There are several critical prerequisites in the process of configuring a forest level trust in Active Directory. When it comes to Domain Name Server (DNS) configurations, there are two choices when working with forest trusts: configuring a DNS server that is authoritative for both the root domains involved in the forest trust, and adding more hardware. The simpler, more economic choice is configuring a DNS server — here's how.
Forest trusts allow organizations to share resources without requiring additional login credentials or work-to-access resources on Windows Server 2003 systems in other forests.
There are several critical prerequisites in the process of configuring a forest level trust in Active Directory. When it comes to Domain Name Server (DNS) configurations, there are two choices when working with forest trusts:
- Configuring a DNS server that is authoritative for both root domains involved in the forest trust. This requires the creation of a new DNS server to provide authoritative DNS resources for both partnering domains.
- Adding more hardware. This requires deciding where the server will go and dealing with the cost. It works, but the simpler, more economic choice is the first one.
Remember that DNS forwarders are not dependent on forest level trusts, but forest level trusts are dependent on DNS forwarders because the systems in one forest need access to resources in other forests. They pass requests onto DNS servers within their forest/domain and that server can then point them to the trusted forest.
How to configure a DNS forwarder
DNS forwarders are necessary to get forest level trust relationships working properly. Users can forward DNS between the two forests in the trust relationship in order to speed up lookups between the organizations and to allow them to act as one. This way, any domain on one side of the trust may access any resource on the other. A DNS forwarder is a server that receives requests for lookup from another server. For example, your company's DNS server may have no idea who www.google.com actually is because it is not on your network. The request is sent to a forwarder on the Internet to resolve the name.
Follow these steps to configure a DNS forwarder:
- Open the DNS snap-in on the DNS server for your forest (go to Start | Administrative Tools | DNS). In this example, let's call the DNS server at the fictitious company Spacely Sprockets.
- In the console tree pane, open the Properties sheet for the DNS server you want to configure by right-clicking the server name and selecting Properties.
- Click the Forwarders tab.
- Specify the domain names that require queries to be forwarded by clicking the New button and entering the DNS name for the domain. In this case, enter the domain for the fictitious partner company Cogswell Cogs.
- Enter the IP address(es) of the DNS server(s) you wish to forward requests to.
- Click Add.
- Click OK to close the Forwarders tab.
You will need to configure both root DNS servers to forward requests for the domain on the other end of the trust. For example, the Spacely Sprockets DNS server would forward requests for all things Cogswell Cogs, and the DNS server at Cogswell Cogs would do the same for resources at Spacely Sprockets.
Now that the DNS configuration is complete, all you need to do is create the forest trust between Spacely Sprockets and Cogswell Cogs. Next week, I'll take a look at the steps needed to get this relationship off the ground.
Miss a column?
Check out the Windows Server 2003 archive, and catch up on the most recent tips from this newsletter.
Stay on top of the latest Windows Server 2003 tips and tricks with our free Windows Server 2003 newsletter, delivered each Wednesday. Automatically sign up today!