I have a Windows 2000 domain controller (forest1)
I have a Windows 2003 domain controller (forest2)
They are both in their own forests and are the only domain controllers in each.
OK, I want to trust the 2 but I cannot get DNS working properly.
I have set up forwarders on both machines to point to each other but cannot resolve either DC's name.
I have created a secondary forward lookup zone, as well as a reverse lookup zone, on each of the DNS servers, which then point to each other.
Should I make 1 server the primary DNS server - and then on my secondary server remove all forwarders and simply put in the IP of the master DNS server?
I have little experience with Active Directory, and I really don't want to stuff anything up. It took me a while getting DNS working properly for the individual domains so I don't want to 'bork' it by fiddling too much!
I've read a number of articles, guides etc. and they all say use forwarders or create a secondary zone on each of the servers. I'm obviously doing something wrong.
Any help would be great as I'm struggling! If you need any more specific info let me know! I just didn't want to write an essay as it seems to put people off replying.
Thanks, DNS Newbie
Trusts between domains are configured in Active Directory Domains and Trusts.
DNS handles name-to-IP-address resolution for the DNS zone it's authoritative for. You can have a zone encompass contiguous domain name space, e.g. microsoft.com and devel.microsoft.com, but a DNS zone cannot be non-contiguous domain name space, e.g. microsoft.com and msn.com; each one of those domain names requires a separate DNS zone in DNS, one for microsoft.com and one for msn.com. You would have 2 SOA records, 2 forward lookup zones, blah blah, for the 2 separate domain names. Then to establish trusts between domains you configure the trusts in Active Directory Domains and Trusts.
The W2K server is on its own subnet. The W2003 server is on its own subnet. The W2K server is a DC for its single-forest, single-domain setup and runs DNS and Active Directory for that forest and single domain. The W2003 server is a DC for its own forest and single domain and runs DNS and Active Directory. You then configure the trust relationships between the domains in Active Directory Domains and Trusts.
"a DNS zone cannot be non-contiguous domain name space, e.g. microsoft.com and msn.com; each one of those domain names requires a separate DNS zone in DNS, one for microsoft.com and one for msn.com. You would have 2 SOA records, 2 forward lookup zones, blah blah, for the 2 separate domain names."
OK, so on both my domain controllers, which are both in separate forests, I need 2 zones: one for itself, and the other for the domain controller in the other forest (secondary zone). Is that correct?
I have created both forward and reverse lookup zones for both DCs in both forests. So in DNS I will have a total of 2 forward and 2 reverse zones per machine.
I have gone to the properties of each zone and added the secondary name server in the Name Servers tab, as well as ticked "Allow zone transfers".
If I go into my event log on 1 machine I am getting this: Zone transfer request for secondary zone myservers.local refused by master server at 192.168.1.3. Check the zone at the master server 192.168.1.3 to verify that zone transfer is enabled to this server.
I've checked the DNS server on 192.168.1.3 and I've enabled zone transfers.
This is where I got stuck the other day. I don't think I should be touching Active Directory Domains and Trusts before DNS is working nicely. Any other ideas? Is what I have done correct thus far?
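An added check script for the zone-transfer refusal described above; it is not from the thread or any poster. It is a cmd batch using nslookup and dnscmd (dnscmd ships in the Windows 2000/2003 Support Tools), run from an admin console. The master address 192.168.1.3 and the zone myservers.local come from the post; the secondary's address 192.168.2.3 is a placeholder to replace.

```batch
@echo off
REM Constructed example, not from the thread. Replace the placeholders below.
REM MASTER    = DNS server that is primary for the zone (192.168.1.3 in the post)
REM SECONDARY = DC in the other forest holding the secondary copy (placeholder IP)
set MASTER=192.168.1.3
set SECONDARY=192.168.2.3
set ZONE=myservers.local

echo === 1. Is the master authoritative for the zone at all (SOA answers)?
nslookup -type=SOA %ZONE% %MASTER%

echo === 2. Can the secondary resolve the other forest's DC locator record?
REM The trust wizard needs this SRV record; with a working forwarder it
REM resolves even before any secondary zone has transferred.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE% %SECONDARY%

echo === 3. Which servers is the master willing to transfer the zone to?
REM ZoneInfo lists the zone's properties, including its secure-secondaries
REM setting; the refusal in the event log means the secondary is not on it.
dnscmd %MASTER% /ZoneInfo %ZONE%

echo === 4. Allow transfers only to the named secondary (not "to any server").
REM Equivalent to "Only to the following servers" in the DNS console. Keeping
REM the list explicit stops anyone else pulling the whole AD record set.
dnscmd %MASTER% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY%

echo === 5. Make the secondary pull the zone now, then re-check its event log.
dnscmd %SECONDARY% /ZoneRefresh %ZONE%
```

If step 2 already succeeds, the forwarders are working and the secondary zone is optional; if step 3 shows the secondary's IP but step 5 still fails, check that the secondary reaches the master from that same IP (a multi-homed DC may source the request from another interface).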
Remember domains are security boundaries. Child domains automatically establish trusts with other child domains and the root domain within the same forest, but trusts are not automatically established between 2 separate domains in 2 separate forests.
Bfilm is right in that the forest is the security boundary, in that when you first create the first domain in Active Directory, you're really creating a "forest" even if there is only 1 domain within the forest. That way there is scalability where you can add domains [and if needed child domains] to the forest later on as the business grows or you need to separate out functional business units to have their own domain [a security boundary within the forest]. Even though there is a transitive 2-way trust between the root and the child, you can filter user access to resources between domains within the forest.
While a seeming quibble, this can cause some issues in environments where Everyone, Domain Users or Authenticated Users have been granted Read permissions to all objects and directories in the environment.
Domain Trusts - DNS Configuration