Domain Trusts - DNS Configuration

By dhammond
Trusts:

I have a Windows 2000 domain controller (forrest1).

I have a Windows 2003 domain controller (forrest2).

They are both in their own forests and are the only domain controllers in each.

OK, I want to trust the two, but I cannot get DNS working properly.

I have set up forwarders on both machines to point to each other, but cannot resolve either DC's name.

I have created a secondary forward lookup zone, as well as a reverse lookup zone, on each of the DNS servers, which then point to each other.

Should I make one server the primary DNS server, and then on my secondary server remove all forwarders and simply put in the IP of the master DNS server?

I have little experience with Active Directory, and I really don't want to stuff anything up. It took me a while to get DNS working properly for the individual domains, so I don't want to 'bork' it by fiddling too much!

I've read a number of articles, guides etc. and they all say use forwarders or create a secondary zone on each of the servers. I'm obviously doing something wrong.

Any help would be great as I'm struggling! If you need any more specific info let me know! I just didn't want to write an essay as it seems to put people off replying.

Thanks
DNS Newbie


by CG IT In reply to Domain Trusts - DNS Confi ...

Trusts between domains are configured in Active Directory Domains and Trusts.

DNS handles name-to-IP-address resolution for the DNS zone it's authoritative for. You can have a zone encompass contiguous domain name space, e.g. microsoft.com and devel.microsoft.com, but a DNS zone cannot be non-contiguous domain name space, e.g. microsoft.com and msn.com; each of those domain names requires a separate DNS zone in DNS, one for microsoft.com and one for msn.com. You would have 2 SOA records, 2 forward lookup zones, blah blah, for the 2 separate domain names. Then, to establish trusts between domains, you configure the trusts in Active Directory Domains and Trusts.


by CG IT In reply to

The W2k server is on its own subnet. The W2003 server is on its own subnet. The W2k server is a DC for the single forest, single domain and runs DNS and Active Directory for that forest and single domain. The W2003 server is a DC for its forest and single domain and runs DNS and Active Directory. You then configure the trust relationships between the domains in Active Directory Domains and Trusts.


by dhammond In reply to

Thanks for the info!

"a DNS zone cannot be non-contiguous domain name space, e.g. microsoft.com and msn.com; each of those domain names requires a separate DNS zone in DNS, one for microsoft.com and one for msn.com. You would have 2 SOA records, 2 forward lookup zones, blah blah, for the 2 separate domain names."

OK, so on both my domain controllers, which are both in separate forests, I need 2 zones: one for itself, and the other for the domain controller in the other forest (secondary zone). Is that correct?

I have created both forward and reverse lookup zones for both DCs in both forests. So in DNS I will have a total of 2 forward and 2 reverse zones per machine.

I have gone to the properties of each zone and added the secondary name server in the Name Servers tab, as well as ticking "allow zone transfers".

If I go into my event log on 1 machine I am getting this:
Zone transfer request for secondary zone myservers.local refused by master server at 192.168.1.3. Check the zone at the master server 192.168.1.3 to verify that zone transfer is enabled to this server.

I've checked the DNS server on 192.168.1.3 and I've enabled zone transfers.

This is where I got stuck the other day. I don't think I should be touching Active Directory Domains and Trusts before DNS is working nicely. Any other ideas? Is what I have done correct thus far?

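As an added troubleshooting aid (my example, not anything posted in the thread and not Windows DNS code), the following Python models how a master decides whether to honour a secondary's transfer request, then cross-checks the event text quoted above against the master's per-zone setting. The ZoneTransferPolicy class, its three modes (modelled on the "Allow zone transfers" choices on a zone's Zone Transfers tab) and the secondary's address 192.168.2.3 are my assumptions; myservers.local and 192.168.1.3 come from the post.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class ZoneTransferPolicy:            # model of a zone's Zone Transfers tab (names are ours)
    enabled: bool                    # "Allow zone transfers" ticked?
    mode: str = "name_servers"       # "any" | "name_servers" | "listed"
    name_server_ips: set = field(default_factory=set)  # addresses the Name Servers tab hosts resolve to
    listed_ips: set = field(default_factory=set)       # "Only to the following servers"

def transfer_allowed(policy, requester_ip):
    """Decide an AXFR request the way the master does: by the request's source address."""
    ip = ipaddress.ip_address(requester_ip)
    if not policy.enabled:
        return False, "zone transfers are disabled on the master"
    if policy.mode == "any":
        return True, "allowed to any server (exposes the whole zone; restrict it)"
    allowed = policy.name_server_ips if policy.mode == "name_servers" else policy.listed_ips
    if ip in {ipaddress.ip_address(a) for a in allowed}:
        return True, f"{ip} matches the {policy.mode} list"
    # Usual cause of the quoted event: the request's source address is not on the master's list.
    return False, f"{ip} is not on the {policy.mode} list {sorted(map(str, allowed))}"

EVENT_RE = re.compile(r"Zone transfer request for secondary zone (\S+) refused by master server at (\S+)\.")

def parse_refusal(event_text):
    """Return (zone, master IP) from the secondary's 'refused by master' event, else None."""
    m = EVENT_RE.search(event_text)
    return (m.group(1), m.group(2)) if m else None

def diagnose(event_text, master_policies, secondary_source_ip):
    """Cross-check a refusal event against the per-zone policy configured on the master."""
    parsed = parse_refusal(event_text)
    if parsed is None:
        return "not a zone transfer refusal event"
    zone, master_ip = parsed
    policy = master_policies.get(zone.lower())
    if policy is None:
        return f"{master_ip} holds no zone named {zone}; it must be primary for it"
    ok, reason = transfer_allowed(policy, secondary_source_ip)
    return f"{zone} at {master_ip} {'allows' if ok else 'refuses'} transfer: {reason}"

# Constructed sample: the event text from the thread, a master at 192.168.1.3 that lists
# only itself on the Name Servers tab, and a secondary on another subnet at 192.168.2.3 (made up).
EVENT = ("Zone transfer request for secondary zone myservers.local refused by master server "
         "at 192.168.1.3. Check the zone at the master server 192.168.1.3 to verify that zone "
         "transfer is enabled to this server.")
MASTER = {"myservers.local": ZoneTransferPolicy(True, "name_servers", {"192.168.1.3"})}
print(diagnose(EVENT, MASTER, "192.168.2.3"))   # refuses: 192.168.2.3 is not on the list
```

Once the secondary's own address is on the master's Name Servers list (or in an explicit "listed" set), the same call reports that the transfer is allowed; keeping the mode off "any" limits who can pull a copy of the zone.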

by CG IT In reply to Domain Trusts - DNS Confi ...

Remember, domains are security boundaries. Child domains automatically establish trusts with other child domains and the root domain within the same forest, but trusts are not automatically established between 2 separate domains in 2 separate forests.


by CG IT In reply to

BFilmFan is right in that the forest is the security boundary, in that when you first create the first domain in Active Directory, you're really creating a "forest" even if there is only 1 domain within the forest. That way there is scalability, where you can add domains [and if needed child domains] to the forest later on as the business grows or you need to separate out functional business units to have their own domain [a security boundary within the forest]. Even though there is a transitive 2-way trust between the root and the child, you can filter user access to resources between domains within the forest.


by BFilmFan In reply to Domain Trusts - DNS Confi ...

Just in response to CG IT, in an Active Directory forest, the security boundary is the forest and not the domain.

"The forest represents the security boundary for Active Directory."

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6f8a7c80-45fc-4916-80d9-16e6d46241f9.mspx

While a seeming quibble, this can cause some issues in environments where Everyone, Domain Users or Authenticated Users have been granted Read permissions to all objects and directories in the environment.


by dhammond In reply to Domain Trusts - DNS Confi ...

My Windows 2003 DC is in Windows 2000 mixed mode.

Does the functional level of the domain need to be raised to 2003 in this instance?


by dhammond In reply to Domain Trusts - DNS Confi ...

There won't be any other DCs in the other forest, and if there are they will be 2003.
