Domain Trusts - DNS Configuration

By dhammond
Trusts:

I have a Windows 2000 domain controller (forrest1).

I have a Windows 2003 domain controller (forrest2).

They are both in their own forests and are the only domain controllers in each.

OK, I want to set up a trust between the two, but I cannot get DNS working properly.

I have set up forwarders on both machines to point to each other but cannot resolve either DC's name.

I have created a secondary forward lookup zone, as well as a reverse lookup zone on each of the DNS servers which then point to each other.

Should I make 1 server the primary DNS server - and then on my secondary server I remove all forwarders, and simply put the IP of the master DNS server?

I have little experience with Active Directory, and I really don't want to stuff anything up. It took me a while getting DNS working properly for the individual domains, so I don't want to 'bork' it by fiddling too much!

I've read a number of articles, guides etc. and they all say use forwarders or create a secondary zone on each of the servers. I'm obviously doing something wrong.

Any help would be great as I'm struggling! If you need any more specific info let me know! I just didn't want to write an essay as it seems to put people off replying.

thanks
DNS Newbie


by dhammond

Thanks!

Both domains are internal (i.e. domain.local) so I think I need the forwarders!

I will remove the secondary DNS zones from each machine and just add forwarders for each. I did originally try this but still couldn't resolve names to IPs on the other sites. I'll give it another shot and see how I go.

But before I start Active Directory Domains and Trusts, I should be able to resolve DNS queries across sites, shouldn't I?

I seem to remember trying forwarders to no avail, but I'll give it another shot!

thanks again cgit


by dhammond

This is why I created secondary zones:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/69cacd89-d5dc-4559-9de7-f5e279e60372.mspx

Ensure that Domain Name System (DNS) is properly set up.

If there is a root DNS server that can be made the root DNS server for both of the forest DNS namespaces, then make it the root server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.

If there is no shared root DNS server, and the root DNS servers for each forest DNS namespace are running a member of the Windows Server 2003 family, then configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.

If there is no shared root DNS server, and the root DNS servers for each forest DNS namespace are not running a member of the Windows Server 2003 family, then configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace.


As I'm running a Windows 2000 domain controller, I thought I needed secondary zones and not forwarders, but I'll try forwarders again!
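The three options quoted from TechNet above, written out as the commands a practitioner would type rather than the wording of the article, as an added example that is not part of the original thread or of the Microsoft page. The zone names forrest1.local and forrest2.local and the addresses 192.168.1.10 (the Windows 2000 DC) and 192.168.2.10 (the Windows 2003 DC) are assumptions. One caveat the quoted text leaves out: Windows 2000 DNS has no conditional forwarders, so the 2000 side can only use server-wide forwarders or a secondary zone, and a secondary zone only loads if the other server permits zone transfers to it.

```batch
@echo off
rem Added example, not from the thread: wire up and verify cross-forest DNS
rem between forrest1.local (Windows 2000 DC, DNS at 192.168.1.10) and
rem forrest2.local (Windows 2003 DC, DNS at 192.168.2.10). Zone names and
rem addresses are assumptions. Run in cmd.exe on the Windows Server 2003 DC
rem as a member of Administrators; dnscmd.exe ships with the Support Tools.

rem 1. DNS needs UDP and TCP 53 open to the other DC; ICMP alone proves nothing.
rem    PortQry (Microsoft support tool) reports LISTENING / NOT LISTENING / FILTERED.
portqry -n 192.168.1.10 -e 53 -p both

rem 2. Windows Server 2003 option from the quoted text: a conditional forwarder
rem    that sends only forrest1.local queries to forrest1's DNS server.
dnscmd /ZoneAdd forrest1.local /Forwarder 192.168.1.10
dnscmd /ZoneInfo forrest1.local

rem    Secondary-zone route instead: pull a read-only copy of the other zone.
rem    This only loads if forrest1's DNS allows zone transfers to this server
rem    (Zone Transfers tab on the zone), which is the usual reason it "fails".
rem dnscmd /ZoneAdd forrest1.local /Secondary 192.168.1.10

rem 3. Verify both directions with the SRV records AD uses to locate DCs.
rem    The first query must work before Domains and Trusts gets anywhere;
rem    the second only after step 4 has been done on the forrest1 DC.
nslookup -type=SRV _ldap._tcp.dc._msdcs.forrest1.local 192.168.2.10
nslookup -type=SRV _ldap._tcp.dc._msdcs.forrest2.local 192.168.1.10

rem 4. On the Windows 2000 DC (forrest1) there are no conditional forwarders;
rem    use server-wide forwarders pointing at forrest2's DNS instead. If the
rem    Forwarders tab is greyed out, the server hosts a "." root zone and it
rem    must be deleted before forwarding can be enabled.
rem dnscmd /ZoneDelete . /f
rem dnscmd /ResetForwarders 192.168.2.10
```

The two nslookup lines are the real test: a forest or external trust needs the _msdcs SRV records of the other side to resolve from each DC, so if they fail here, Active Directory Domains and Trusts will fail for the same reason.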


by CG IT In reply to Domain Trusts - DNS Confi ...

You want to forward queries that can't be resolved by DNS to go to other DNS servers. In your case, DNS on domain A sends unresolved queries about domain B to DNS on domain B.

That requires connectivity over TCP/IP port 53. DNS uses that port for communications. Therefore, if you ping a DNS server IP address and you can reach it, there is connectivity over TCP/IP through port 53.
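Checking the port 53 point above more strictly, as an added example that is not part of the thread and not code from any of its posters: a host that answers ping can still have UDP or TCP 53 filtered, and DNS uses UDP 53 for ordinary queries and TCP 53 for zone transfers and for answers too large for UDP, so this stdlib-only probe asks the other forest's DNS server for the DC locator SRV record over each transport separately. The forest names, the addresses 192.168.1.10 / 192.168.2.10 and the canned reply used to exercise the parser offline are assumptions.

```python
"""Added example (not from the thread): stdlib-only DNS SRV probe. It sends the
query the DC locator uses, _ldap._tcp.dc._msdcs.<forest>, to a chosen DNS server
over UDP/53 and again over TCP/53, since a host that answers ping can still have
port 53 filtered on either transport. Names, addresses and the canned reply
are assumptions, not data from the thread."""
import socket
import struct

SRV = 33  # RR type code for SRV (RFC 2782)

def encode_name(name):
    """DNS wire form: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=SRV, txid=0x1234):
    """Standard query, RD (recursion desired) bit set, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def parse_srv_answer(packet):
    """Return (rcode, [(priority, weight, port, target), ...]) from a reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(packet, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", packet[offset:offset + 6])
            target, _ = read_name(packet, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return flags & 0x000F, records

def build_srv_response(query, targets):
    """Constructed reply so the parser can be exercised offline: echoes the
    question and adds one SRV record per (priority, weight, port, target),
    with the owner name compressed to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(targets), 0, 0)
    answers = b""
    for prio, weight, port, target in targets:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        answers += b"\xC0\x0C" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    return header + query[12:] + answers

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP connection early")
        buf += chunk
    return buf

def probe(server, name, tcp=False, timeout=3.0):
    """Send one SRV query to server:53 over UDP (default) or TCP; return the parsed reply."""
    query = build_query(name)
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
    else:  # TCP DNS frames each message with a 2-byte length prefix
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
    return parse_srv_answer(data)

if __name__ == "__main__":
    # Assumed: forrest1's DC/DNS is 192.168.1.10; ask it where forrest2's DCs are.
    name = "_ldap._tcp.dc._msdcs.forrest2.local"
    for label, tcp in (("UDP/53", False), ("TCP/53", True)):
        try:
            print(label, probe("192.168.1.10", name, tcp=tcp))
        except OSError as exc:  # timeout or refusal on this transport only
            print(label, "failed:", exc)
```

Read the two results together: success on UDP with a timeout on TCP (or the reverse) means a firewall or filter between the DCs, not a DNS zone or forwarder problem; rcode 3 (NXDOMAIN) on both means the server answered but holds no data for that name, which is the forwarder or secondary zone not being in place.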


by BFilmFan In reply to Domain Trusts - DNS Confi ...

Your basic issue here is that you cannot have a transitive trust between a Windows 2000 forest and a Windows 2003 forest in mixed mode.

You can only set up an external trust.

When both forests have reached Windows 2003 full functional mode, then you can establish trusts which lead to federated forests.

Secondary zones on the servers are also not going to work.

Your only choice is to have a forwarder configured on each SOA DNS server, which would be the two DCs.

And honestly, a great deal of AD is nothing but understanding DNS.
