Windows 2003 AD Trust Issue

By cflath
Hello,
I have two forests set up on a network, one forest is located in the DMZ (Domain B) and one on the internal network (Domain A). I have a one-way, non-transitive trust set up, with Domain A trusting, and Domain B trusted. My end goal is to have users log in on systems in Domain B using their Domain A credentials.

If my understanding is correct, users on Domain B should be able to select Domain A at the login and use their Domain A credentials. Domain A definitely comes up as an option to log in. Here's where it seems to get sticky: from the actual computer, I can successfully log in using my Domain A credentials. With a Remote Desktop session, my login fails, saying it is unable to contact the domain server. I can log in using my Domain B credentials without issue via Remote Desktop.

It seems like the systems in Domain B on the DMZ attempt to go directly to Domain A's PDC instead of going through the Domain B PDC and using the trust? I'm guessing I have something misconfigured; any help would be greatly appreciated.

7 total posts (Page 1 of 1)

All Answers


Do you have conditional forwarding setup properly in DNS?

by ManiacMan In reply to Windows 2003 AD Trust Iss ...

That's most likely where your problem is, because you need to properly forward DNS requests to the appropriate DNS server on the other domain when the login process searches for DNS SRV resource records of the other domain, and vice versa. This is a common mistake most people make and overlook when setting up trusts in Windows 2003 AD.

If this addresses your issue, please be sure to give me a thumbs up. Thanks.


DNS

by cflath In reply to Do you have conditional f ...

OK, I have been suspecting something related to DNS, but am uncertain if everything is set up correctly. Here is one question I have: the servers on Domain A and Domain B share the same DNS servers - is this going to cause a problem?
Also, I do not use Windows DNS servers; I use Linux/BIND.

DOMAIN A
_ldap._tcp.domainA.com. SRV 0 0 389 ads.domainA.com.
_kerberos._tcp.domainA.com. 600 IN SRV 0 100 88 ads.domainA.com.
_ldap._tcp.dc._msdcs.domainA.com. 600 IN SRV 0 0 389 ads.domainA.com.
_ldap._tcp.dc._msdcs.domainA.com. 600 IN SRV 0 0 389 bdc.domainA.com.
_kerberos._tcp.dc._msdcs.domainA.com. 600 IN SRV 0 100 88 ads.domainA.com.
_kpasswd._udp.domainA.com. 600 IN SRV 0 100 464 ads.domainA.com.
_kerberos._udp.domainA.com. 600 IN SRV 0 100 88 ads.domainA.com.
_gc._tcp.Default-First-Site-Name._sites.domainA.com 600 IN SRV 0 100 3268 ads.domainA.com.
_gc._tcp.domainA.com. 600 IN SRV 0 100 3268 ads.domainA.com.
_kerberos._tcp.Default-First-Site-Name._sites.domainA.com 600 IN SRV 0 100 88 ads.domainA.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domainA.com. 600 IN SRV 0 100 389 ads.domainA.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domainA.com 600 IN SRV 0 100 88 ads.domainA.com.
yabadabadoo._msdcs.domainA.com. 600 IN CNAME ads.domainA.com.
yabadabadoo2._msdcs.domainA.com. 600 IN CNAME bdc.domainA.com.
gc._msdcs.domainA.com. 600 IN A x.x.x.x
_ldap._tcp.yabadabadoo3.domains._msdcs.domainA.com. 600 IN SRV 0 100 389 ads.domainA.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domainA.com. 600 IN SRV 0 100 3268 ads.domainA.com.
_ldap._tcp.gc._msdcs.domainA.com. 600 IN SRV 0 100 3268 ads.domainA.com.
_ldap._tcp.pdc._msdcs.domainA.com. 600 IN SRV 0 100 389 ads.domainA.com.
_ldap._tcp.Default-First-Site-Name._sites.domainA.com. 600 IN SRV 0 100 389 ads.domainA.com.
_ldap._tcp.domainA.com. 600 IN SRV 0 100 389 ads.domainA.com.


DOMAIN B
_ldap._tcp.domainB.com. SRV 0 0 389 tdc.domainB.com.
_kerberos._tcp.domainB.com. 600 IN SRV 0 100 88 tdc.domainB.com.
_ldap._tcp.dc._msdcs.domainB.com. 600 IN SRV 0 100 389 tdc.domainB.com.
_kerberos._tcp.dc._msdcs.domainB.com. 600 IN SRV 0 100 88 tdc.domainB.com.
_kpasswd._udp.domainB.com. 600 IN SRV 0 100 464 tdc.domainB.com.
_kpasswd._tcp.domainB.com. 600 IN SRV 0 100 464 tdc.domainB.com.
_kerberos._udp.domainB.com. 600 IN SRV 0 100 88 tdc.domainB.com.
_gc._tcp.Default-First-Site-Name._sites.domainB.com. 600 IN SRV 0 100 3268 tdc.domainB.com.
_gc._tcp.domainB.com. 600 IN SRV 0 100 3268 tdc.domainB.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domainB.com. 600 IN SRV 0 100 88 tdc.domainB.com.
_kerberos._tcp.Default-First-Site-Name._sites.domainB.com. 600 IN SRV 0 100 88 tdc.domainB.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domainB.com. 600 IN SRV 0 100 389 tdc.domainB.com.
yabadabadoo._msdcs.domainB.com. 600 IN CNAME tdc.domainB.com.
gc._msdcs.domainB.com. 600 IN A dmz.dmz.dmz.dmz
_ldap._tcp.yabadabadoo2.domains._msdcs.domainB.com. 600 IN SRV 0 100 389 tdc.domainB.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domainB.com. 600 IN SRV 0 100 3268 tdc.domainB.com.
_ldap._tcp.gc._msdcs.domainB.com. 600 IN SRV 0 100 3268 tdc.domainB.com.
_ldap._tcp.pdc._msdcs.domainB.com. 600 IN SRV 0 100 389 tdc.domainB.com.
_ldap._tcp.Default-First-Site-Name._sites.domainB.com. 600 IN SRV 0 100 389 tdc.domainB.com.
_ldap._tcp.domainB.com. 600 IN SRV 0 100 389 tdc.domainB.com.
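As an added diagnostic, not code from anyone in the thread, here is a Python script that reads zone lines in the same shape as the dumps above and reports, per domain, which of the SRV owner names a Windows client or DC looks up (the `_ldap._tcp`, `_kerberos._tcp`, `dc._msdcs`, `pdc._msdcs`, `_gc._tcp` and `_kpasswd` names) are absent, and which owner names were written without a trailing dot (in a BIND zone file those are relative and get `$ORIGIN` appended). The domain names and hosts in the embedded sample are constructed, not the poster's real data; the list of required names is the set the thread's own dumps use, not a claim about every record Windows can query.

```python
import re

# Constructed sample in the same shape as the zone dumps posted in the thread
# (hypothetical domains and hosts, not the poster's real records).
SAMPLE_ZONE = """\
_ldap._tcp.example-a.com. SRV 0 0 389 ads.example-a.com.
_kerberos._tcp.example-a.com. 600 IN SRV 0 100 88 ads.example-a.com.
_ldap._tcp.dc._msdcs.example-a.com. 600 IN SRV 0 0 389 ads.example-a.com.
_kerberos._tcp.dc._msdcs.example-a.com. 600 IN SRV 0 100 88 ads.example-a.com.
_kpasswd._udp.example-a.com. 600 IN SRV 0 100 464 ads.example-a.com.
_gc._tcp.example-a.com. 600 IN SRV 0 100 3268 ads.example-a.com.
_kerberos._tcp.Default-First-Site-Name._sites.example-a.com 600 IN SRV 0 100 88 ads.example-a.com.
_ldap._tcp.pdc._msdcs.example-a.com. 600 IN SRV 0 100 389 ads.example-a.com.
_ldap._tcp.example-b.com. 600 IN SRV 0 100 389 tdc.example-b.com.
_kerberos._tcp.example-b.com. 600 IN SRV 0 100 88 tdc.example-b.com.
_ldap._tcp.dc._msdcs.example-b.com. 600 IN SRV 0 100 389 tdc.example-b.com.
_kpasswd._udp.example-b.com. 600 IN SRV 0 100 464 tdc.example-b.com.
"""

# SRV owner prefixes (relative to the domain name) that the zone dumps in the
# thread publish and that a domain member resolves when locating a DC/KDC.
REQUIRED_SRV = (
    "_ldap._tcp",
    "_kerberos._tcp",
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
    "_kpasswd._udp",
    "_gc._tcp",
)

# owner [ttl] [IN] SRV priority weight port target  (TTL and class optional)
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(zone_text):
    """Return (owner, port, target, owner_is_absolute) for each SRV line.
    Non-SRV lines (A, CNAME, blanks) are skipped. Owners are lower-cased and
    stripped of the trailing dot so they can be compared uniformly."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        owner = m.group("owner")
        records.append((owner.rstrip(".").lower(), int(m.group("port")),
                        m.group("target"), owner.endswith(".")))
    return records


def audit(zone_text, domains):
    """For each domain, list required SRV owners that are missing and owners
    written without a trailing dot (relative names in a BIND zone file)."""
    records = parse_srv(zone_text)
    present = {owner for owner, _, _, _ in records}
    report = {}
    for dom in domains:
        dom = dom.lower()
        missing = [f"{p}.{dom}" for p in REQUIRED_SRV if f"{p}.{dom}" not in present]
        relative = sorted({owner for owner, _, _, absolute in records
                           if not absolute and owner.endswith(dom)})
        report[dom] = {"missing": missing, "relative": relative}
    return report


if __name__ == "__main__":
    for dom, findings in audit(SAMPLE_ZONE, ["example-a.com", "example-b.com"]).items():
        print(dom)
        for name in findings["missing"]:
            print("  missing SRV:", name)
        for name in findings["relative"]:
            print("  owner without trailing dot (relative to $ORIGIN):", name)
```

Run it against a real dump by replacing `SAMPLE_ZONE` with the zone text and passing both domain names to `audit`; the point of the check is to confirm that the resolver the DMZ systems use can answer for the trusted domain's `_msdcs` names as well as its own, which is what the conditional-forwarding advice earlier in the thread is about.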


shouldn't be a problem

by CG IT In reply to DNS

You don't need 2 DNS servers for 2 forests and each domain within each forest, provided that you have properly configured DNS service and zones for the 2 forests/domains.

The problem you might have is: are both forests/domains on the same subnet?


DNS

by cflath In reply to shouldn't be a problem

The two domains are on separate subnets. This is my first experience with trusts of any sort. Do I have all of the appropriate DNS entries? Do I need to add something to tell the systems on Domain B that they should be using the Domain B domain server to reach Domain A?


Your problem is DNS because it's hosted on Unix and may not support SRV rec

by ManiacMan In reply to DNS

Does your Unix server support SRV resource records? What version of BIND is it? The version will determine whether it supports SRV records or not. You'd have far fewer problems if DNS was hosted on Windows instead.


DNS

by cflath In reply to Your problem is DNS becau ...

I use BIND 9, and it definitely supports SRV records. Switching DNS to Windows is not an option; there have to be a large number of people out there running *nix-based DNS in Active Directory environments with trusts.
