By flrd_snwmn
I'm trying to set up a forest trust across a VPN. I'm linking 2 sites (same company) in 2 different states. Both domain controllers are also DNS servers. Both are Windows 2003 with the forest set to the 2003 level. The VPN is up and running, and both servers have secondary DNS for the other domain controller and can see the other's network.
Every time I try to set up the trust I get an error saying it can't be done on this server. This happens from either end of the VPN. There are no ports being blocked on the VPN. Also, the admin account is the same on both ends. I'm wondering if the domain names are the problem. Our south server is ABC.LOCAL and our north server is ABC.NORTH.
As I said, everything else works but the share. Any ideas? I've run out.

Example for VPN connection

For example, let's suppose that you have two Windows 2000 servers, connected to the Internet by DSL access router/firewalls. Your servers don't need to push high-volume, latency-sensitive traffic between them. Your objective for the VPN is simply to stop eavesdropping over the Internet, but you're not terribly worried about robust security.

In this case, you could configure the Windows server at office A to accept incoming VPN connections, choosing PPTP as the type of VPN connection required. Configure the Windows server at office B to initiate outbound PPTP VPN connections to the public-facing IP address of the DSL access router at office A. Configure your access router/firewall with a one-to-one (static NAT) mapping so that incoming PPTP and GRE are forwarded to the Windows server inside office A's private network. Configure both servers with accounts to be used by this VPN connection for authentication. To learn more about exactly how to set up a PPTP VPN between Windows servers, consult Microsoft's website. Consult your router/firewall manual to learn how to map incoming VPN connections to your office A server.

There are many possible variations on this simple scenario:

# If you want more robust security, try using IPsec (or L2TP over IPsec) instead of PPTP. Set-up will be more complicated, but your tunnel will be much stronger.
# If you want to avoid getting VPN traffic through your access router/firewall, your server in office B could be configured to dial your server in office A. However, your bandwidth will be limited and you'll need analog phone lines for use by both servers.
# If your servers run another operating system, you may need to use a different kind of VPN -- IPsec is supported by most new OSes, but set-up can be harder to get just right if the two servers run different OSes.
# If your router/firewalls have built-in VPN capabilities, you might find it easier to configure a site-to-site VPN tunnel between them and forget about configuring your servers for VPN.
# Finally, if your servers require low-latency, high-quality connectivity, a best-effort tunnel over the Internet may not do the trick at all, no matter what kind of VPN you use.

Please post back if you have any more problems or questions.
VPN is working

by flrd_snwmn In reply to Example for VPN connection

I'm sorry I didn't make it clear. The VPN is set up and working. It's a site-to-site VPN with IPsec enabled. The problem is the trust between the 2 domains does not want to work. I keep getting the error: "The trust cannot be set up from this domain." We are set up to the net on both sides through fiber-optic connections.

You might have to do this manually

by CG IT In reply to VPN is working

Depends on how you set up the domains.

From Active Directory Domains and Trusts, you manually create a one-way explicit trust from ABC.Local to ABC.North. Then, you create a one-way trust from ABC.North to ABC.Local.

If, when you then try to establish the trust, you get a Secure Channel error, then Kerberos might not be working correctly and you have to establish communications with each domain's DCs and DNS. Check your Kerberos requirements.

Cannot Continue

by flrd_snwmn In reply to Domain trust

Thanks for the help so far, but nothing works.
I'm still getting:

The operation failed. The error is: This operation cannot be performed on the current

Am I missing something on the domain properties? I have the root hints and the forwarders set, just to be safe I'm not missing a setting.

Are you using netdom?

by CG IT In reply to Cannot Continue

Are you using the W2003 version?

Do both servers have the same NetBIOS name by any chance?

Do you use the FQDN for both? Might try the FQDN for both domains.

Here is the syntax for netdom:

netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
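The following pre-flight checks and netdom invocation are an added example, not something posted by anyone in this thread. They pull together the two suggestions above: the manual two-way trust from the "You might have to do this manually" reply, and the netdom/FQDN/NetBIOS questions in the last reply. It is PowerShell wrapping the classic command-line tools; the domain names abc.local and abc.north come from the thread, while the account name admin is an assumption. netdom.exe and nltest.exe are from the Windows Server 2003 Support Tools and must be installed on the machine you run this from.

```powershell
# Added example, not code from the thread. Run on a DC (or an admin box) that
# has netdom.exe and nltest.exe from the Windows 2003 Support Tools installed.
# Domain names come from the thread; the "admin" account name is an assumption.
$Trusting = 'abc.local'   # the domain you are running this from
$Trusted  = 'abc.north'   # the domain on the far side of the VPN

# 1. DNS: each side must resolve the other side's DC locator SRV records.
#    A trust wizard that cannot find an LDAP/Kerberos SRV record for the
#    remote domain fails before it ever talks to the remote DC.
foreach ($d in $Trusting, $Trusted) {
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$d"
    nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$d"
}

# 2. DC locator: /force bypasses the cached result so you see what the
#    locator actually finds right now, over the VPN.
nltest /dsgetdc:$Trusting /force
nltest /dsgetdc:$Trusted  /force

# 3. NetBIOS names: ABC.LOCAL and ABC.NORTH may both have defaulted to the
#    NetBIOS name ABC, which the trust cannot tolerate. /netbios asks the
#    locator to report names in NetBIOS form so the two can be compared.
nltest /dsgetdc:$Trusting /netbios
nltest /dsgetdc:$Trusted  /netbios

# 4. Create the trust using FQDNs on both sides. /twoway builds both
#    directions in one step; /PasswordD:* and /PasswordO:* prompt for the
#    passwords instead of leaving them in the shell history.
netdom trust $Trusting "/d:$Trusted" /add /twoway `
    "/UserD:$Trusted\admin"  "/PasswordD:*" `
    "/UserO:$Trusting\admin" "/PasswordO:*"

# 5. Verify the secure channel in both directions. The "Secure Channel"
#    error mentioned above is what you get here when Kerberos or DNS between
#    the two sets of DCs is not working.
netdom trust $Trusting "/d:$Trusted" /verify /twoway `
    "/UserD:$Trusted\admin"  "/PasswordD:*" `
    "/UserO:$Trusting\admin" "/PasswordO:*"
```

Steps 1 to 3 are diagnostics and can be run on both ends of the VPN before touching the trust; if either side cannot resolve the other's _msdcs SRV records, fix DNS first, because netdom and the wizard both rely on the same locator. Step 4 creates an external (domain-to-domain) trust, which is what the manual-creation reply describes. For the forest trust the original poster is after, the equivalent step is the wizard in Active Directory Domains and Trusts run from the forest root domain, or netdom trust with its /ForestTRANsitive option; the diagnostic steps are the same either way.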

