Rick Magoon
We're having issues creating trusts between two separate forests with
same NetBIOS name between two domains living in separate forests.
Original forest has one domain (represented as thisdomain.com). The
new forest we're migrating to has an empty root domain with a child
domain (represented as emptyroot.com and thisdomain.emptyroot.com).
The NetBIOS and domain name for "thisdomain" is identical in both
forests.
The design objective for the new forest is to protect our resources
with an empty root. All AD objects will be migrated from
thisdomain.com to thisdomain.emptyroot.com using Aelita EMM. In order
to accomplish such a task, we need a two-way NTLM based non-transitive
trust between thisdomain.com and thisdomain.emptyroot.com. The trusts
can be created from both DCs successfully. When verifying the
trusts, we receive "domain not found" and secure channel errors. It
then asks if a Kerberos realm should be created. I can provide the
exact error messages if needed.
We tried the following:
1: ensured PDC Emulator FSMO roles are operational
2: GC is placed separately from Infrastructure Master
3: DNS configured with secondary zones to opposite domains with
forwarders
4: added LMHOSTS #PRE and #DOM entries
5: pointed both DCs to same WINS
6: configured two WINS with DCs pointed to opposite WINS server
7: tried disabling NetBIOS over TCP/IP. None of these solutions work
8: tried the Netdom utility to create the trust manually with no
success
Note: netdom will work creating the trusts if the NetBIOS name is
different and the domain name the same.
I'm almost positive NetBIOS resolution with the NTLM authentication is
the culprit. Fooling NetBIOS and DNS to respond to opposite domain
does not work in any scenario. There's something else in the PDC
Emulator registry or authentication process that's preventing this
from happening.
We've spent many hours attempting to resolve this issue. Any help
would be greatly appreciated.
Thanks in advance.
Rick
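The following PowerShell pre-flight check is an added example, not something from the original post or its author. It reads the NetBIOS name each domain actually advertises, flags a collision, and then runs the same DC-locator and secure-channel checks that trust verification depends on. It assumes the RSAT ActiveDirectory module is installed, that the account running it can query both forests, and that DNS already resolves both sides; the domain names are the placeholders used in the post. The poster's own observation that netdom succeeds as soon as the NetBIOS names differ is the thing this script is meant to surface before any trust is attempted.

```powershell
# Added example (not from the original post): pre-flight checks for a
# cross-forest trust where the two domains may share a NetBIOS name.
# Assumes the ActiveDirectory module (RSAT) and credentials valid in
# both forests. Domain names below are the post's placeholders.
param(
    [string]$OldDomain = 'thisdomain.com',
    [string]$NewDomain = 'thisdomain.emptyroot.com'
)

Import-Module ActiveDirectory

# Pull the NetBIOS name each domain advertises, rather than assuming it
# from the DNS name. Get-ADDomain will only succeed if the target domain
# is resolvable and a DC can be reached (assumption for the far forest).
$old = Get-ADDomain -Identity $OldDomain
$new = Get-ADDomain -Identity $NewDomain

Write-Host ("Old forest domain: {0}  NetBIOS={1}" -f $old.DNSRoot, $old.NetBIOSName)
Write-Host ("New forest domain: {0}  NetBIOS={1}" -f $new.DNSRoot, $new.NetBIOSName)

# A matching NetBIOS name is the condition the post describes. Flag it
# loudly so nobody spends hours on DNS/WINS/LMHOSTS when the short name
# itself is what has to change before an NTLM trust can be verified.
if ($old.NetBIOSName -ieq $new.NetBIOSName) {
    Write-Warning ("NetBIOS name collision: '{0}' is used by both {1} and {2}." -f `
        $old.NetBIOSName, $old.DNSRoot, $new.DNSRoot)
}
else {
    Write-Host 'NetBIOS names differ; proceeding with locator and trust checks.'
}

# DC locator: this is how the trust wizard finds the other side. If either
# call fails here, name resolution is the problem, not the trust object.
nltest /dsgetdc:$OldDomain
nltest /dsgetdc:$NewDomain

# Secure-channel and trust verification from the machine this runs on
# (intended to be a DC in the new forest). These are the checks that
# produced the "domain not found" / secure channel errors in the post.
nltest /sc_verify:$OldDomain
netdom trust $NewDomain /d:$OldDomain /verify
```

Run it from a DC (or an admin workstation) in the new forest; the last two commands check the trust from that side, so run the mirror image from a DC in the old forest as well. If the warning fires, the DNS, WINS and LMHOSTS changes listed above will not help, because the collision is in the short name the PDC Emulators use to identify each other, and the fix is a rename on one side before the trust is recreated.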