Discussion:
Setting Up Domain Trust Relationship
Mr. Smith
2007-06-14 16:28:28 UTC
Hello all, and I would like to thank you for any assistance you may provide.

I have set up two Active Directory servers, 'D1' and 'D2'. They are located
in different sites, apart from each other. I have used Routing and Remote
Access to create a persistent connection from 'D1' to 'D2'.

Now I am looking to make a trust relationship between the domains so users from
'D1' and 'D2' can share printers, file shares, perhaps Exchange, etc.

What I did in the DNS of 'D1' is add a DNS record that is sure to point to
the 'D2' server's IP address over the VPN tunnel made in Routing and Remote
Access.

This is where I have an issue trying to create the trust. I get the error
message:

"The Local Security Authority is unable to obtain an RPC connection to the
domain controller %DC%. Please check that the name can be resolved and that
the server is available."

Now I am stuck and seeking help. Perhaps I did something "WRONG" on my
part; I am sure I may have.

Both servers are Server 2003 and have been dcpromo'ed to be the DC for
their domain's forest.

Any further info that may assist me would be appreciated.
Herb Martin
2007-06-14 16:40:40 UTC
Post by Mr. Smith
Hello all, and I would like to thank you for any assistance you may provide.
I have set up two Active Directory servers, 'D1' and 'D2'. They are located
in different sites, apart from each other. I have used Routing and Remote
Access to create a persistent connection from 'D1' to 'D2'.
Now I am looking to make a trust relationship between the domains so users from
'D1' and 'D2' can share printers, file shares, perhaps Exchange, etc.
What I did in the DNS of 'D1' is add a DNS record that is sure to point to
the 'D2' server's IP address over the VPN tunnel made in Routing and Remote
Access.
That's not sufficient. You really need to be able to resolve ALL of the
records of each DC/server in the resource domain (both if resources are on
both sides).

With 2003 Server this is easily done with Conditional Forwarding, where the
DNS server on one side forwards all requests for the "other domain" to the
DNS server having that zone.

You may also require NetBIOS name resolution (since EXTERNAL trusts were
designed to work for NT domains), so this will include a practical
requirement for (a replicated set of) WINS server(s), with every computer,
especially DCs, as WINS clients.
Post by Mr. Smith
This is where I have an issue trying to create the trust. I get the error:
"The Local Security Authority is unable to obtain an RPC connection to the
domain controller %DC%. Please check that the name can be resolved and that
the server is available."
Now I am stuck and seeking help. Perhaps I did something "WRONG" on my
part; I am sure I may have.
Both servers are Server 2003 and have been dcpromo'ed to be the DC for
their domain's forest.
Any further info that may assist me would be appreciated.
Mr. Smith
2007-06-14 17:13:09 UTC
Would you mind stepping me through this?

I went back to my 'D1' server, where I had added the new zone for the 'D2'
domain, and removed it.

Now I have added a forwarder IP of 10.0.100.1 (this is the IP address of the
remote site's DNS, which is also the DC for that site). I also performed an
ipconfig /flushdns to clear any cached info in DNS on my 'D1' server.

My steps:

1. Opened the DNS console under Administrative Tools, right-clicked on
the DNS server node, selected Properties to open the Properties sheet for the
DNS server, and selected the Forwarders tab.

2. On DNS domain: first, clicked the New button and typed the name of the
domain I want my name server to conditionally forward to: domain2.com,
for example. (The new domain appears in the top list box.) I kept this
selected.

3. Then typed the IP address of the conditional forwarder
(10.0.100.1), clicked [Apply] and clicked [OK].

When testing I can ping the remote systems' FQDNs on that network. Example:
fileserver.domain2.com, sqldb.domain2.com and so on.

--- so far so good --- I am one step closer than I was before when going to
add the trust.
I have a question about trusts: external trust vs. forest trust. I want
users to share resources such as file shares and printers. Will I have this
option if I were to choose an external trust? Because there isn't a need to
allow users from one site to log in to one another's systems.
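The conditional forwarder Herb recommends and Mr. Smith set up by hand in the DNS console, scripted as an added example (not code from the thread), followed by a check of the DC locator records Herb says the trust partner must resolve. It assumes the DnsServer and DnsClient PowerShell modules (Server 2012+ or RSAT); `domain1.com` is an assumed name for the D1 domain.

```powershell
# Added example, not from the thread: scripts the conditional forwarder Mr. Smith
# configured by hand and checks the records Herb says the trust partner must resolve.
# Assumes the DnsServer/DnsClient modules (Server 2012+ or RSAT); on 2003 the same
# forwarder is created with: dnscmd /ZoneAdd domain2.com /Forwarder 10.0.100.1
param(
    [string]$RemoteDomain = 'domain2.com',   # remote domain name used in the thread
    [string]$RemoteDns    = '10.0.100.1',    # remote DC/DNS reached through the RRAS tunnel
    [string]$LocalDomain  = 'domain1.com'    # assumed name of the D1 domain (placeholder)
)

# Create the conditional forwarder for the remote domain if it does not exist yet.
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDns
}

# A single host record for the remote DC is not enough: LSA locates the partner DC
# through these DC locator records, so all of them must answer through the forwarder.
$checks = @(
    @{ Name = $RemoteDomain;                            Type = 'A'   }  # "ping the domain"
    @{ Name = "_ldap._tcp.dc._msdcs.$RemoteDomain";     Type = 'SRV' }
    @{ Name = "_kerberos._tcp.dc._msdcs.$RemoteDomain"; Type = 'SRV' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$RemoteDomain";    Type = 'SRV' }  # PDC emulator
)

$failed = 0
foreach ($c in $checks) {
    try {
        $ans = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop
        $targets = if ($c.Type -eq 'SRV') { $ans.NameTarget } else { $ans.IPAddress }
        Write-Host ("OK   {0,-45} -> {1}" -f $c.Name, ($targets -join ', '))
    } catch {
        Write-Warning ("FAIL {0}: {1}" -f $c.Name, $_.Exception.Message)
        $failed++
    }
}

# The same forwarding is needed in the other direction: when the incoming trust is
# verified, D2's DC has to locate D1's DCs, so D2's DNS needs a forwarder for
# $LocalDomain pointing at D1. Without it the verify step fails with error 1311.
if ($failed) { Write-Warning "$failed lookup(s) failed; fix DNS before creating the trust" }
```

Run it on the D1 DC; every lookup has to succeed before the trust wizard can reach the remote DC, and the mirror-image forwarder on D2's DNS server is what makes the incoming side verify.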
Mr. Smith
2007-06-14 17:34:18 UTC
I moved on and ran into this error:

The verification of the incoming trust failed with the following error(s):
The trust password verification test was inconclusive.
A secure channel reset will be attempted.
The secure channel reset failed with error 1311: There are currently no
logon servers available to service the logon request.

The outgoing trust has been verified. It is in place and active.
Herb Martin
2007-06-14 21:24:09 UTC
Post by Mr. Smith
Would you mind stepping me through this?
I went back to my 'D1' server, where I had added the new zone for the 'D2'
domain, and removed it.
Now I have added a forwarder IP of 10.0.100.1 (this is the IP address of
the remote site's DNS, which is also the DC for that site). I also performed an
ipconfig /flushdns to clear any cached info in DNS on my 'D1' server.
1. Opened the DNS console under Administrative Tools, right-clicked
on the DNS server node, selected Properties to open the Properties sheet for
the DNS server, and selected the Forwarders tab.
Right
Post by Mr. Smith
2. On DNS domain: first, clicked the New button and typed the name of
the domain, domain2.com for example. (The new domain appears in the top list
box.) I kept this selected.
Right
Post by Mr. Smith
3. Then typed the IP address of the conditional forwarder
(10.0.100.1), clicked [Apply] and clicked [OK].
Or forwarders -- you can put any or all of the actual DNS servers for
this other zone/domain in there.
Post by Mr. Smith
When testing I can ping the remote systems' FQDNs on that network.
Example: fileserver.domain2.com, sqldb.domain2.com and so on.
--- so far so good --- I am one step closer than I was before when going
to add the trust.
I have a question about trusts: external trust vs. forest trust. I want
users to share resources such as file shares and printers. Will I have
this option if I were to choose an external trust? Because there isn't a need
to allow users from one site to log in to one another's systems.
The trusts are equal ONCE established, with a couple of caveats:

1) External trusts are non-transitive, but this only affects people with
more than two domains (more than one domain in either forest).

2) Forest trusts can be 1- or 2-way (it's a property), but external trusts
are always one way, even though you can set up one in each direction.

3) Forest trusts REQUIRE that BOTH forests be at Windows 2003
Forest Functional Level (all 2003 DCs in both domains, and change
the domain modes and forest levels).

My belief is you now need WINS server(s), with every computer a WINS
client. Since you will likely set up a WINS server in each location (these
are NOT AD Sites), you will need to replicate them.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Ryan Hanisco
2007-06-14 22:08:00 UTC
Mr. Smith,

For a trust to work, you need to make sure that the domains can see each
other, rather than just the domain controllers. You can verify this by
pinging the domain using the FQDN. So make sure that you can ping the DC, and
then ping just the domain as MyDomain.local or whatever your full domain name
is. You will generally get a response from the PDCe in the other domain. If
you are not getting this, you will need to reconfigure your DNS --
there are a number of ways to do that.

From there you should be able to create the trust. Of course, a trust over
a VPN tunnel can be a bit tricky depending on the type of tunnel and any
potential traffic filters you may have on there.

Remember that you can also create trusts with the NETDOM utility. This will
give you more options and can give you better feedback if there are problems
setting it up.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
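Ryan's two checks, the tunnel's traffic filters and NETDOM, as an added example that is not code from the thread: it tests the ports LSA needs to reach the partner DC through the RRAS tunnel (the RPC failure from the first post) and then runs `netdom trust /verify`. It assumes `Test-NetConnection` (Windows 8/2012+) and netdom.exe; `domain1.com` and the `admin-placeholder` accounts are placeholders.

```powershell
# Added example, not from the thread: checks the ports LSA needs to reach the partner DC
# through the RRAS tunnel (the RPC failure in the first post and the traffic filters Ryan
# mentions), then hands the trust to netdom for a verbose verify. Assumes Test-NetConnection
# (Windows 8/2012+) and netdom.exe; host, domain and account names are placeholders.
param(
    [string]$RemoteDc     = '10.0.100.1',    # remote DC from the thread (name or IP)
    [string]$RemoteDomain = 'domain2.com',
    [string]$LocalDomain  = 'domain1.com'    # assumed name of the D1 domain
)

# 135 is the RPC endpoint mapper the original error refers to. After the mapper answers,
# the DC hands out a dynamic high port (1025-5000 on Server 2003, 49152-65535 later),
# so a tunnel filter that permits only the fixed ports below still breaks trust creation.
$ports = [ordered]@{ 'RPC endpoint mapper' = 135; 'SMB' = 445; 'LDAP' = 389; 'Kerberos' = 88; 'DNS' = 53 }

$blocked = @()
foreach ($name in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $RemoteDc -Port $ports[$name] -WarningAction SilentlyContinue
    if ($t.TcpTestSucceeded) { $state = 'open' } else { $state = 'BLOCKED'; $blocked += $name }
    Write-Host ("{0,-20} tcp/{1,-5} {2}" -f $name, $ports[$name], $state)
}

if ($blocked) {
    Write-Warning ("Tunnel or filter blocks: {0}. Fix that before touching the trust." -f ($blocked -join ', '))
    return
}

# netdom reports more than the MMC wizard. /verify tests the existing trust; run it on a
# D1 DC with an account from each domain ('*' prompts for both passwords).
netdom trust $LocalDomain /d:$RemoteDomain /verify `
    /UserO:"$LocalDomain\admin-placeholder" /PasswordO:* `
    /UserD:"$RemoteDomain\admin-placeholder" /PasswordD:*
# Error 1311 on the incoming side after a successful outgoing verify usually means D2's
# DCs cannot resolve $LocalDomain's locator records: the forwarder is needed on D2's DNS too.
```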
Mr. Smith
2007-06-16 02:24:42 UTC
SQL 2000? Mere install or creating of the database and setting up
procedures etc?

(A): I will be installing the SQL Server, creating the database, and populating
the database to support client software they have. For the most part I will
be restoring a database that they used to use remotely so that it can run on
their local network. In doing so I will be setting up their backup scheme
for the database, and also replicating all the data in the primary database
to a second server to be used as a failover / backup system in light of
system shutdown (RAID issues or just OS updates that require the system to be
offline for any period of time) or failure.

Exchange: setting up just the server, or also setting up public folders and
customizing user accounts etc?

(A): I will be deploying their Exchange server, setting up their public
folders and user accounts, along with setting up messaging rules / security
and of course MX records, etc.

AD: Will you be adding all the users and computer accounts and if there are
more than a few how will you do this?

(A): All users / computers / printers will be part of the AD. | In this
particular office there are 40 workstations, and I will have a RIS server to
install the workstations.

Do you know about the details of these services, including (for example) the
things you can do with Group Policy as setting up Automatic Updates or
software installs or do you just know how to "put in the CD and install the
OS"?

(A): See above regarding the OS installs | Office applications will all be
deployed. And yes, I will and can use GP to do much of this for me.

There is a big difference between a consultant who can talk to the client
and either advise them or decide for them which features need to be
implemented.

How good are you?
(A): Well, I have done this for my company on a grander scale, but never had
the need to outsource myself to do it on a contract basis.

System Info For Each Of The 5 Servers:

System Manufacturer Intel Corporation
System Model SE7505VB2
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3056 Mhz
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3056 Mhz
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3056 Mhz
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3056 Mhz
BIOS Version/Date Phoenix Technologies LTD
SE7505VB20.86B.037.P11.0409072218, 9/7/2004
SMBIOS Version 2.31
Total Physical Memory 2,048.00 MB


Server 1: AD: DNS: DHCP: WINS: (RAID5)

Server 2: SQL2000 (RAID5)

Server 3: FILE SERVER / PRINT SVR (RAID5)

Server 4: EXCHANGE (RAID5)

Server 5: BACKUP SERVER: RIS SERVER: (RAID 1)

There are other servers; these are *Linux* based and will be used later |
and are outside of what I am to be doing.
