s
it is domain to domain one way trusts (non-transitive) only. Two
one-way trusts need to be setup if you need to share resources both
ways.
Check my LMHost builder link, it should help.

I was checking that out. I like the way you addressed numerous config
settings required in a trust. It's amazing the complexity involved in
creating a trust.

Cheers!

Ace
 
Crisoft said:
Thanks for everyone's help I really appreciate it. I was able to
setup my external cross forest trust after doing a zone transfer in
DNS. I had to setup AD DNS as a slave to my UNIX DNS and transfer
the zone.

Now it's time to migrate Exchange mailboxes over into our ORG. Can
you point me to any good white papers?

Crisoft,

Good to hear you got it working. As I mentioned, forest trusts do not exist
with Windows 2000, however they do in 2003.

But it is great you got it working. :-)

Ace
 