win2003 external trust problem between domains in different forests


Pat Wisch

Hi,

Where I work, we have two separate Win2003 forests. Each forest has
its own DNS, and the DNSs do not know about each other. In other
words, without HOSTS or LMHOSTS files, you can't resolve computer
names from forest to forest.

We are in the process of migrating from domain A in forest A (our
forest) to forest B (their forest).

We have a domain in their forest (domain B). As part of the
migration, we want to set up a two way external trust between domain A
and domain B.

It's difficult to get assistance from the Admins of forest B, so what
we did was set up name resolution using HOSTS and LMHOSTS files on the
domain controllers for domain A and domain B. The HOSTS files contain
entries so the domain controllers can all resolve each other, and we
set up the LMHOSTS files according to KB314108. The LMHOSTS files
have entries similar to the following:
10.0.0.1 PDCNAME #PRE #DOM:DOMAIN_NAME
10.0.0.1 "DOMAIN_NAME    \0x1b" #PRE
# the quoted domain name is padded with spaces to 15 characters so \0x1b is the 16th

We were successfully able to create a two way external trust between
domain A and domain B.

When logged on to a domain controller in domain A, we can successfully
allow users from domain B to access resources in domain A. For
example, logged on to a domain controller in domain A, I open the
properties for a domain local group, click add members, set the
location to domain B, click the advanced button, then click Find Now,
and I see a list of users and groups from domain B.

When logged in to a domain controller in domain B however, we can NOT
allow users from domain A to access resources in domain B. For
example, logged on to a domain controller in domain B, I open the
properties for a domain local group, click add members, set the
location to domain A, click the advanced button, then click Find Now,
we get the following message:
The following error prevented the display of any items: The server is
not operational.

I have done some searching and found some other people with problems
similar to this, and one of the things they all are requested to check
is whether secondary DNS zones have been created in each DNS that
refer to the other domains.

Short of doing this, is there any way we can resolve this issue? And
why can we allow access to resources in one direction, but not the
other?

Thanks for any help you can provide.
 
I've always believed that you need DNS working for it to function, but I
haven't tried using detailed HOSTS files...

If you analyze the network traffic, that would likely point you in the right
direction. Start an analyzer like ethereal on the DC in Domain B when you
reproduce the problem. When you see the error, stop the capture and review
the traffic.

You should see what connections are actually made and what fails. Find out
what it's looking for, or what machine it's trying to contact.

I believe that the problem is that you're only resolving hostnames, not the
FQDN of the Active Directory specific DNS entries. Look in your DNS under
the _MSDCS folder and you'll see that there are DC specific entries that
you're not likely to have (and are not likely to work) in the HOSTS or
LMHOSTS.

Secondary zones have always been the way to go.

Good luck and post back if you need help with further analysis.

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA
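Following Mike's pointer to the _msdcs records, here is an added example (not part of the thread, and not Microsoft code) in Python 3: it builds and parses the DNS SRV lookups a domain B DC has to make for domain A's DC locator records, which a HOSTS or LMHOSTS file cannot satisfy, so running it from domain B against domain A's DNS server shows directly whether those records resolve. Domain names and server addresses are placeholders to fill in.

```python
import socket
import struct

def dc_locator_records(domain):
    # _msdcs locator records a DC in domain B must resolve to find a DC in
    # domain A; a HOSTS or LMHOSTS file cannot answer these SRV queries
    d = domain.rstrip(".").lower()
    return [p + "._msdcs." + d for p in ("_ldap._tcp.dc", "_kerberos._tcp.dc", "_ldap._tcp.pdc")]

def build_srv_query(name, txid=0x1234):
    # Standard recursive query: header, QNAME labels, QTYPE=SRV(33), QCLASS=IN(1)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 33, 1)

def _read_name(msg, off):
    # Decode a possibly compressed name; returns (name, offset after the name)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), end if end is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n

def parse_srv_answers(msg):
    # Return [(priority, weight, port, target)]; empty if RCODE reports an error
    _, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if flags & 0x000F:
        return []
    out, off = [], 12
    for _ in range(qd):                            # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                            # SRV record
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            out.append((prio, weight, port, _read_name(msg, off + 6)[0]))
        off += rdlen
    return out

def query_srv(name, server, timeout=3):
    # Send the query to one DNS server over UDP/53 and parse its reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server, 53))
        return parse_srv_answers(s.recvfrom(4096)[0])
```

Run it on the domain B DC as `for r in dc_locator_records("domainA.example"): print(r, query_srv(r, "10.0.0.1"))` with domain A's DNS address; an empty list for any record is the gap the HOSTS/LMHOSTS approach leaves and a secondary zone fills.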
 
Set up an External Forest Trust with secondary DNS servers. If both forests
trust one another, why would you not set up a secondary DNS domain of each
other?

http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.
 