Domain Trusts - DNS Configuration

By dhammond

I have a Windows 2000 domain controller (forrest1)

I have a Windows 2003 domain controller (forrest2)

They are both in their own forests and are the only domain controllers in each.

OK, I want to trust the two, but I cannot get DNS working properly.

I have set up forwarders on both machines to point to each other but cannot resolve either DC's name.

I have created a secondary forward lookup zone, as well as a reverse lookup zone, on each of the DNS servers which then point to each other.

Should I make 1 server the primary DNS server, and then on my secondary server remove all forwarders and simply put the IP of the master DNS server?

I have little experience with Active Directory, and I really don't want to stuff anything up. It took me a while getting DNS working properly for the individual domains so I don't want to 'bork' it by fiddling too much!

I've read a number of articles, guides etc. and they all say use forwarders or create a secondary zone on each of the servers. I'm obviously doing something wrong.

Any help would be great as I'm struggling! If you need any more specific info let me know! I just didn't want to write an essay as it seems to put people off replying.

DNS Newbie


by CG IT In reply to Domain Trusts - DNS Confi ...

No, not 2 zones on each DC. 1 zone on the DC: the one for the domain it's authoritative and responsible for.

Think of it this way: company A is your W2K network and has a DC and runs Active Directory. Therefore it has DNS running. The domain namespace for company A is <yourdomain>.com. In DNS you have an SOA record for the zone <yourdomain>.com that says <yourdomain>.com is the IP address of the DC.

Company B is your W2003 network and has a DC and runs Active Directory. Therefore it has DNS running. The domain namespace of company B is <otherdomain>.com. In DNS, you have an SOA record for the zone <otherdomain>.com that says <otherdomain>.com is the IP address of the DC.

They are 2 separate companies. Each is its own domain [separate forest] and runs Active Directory. Neither trusts the other inherently. <yourdomain>.com does not trust <otherdomain>.com because they are 2 separate entities [companies/domains] in separate forests [completely separate from each other].

To establish trust between the domains [companies/forests] you have to configure the trust relationship between the 2 in Active Directory Domains and Trusts.

Because you're running a DC for an Active Directory domain, DNS is an integral part of Active Directory [Active Directory requires DNS to function properly]. Had you not created a DC and installed Active Directory on the computers that run DNS, but rather just created a DNS server to handle name resolution, you could create different zones for different namespaces and provide name-to-IP resolution services. You would not get the error message that the master [domain and Active Directory] rejects the zone transfer because that is not its purpose. A DNS server only provides name-to-IP resolution, but if it resides on a DC for a domain and that DC runs Active Directory, the DNS server is part of that domain because it's integrated into the domain controller and Active Directory.


by CG IT In reply to

Here's an idea. Get 2 routers. Put your W2K domain behind 1. Put your W2003 domain behind another. The routers will block each domain from accessing each other. That is what 2 domains [single forest, single domain] do. Each domain must run its own DNS because it runs Active Directory and Active Directory requires DNS to function.

Now to get both domains to talk to each other and allow users in one domain to access resources in the other domain you have to create a trust between the 2. You do that in Active Directory Domains and Trusts.

Hope this clarifies DNS, Active Directory, domains and trusts between domains [forests: single forest, single domain].


by dhammond In reply to

OK, I think I understand the concepts, and thank you for explaining them, but I'm still having some problems.

When I attempt to trust the domains, using Active Directory Domains and Trusts, I get an error saying the domain controller cannot be found. This led me to believe it was a DNS issue. On domain1, I can't resolve domain2's computer name via a ping command. On domain2, I can't resolve domain1's name. This seems normal, as they are both running their own DNS zones for their own domains and wouldn't have entries for each other.

OK, how do I trust two domains/forests/entities if they don't know each other exists? How is Active Directory Domains and Trusts able to find the secondary domain/forest using a name? They both have their own zone, for their own domain, which is entirely independent of one another.

This line of thinking led me to believe it was a DNS issue. I thought if each domain controller had a copy of one another's DNS zone then they would be able to resolve one another. Or alternatively, I could set up a DNS forwarder, or even add an entry into the hosts file with a static entry like:
dc1 - 192.x.x.x

Then when I run Active Directory Domains and Trusts and add the domain's name, it will look in its own DNS zone (or hosts file) and know where to find it.

So, in short, how do I set up DNS so that each domain can see one another?

Or am I still completely off the mark??



by dhammond In reply to Domain Trusts - DNS Confi ...

This is how I asked the question on another forum, which is explained a little easier I think:

I have 2 forests, let's call them forrest1 and forrest2

I have 2 domain controllers, dc1 and dc2

In forrest1, I have dc1, which is a Windows 2000 domain controller. It is the only server in the forest. It is running in "mixed mode".

In forrest2, I have dc2, which is a Windows 2003 domain controller. It is the only server in the forest. It is running in "Windows 2000 mixed mode".

I wish to trust these 2 forests using a 2-way transitive trust. In order to do so, I must have DNS configured so that name resolution works across the forests (i.e. I can ping a NetBIOS name from dc1 to dc2 and resolve it to an IP).

OK, I've read loads of guides, and searched the knowledge base articles, and to be honest I am more confused now than I was to begin with!

OK, so I have created a new zone on each DNS server.

On dc1, I have created a new forward lookup zone for dc2
On dc2, I have created a new forward lookup zone for dc1

(I've also created reverse lookup zones although I doubt they're needed?)

On dc2 (the Windows 2003 box) the dc1 secondary zone appears to be OK. I have also allowed zone transfers for its own zone to dc1.

On dc1 (the Windows 2000 box) the dc2 zone has a yellow error; when I go to the event log it says that zone transfers are not allowed - please enable them.

I've enabled zone transfers on both secondary zones. I've tried manually updating them via the GUI by "transfer from master".

So I have forward lookup zones created on both DCs, yet I am still unable to resolve any names over the network (i.e. DNS isn't working!)

I know very little about DNS. So if any of you are able to give me some tips I'd be a happy man!

If you need any other info, let me know!



by CG IT In reply to Domain Trusts - DNS Confi ...

Connectivity is separate from DNS, Active Directory, domains and the lot. Ping is a TCP/IP tool used to check connectivity. If you cannot ping you don't have connectivity and you have to start checking NICs, then cables, then addressing. Chances are the connectivity problem is in addressing, e.g. address, subnet mask, gateway. The "how" you connect things together.

Direct computer-to-computer hookups via a NIC require crossover cables. If you have a switch and connect both to a switch, for both to be able to talk to each other, they must both be on the same subnet. If a router is in the mix, you need different subnets because a router will read a packet and first determine if it's destined for its subnet. If not then it forwards the packet to the next router which in turn does the same thing. If there isn't a next router and the packet isn't for its subnet, it will drop the packet.

Since you mention forwarders: forwarders is a DNS function in that if the DNS server cannot resolve the name to an IP address, it will forward the query to other DNS servers to find out if any other DNS server knows who is address umpity ump, assuming the DNS server is connected to the internet. [Windows will install a default set of internet authoritative DNS servers.] If forwarders are enabled in DNS but you don't have internet connectivity, the query will come back negative: no one knows who is umpity ump [name] = IP address. So you have to add in your name servers [both DNS servers] in the forwarders list. That way forwarders will forward the DNS query to your name server of the other domain.


by CG IT In reply to

If you had internet access for both networks, both would have different public IP addresses [e.g. both have their own access via an ISP], then internet DNS servers [the forwarders name servers listed by default during install] would resolve the DNS query. E.g. if Domain A wants to find Domain B, Domain A would send out a DNS query "Who is Domain B". That query would go out internet wide and the internet DNS servers would put out an internet wide "Who is Domain B". Domain B's DNS server [which is connected to the internet] would respond "I am, and my address is umpity ump". That would then be forwarded back to Domain A's DNS and resolve the query: Domain B is IP address umpity ump. All info destined for Domain B is then sent to Domain B's IP address.


by CG IT In reply to

Need to clarify forwarders for ya. In closed networks [one not connected to the internet] where you have separate forests [single forest, single domain] for Domain A, you have to add Domain B's DNS into the forwarders of Domain A's DNS server. You also have to add Domain A's DNS into the forwarders of Domain B's DNS. That way queries not resolved by Domain A's DNS get forwarded to Domain B's DNS server and vice versa.
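A worked version of the two-way forwarder setup described above, as an added example that is not code from the thread: a PowerShell script to run on each DC, which also checks connectivity first (the earlier point about ping) and tightens the zone-transfer setting for anyone who went the secondary-zone route instead. It assumes Windows Server 2012 or later with the DnsServer module (the thread's Windows 2000/2003 boxes would use the DNS console or dnscmd); zone names and addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Run on each DC with the two hashtables swapped.
# Assumes Windows Server 2012+ and the DnsServer module (RSAT DNS tools).
# Names and addresses below are constructed placeholders.
$Local  = @{ Zone = 'forrest1.local'; Dns = '192.0.2.10' }   # this forest's DC (runs DNS)
$Remote = @{ Zone = 'forrest2.local'; Dns = '192.0.2.20' }   # the other forest's DC

# 1. Connectivity before DNS: if port 53 on the other DC is unreachable, no zone or
#    forwarder will help. Fix addressing, subnet mask, gateway or firewall first.
if (-not (Test-NetConnection -ComputerName $Remote.Dns -Port 53 -InformationLevel Quiet)) {
    throw "Cannot reach $($Remote.Dns) on port 53; fix connectivity before touching DNS"
}

# 2. Conditional forwarder: only queries for the other forest's namespace go to its DC.
#    A global forwarder (Set-DnsServerForwarder) would also send every unresolved
#    Internet query there, creating a needless dependency on the other forest.
if (-not (Get-DnsServerZone -Name $Remote.Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Remote.Zone -MasterServers $Remote.Dns
}

# 3. If secondary zones were used instead, transfers of OUR primary zone must be allowed
#    only to the other DC, never "to any server": the zone lists every host and DC here.
$own = Get-DnsServerZone -Name $Local.Zone
if ($own.SecureSecondaries -eq 'TransferAnyServer') {
    Set-DnsServerPrimaryZone -Name $Local.Zone -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $Remote.Dns
}

# 4. Verify what the trust wizard actually looks up: the DC locator SRV record for the
#    other forest, then the A record of the DC it names. Query our own server (127.0.0.1)
#    so the test exercises the forwarder, not the remote server directly.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Remote.Zone)" -Type SRV -Server 127.0.0.1 |
       Where-Object Type -eq 'SRV' | Select-Object -First 1
if (-not $srv) { throw "No DC locator record for $($Remote.Zone); forwarding is not working" }
$a = Resolve-DnsName -Name $srv.NameTarget -Type A -Server 127.0.0.1 |
     Where-Object Type -eq 'A' | Select-Object -First 1
"{0} -> {1} ({2})" -f $Remote.Zone, $srv.NameTarget, $a.IPAddress
```

If step 4 succeeds on both DCs, Active Directory Domains and Trusts can locate the other forest's DC and the "domain controller cannot be found" error from the trust wizard should disappear.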


by CG IT In reply to

However, to do all that you must have connectivity between the domains for DNS to forward a query it cannot resolve [the "how" the 2 domains are connected together].


by CG IT In reply to

One more comment: DNS, Active Directory, domains are logical structures.

Networking is a physical structure. Though there are times that both resemble each other, they are not the same. An example is a site. Sites do not have to be a child domain of a root domain. They do not have to have DCs or Global Catalogs. However, users at a site belong to a domain [which encompasses sites] and will use another site's DC to log on [provided they have a fast WAN link which has low utilization]. Sites without DCs or global catalog servers often have a low number of users [and computers] and no servers.


by CG IT In reply to

The physical structure of networking would show the site and site links [the "how things are connected"]. The logical structure would show that users at the site are in a domain/child domain, use DC # whatever for log on, have GPO # applied to OUs [if a child domain, then the child inherits the parent settings], have access to resources through their respective domain provided they are given permission, blah blah blah. If you create a trust between forests, and you want a child domain in forest A to have access to child domain C in forest B, you have to create that trust then assign permissions to the resources you want the user to access. You can create a one-way non-transitive trust between child domain A in one forest and child domain C in another forest. Not all domains have the trust, e.g. if child domain A in forest A trusts child domain C in forest B, that does not mean child domain B in forest A trusts child domain C in forest B.
