Tesdall
Guest
Posts: n/a
On Nov 12, 5:47 pm, Crisoft <ccisat1...@hotmail.com> wrote:
> Hello
>
> I'm trying to setup a cross forest trust in W2K. I have name resolution
> working both ways.
>
> The distant domainB has AD integrated DNS enabled forwarding to our unix
> name servers. It appears that this one was able to contact Domain A to
> create the trust.
>
> But when I try to complete the trust relationship on Domain A adding Domain
> B it fails saying the domain cannot be contacted. Domain A is not using AD
> integrated DNS only UNIX DNS.
>
> Do I need to have AD integrated DNS setup on both sides?
>
> I've tested accessing all the required ports using the portping util and
> everything's successful.
>
> Any Ideas why I can't establish the trust on the Domain A side to trust
> Domain B?
>
> --
> Thanks!
>
> Crisoft

I had some problems with Trusts, there are some things to try like LMHOST and WINS.
New Member
Join Date: Nov 2007
Posts: 5
Hi Crisoft,

As far as I understand, you are trying to create a forest level trust between two Windows 2000 forests. The first and foremost thing that needs to be configured when it comes to Windows 2000 and Windows NT4 trusts is LMHOSTS! In order to do so, check this KB article out: http://support.microsoft.com/kb/180094

Make sure that the entries in the LMHOSTS file look like:

10.0.0.1 PDCNAME #PRE #DOM:DOMAIN-NAME
10.0.0.1 "DOMAIN-NAME    \0x1b" #PRE

And there is no # prefixed to any of the lines, and also there should be 20 spaces between the " " quotation marks in the second line. Also make sure that the LMHOSTS file has got no extension like .txt! Use Windows Explorer to check that.

In Windows 2000, though we say that it's been configured to use Kerberos, that is not exactly how it is. When the trust creation is initiated it uses Kerberos and then reverts back to NTLM; this is the reason creating an LMHOSTS file is very important. You need to make sure that these LMHOSTS entries are made on the PDC role holder DCs in both the domains!!

Once you have done that, here are a few things that you need to check and ensure are configured correctly.

1. DNS
i) Forwarders are configured for each domain from both directions.
ii) Configure zone delegation in both directions, and check whether zone forwarding is enabled or not.

One simple test is to try and ping the PDC role holder for each domain from the other domain by fully qualified name and also via NetBIOS name. E.g. ping DCname.domainName.com and just DCname.

Once you are sure that the name resolution is working correctly, check the following registry entries on the PDC role holder DCs of both the domains.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

and look for

lmcompatibilitylevel [REG_DWORD] = 0x0
restrictanonymous [REG_DWORD] = 0x0

Both these entries should be set to 0 on both the DCs. The values of these registry keys affect the communication between the domains and can be a potential reason for trust issues.

If you find these values are not set to 0, then you need to check the default domain controller policy of the domain, as these values are configured there. Check the article http://support.microsoft.com/kb/823659 to get it configured.

And then I am very sure that you will be able to create the forest level trust. If you face any other issues, or if this resolves your issue, please let me know.

Thanks,
Shalabh Sharma,
Ex-Microsoft Support - Active Directory
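Added example, not part of the original post: a checker for the LMHOSTS layout described above, which catches the usual silent failures (a commented-out line, a file extension, a missing #PRE, or a quoted name that is not exactly 20 characters, that is, the name padded with spaces to 15 followed by \0x1b). DOMAINB, PDC-B and the function name are made up for the example; treating both entries as pointing at the same address follows the layout in the post.

```python
import re
from pathlib import PureWindowsPath

# Lines starting with these keywords are directives, not comments.
DIRECTIVES = ("#INCLUDE", "#BEGIN_ALTERNATE", "#END_ALTERNATE")
# <IPv4 address> <name or "quoted name"> [#keywords / trailing comment]
ENTRY_RE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3})\s+(?:"([^"]*)"|(\S+))\s*(.*)$')
SUFFIX = "\\0x1b"  # five literal characters: backslash, 0, x, 1, b


def check_lmhosts(text, domain, filename="lmhosts"):
    """Return a list of problems with the trust-related entries for `domain`."""
    problems = []
    domain = domain.upper()
    if PureWindowsPath(filename).suffix:
        problems.append(f"file name {filename!r} has an extension")

    dom_ip = name_ip = None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.upper().startswith(DIRECTIVES):
            continue
        if line.startswith("#"):
            # A leading '#' turns the whole entry into a comment.
            body = line.lstrip("#").strip()
            if ENTRY_RE.match(body) and domain in body.upper():
                problems.append(
                    f"line {num}: entry for {domain} is commented out")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {num}: not an '<address> <name>' entry")
            continue
        ip, quoted, _bare, rest = m.groups()
        tags = [t.upper() for t in rest.split() if t.startswith("#")]

        if quoted is not None and SUFFIX in quoted.lower():
            if quoted.lower().split(SUFFIX)[0].strip().upper() != domain:
                continue  # 0x1b entry for some other domain
            name_ip = ip
            if len(quoted) != 20 or quoted[15:].lower() != SUFFIX:
                problems.append(
                    f"line {num}: {len(quoted)} characters between the "
                    "quotes, expected 20 (name padded to 15, then \\0x1b)")
        elif f"#DOM:{domain}" in tags:
            dom_ip = ip
        else:
            continue  # entry unrelated to this domain
        if "#PRE" not in tags:
            problems.append(f"line {num}: missing #PRE")

    if dom_ip is None:
        problems.append(f"no '#PRE #DOM:{domain}' entry")
    if name_ip is None:
        problems.append(f'no quoted "{domain} ... \\0x1b" entry')
    if dom_ip and name_ip and dom_ip != name_ip:
        problems.append("the two entries point at different addresses")
    return problems


# Constructed sample input (DOMAINB and PDC-B are made-up names).
GOOD = ('10.0.0.1 PDC-B #PRE #DOM:DOMAINB\n'
        '10.0.0.1 "' + "DOMAINB".ljust(15) + '\\0x1b" #PRE\n')
# The same file after the padding inside the quotes collapsed to one space,
# which is what copying the entry from a web page usually produces.
COLLAPSED = ('10.0.0.1 PDC-B #PRE #DOM:DOMAINB\n'
             '10.0.0.1 "DOMAINB \\0x1b" #PRE\n')

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("collapsed", COLLAPSED)):
        print(label, check_lmhosts(text, "DOMAINB") or "OK")
```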
Paul Bergson [MVP-DS]
Guest
Posts: n/a
Name Resolution Tests
Windows 2003
Nbtstat -R - Purges and reloads the remote cache name table
Nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses

If you would like to test connectivity to validate FRS communication (This communication is for Windows 2003 to Windows 2003 communications only)
NTFRSUTL version server_name
If the two can communicate through the firewall via FRS the response will provide the current version number

Are high ports open, or have you limited the range via a registry hack for RPC? If you have a firewall in the way, this is a good chance where your problem resides.

What about forest functional levels?

I have an article on trust troubleshooting between an NT4 and 2003 forest, but a lot of the items are still the same.

Check it out at:
http://www.pbbergs.com/windows/artic...all_trust.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Crisoft" <(E-Mail Removed)> wrote in message news:925A44DD-0B2E-4F93-9AAB-(E-Mail Removed)...
> Hello
>
> I'm trying to setup a cross forest trust in W2K. I have name resolution
> working both ways.
>
> The distant domainB has AD integrated DNS enabled forwarding to our unix
> name servers. It appears that this one was able to contact Domain A to
> create the trust.
>
> But when I try to complete the trust relationship on Domain A adding Domain
> B it fails saying the domain cannot be contacted. Domain A is not using AD
> integrated DNS only UNIX DNS.
>
> Do I need to have AD integrated DNS setup on both sides?
>
> I've tested accessing all the required ports using the portping util and
> everything's successful.
>
> Any Ideas why I can't establish the trust on the Domain A side to trust
> Domain B?
>
> --
> Thanks!
>
> Crisoft
Crisoft
Guest
Posts: n/a
I've used portquery to test connectivity to ports and everything looks good.
Are you supposed to be able to telnet into netbios ports 137,138? These won't even answer on the localhost.

I noticed that when I ping the domain name that I'm trying to establish the trust with it replies with the IP of the PDC which is the DC that I've opened up the connection to use for creating the trust. Would that cause a problem?

Here's my port query.

Thanks!

Crisoft
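Added example, not part of the original posts: PortQry prints "LISTENING or FILTERED" when a UDP probe gets no answer, so a firewall that silently drops the packet looks the same as an open port until a protocol-level query confirms it. The parser below separates confirmed results from unconfirmed ones; the sample is excerpted from the PortQry results posted in this thread and reduced to the status lines, and the function names are made up for the example.

```python
import re

# Either a per-port status line, or a later line in which PortQry upgrades a
# UDP port to LISTENING after a protocol-specific probe was answered
# ("UDP port 389 is LISTENING" / "UDP port: LISTENING").
TOKEN_RE = re.compile(
    r"(?P<proto>TCP|UDP) port (?P<port>\d+) \([^)]*\): "
    r"(?P<state>LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)"
    r"|UDP port(?: (?P<cport>\d+) is|:) LISTENING"
)


def parse_portqry(text):
    """Map (protocol, port) to the final state PortQry reported.

    Works on normal multi-line output and on output flattened onto one
    line, because it scans for tokens instead of splitting on newlines.
    """
    results = {}
    last_udp = None
    for m in TOKEN_RE.finditer(text):
        if m.group("proto"):
            key = (m.group("proto"), int(m.group("port")))
            results[key] = m.group("state")
            if key[0] == "UDP":
                last_udp = key
        else:
            # Confirmation line: applies to the named port, or to the most
            # recent UDP port when the line carries no port number.
            port = m.group("cport")
            key = ("UDP", int(port)) if port else last_udp
            if key in results:
                results[key] = "LISTENING"
    return results


def unconfirmed(results):
    """Ports that were never positively confirmed as LISTENING."""
    return sorted(k for k, state in results.items() if state != "LISTENING")


# Status lines excerpted from the PortQry output posted in this thread.
SAMPLE = """\
Starting portqry.exe -n ckent -e 389 -p BOTH ...
TCP port 389 (ldap service): LISTENING
UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...
UDP port 389 is LISTENING
Starting portqry.exe -n ckent -e 88 -p BOTH ...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
Starting portqry.exe -n ckent -e 445 -p TCP ...
TCP port 445 (microsoft-ds service): LISTENING
Starting portqry.exe -n ckent -e 137 -p UDP ...
UDP port 137 (netbios-ns service): LISTENING or FILTERED
Attempting NETBIOS adapter status query to UDP port 137...
UDP port: LISTENING
Starting portqry.exe -n ckent -e 138 -p UDP ...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
"""

if __name__ == "__main__":
    res = parse_portqry(SAMPLE)
    for (proto, port), state in sorted(res.items()):
        print(f"{proto:3} {port:5} {state}")
    print("needs a firewall-side check:", unconfirmed(res))
```

For the ports left unconfirmed, the firewall rule set or a packet capture on the far side is what settles whether the traffic actually arrives.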
Paul Bergson [MVP-DS]
Guest
Posts: n/a
Pinging the domain name is going to resolve to a dc, this is expected. Do an nslookup on your domain name and it should return all the dc's within your domain.

If I recall correctly I don't believe 137 and 138 are needed, I believe 445 is what is used.

Are high ports available both ways?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
> > LDAP query response: > > > currentdate: 11/14/2007 19:49:22 (unadjusted GMT) > subschemaSubentry: > CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com > dsServiceName: CN=NTDS > Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com > namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com > defaultNamingContext: DC=mysa,DC=mysahome,DC=com > schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com > configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com > rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com > supportedControl: 1.2.840.113556.1.4.319 > supportedLDAPVersion: 3 > supportedLDAPPolicies: MaxPoolThreads > highestCommittedUSN: 12820269 > supportedSASLMechanisms: GSSAPI > dnsHostName: CKENT.mysa.mysahome.com > ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM > serverName: > CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com > supportedCapabilities: 1.2.840.113556.1.4.800 > isSynchronized: TRUE > isGlobalCatalogReady: TRUE > > > ======== End of LDAP query response ======== > > UDP port 389 is LISTENING > > portqry.exe -n ckent -e 389 -p BOTH exits with return code 0x00000000. > ============================================= > > Starting portqry.exe -n ckent -e 636 -p TCP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... > > TCP port 636 (ldaps service): LISTENING > portqry.exe -n ckent -e 636 -p TCP exits with return code 0x00000000. > ============================================= > > Starting portqry.exe -n ckent -e 3268 -p TCP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... > > TCP port 3268 (unknown service): LISTENING > > Using ephemeral source port > Sending LDAP query to TCP port 3268... 
> > LDAP query response: > > > currentdate: 11/14/2007 19:49:22 (unadjusted GMT) > subschemaSubentry: > CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com > dsServiceName: CN=NTDS > Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com > namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com > defaultNamingContext: DC=mysa,DC=mysahome,DC=com > schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com > configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com > rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com > supportedControl: 1.2.840.113556.1.4.319 > supportedLDAPVersion: 3 > supportedLDAPPolicies: MaxPoolThreads > highestCommittedUSN: 12820269 > supportedSASLMechanisms: GSSAPI > dnsHostName: CKENT.mysa.mysahome.com > ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM > serverName: > CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com > supportedCapabilities: 1.2.840.113556.1.4.800 > isSynchronized: TRUE > isGlobalCatalogReady: TRUE > > > ======== End of LDAP query response ======== > portqry.exe -n ckent -e 3268 -p TCP exits with return code 0x00000000. > ============================================= > > Starting portqry.exe -n ckent -e 3269 -p TCP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... > > TCP port 3269 (unknown service): LISTENING > portqry.exe -n ckent -e 3269 -p TCP exits with return code 0x00000000. > ============================================= > > Starting portqry.exe -n ckent -e 53 -p BOTH ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... > > TCP port 53 (domain service): LISTENING > > UDP port 53 (domain service): LISTENING > portqry.exe -n ckent -e 53 -p BOTH exits with return code 0x00000000. 
> ============================================= > > Starting portqry.exe -n ckent -e 88 -p BOTH ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... > > TCP port 88 (kerberos service): LISTENING > > UDP port 88 (kerberos service): LISTENING or FILTERED > portqry.exe -n ckent -e 88 -p BOTH exits with return code 0x00000002. > ============================================= > > Starting portqry.exe -n ckent -e 445 -p TCP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... > > TCP port 445 (microsoft-ds service): LISTENING > portqry.exe -n ckent -e 445 -p TCP exits with return code 0x00000000. > ============================================= > > Starting portqry.exe -n ckent -e 137 -p UDP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > > Name resolved to 192.168.5.18 > > querying... > > UDP port 137 (netbios-ns service): LISTENING or FILTERED > > Using ephemeral source port > Attempting NETBIOS adapter status query to UDP port 137... > > Server's response: MAC address 00d0b7886c92 > UDP port: LISTENING > portqry.exe -n ckent -e 137 -p UDP exits with return code 0x00000000. > ============================================= > > Starting portqry.exe -n ckent -e 138 -p UDP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > > Name resolved to 192.168.5.18 > > querying... > > UDP port 138 (netbios-dgm service): LISTENING or FILTERED > portqry.exe -n ckent -e 138 -p UDP exits with return code 0x00000002. > ============================================= > > Starting portqry.exe -n ckent -e 139 -p TCP ... > > > Querying target system called: > > ckent > > Attempting to resolve name to IP address... > > Name resolved to 192.168.5.18 > > querying... 
> Thanks!
>
> Crisoft
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Name Resolution Tests
>> Windows 2003
>> Nbtstat -R - Purges and reloads the remote cache name table
>> Nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses
>>
>> If you would like to test connectivity to validate FRS communication
>> (This communication is for Windows 2003 to Windows 2003 communications only)
>> NTFRSUTL version server_name
>> If the two can communicate through the firewall via FRS the response
>> will provide the current version number
>>
>> Are high ports open or have you limited the range via a registry hack
>> for rpc? If you have a firewall in the way this is a good chance where your
>> problem resides.
>>
>> What about forest functional levels?
>>
>> I have an article on trust troubleshooting between an NT4 and 2003 forest,
>> but a lot of the items are still the same.
>>
>> Check it out at:
>> http://www.pbbergs.com/windows/artic...all_trust.html
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Crisoft" <(E-Mail Removed)> wrote in message
>> news:925A44DD-0B2E-4F93-9AAB-(E-Mail Removed)...
>> > Hello
>> >
>> > I'm trying to setup a cross forest trust in W2K. I have name resolution
>> > working both ways.
>> >
>> > The distant domainB has AD integrated DNS enabled forwarding to our unix
>> > name servers. It appears that this one was able to contact Domain A to
>> > create the trust.
>> >
>> > But when I try to complete the trust relationship on Domain A adding Domain
>> > B it fails saying the domain cannot be contacted. Domain A is not using AD
>> > integrated DNS only UNIX DNS.
>> >
>> > Do I need to have AD integrated DNS setup on both sides?
>> >
>> > I've tested accessing all the required ports using the portping util and
>> > everything's successful.
>> >
>> > Any Ideas why I can't establish the trust on the Domain A side to trust
>> > Domain B?
>> >
>> > --
>> > Thanks!
>> >
>> > Crisoft
|
||
|
||||
|
Crisoft
Guest
Posts: n/a
|
So if I do an nslookup from my domain trying to resolve for the domain I'm trying to create the trust with should it resolve to their DC's as well?

Would I need to do a zone transfer in DNS from their windows DNS to our UNIX dns?

--
Thanks!

Crisoft

"Paul Bergson [MVP-DS]" wrote:

> Pinging the domain name is going to resolve to a dc, this is expected. Do
> an nslookup on your domain name and it should return all the dc's within
> your domain.
>
> If I recall correctly I don't believe 137 and 138 are needed, I believe 445
> is what is used.
>
> Are high ports available both ways?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Crisoft" <(E-Mail Removed)> wrote in message
> news:09B9EF85-8B99-485C-A6E3-(E-Mail Removed)...
> > I've used portquery to test connectivity to ports and everything looks
> > good.
> > Are you supposed to be able to telnet into netbios ports 137,138? These
> > won't even answer on the localhost.
> >
> > I noticed that when I ping the domain name that I'm trying to establish the
> > trust with it replies with the IP of the PDC which is the DC that I've opened
> > up the connection to use for creating the trust. Would that cause a problem?
> >
> > Here's my port query.
|
||
|
||||
|
Ace Fekay [MVP]
Guest
Posts: n/a
|
In news:524CFF07-29CA-4101-8F73-(E-Mail Removed),
Crisoft <(E-Mail Removed)> typed:
> So if I do an nslookup from my domain trying to resolve for the
> domain I'm trying to create the trust with should it resolve to their
> DC's as well?
>
> Would I need to do a zone transfer in DNS from their windows DNS to
> our UNIX dns?

If I may jump in, and I hope Paul doesn't mind, first I would like to say that Windows 2000 does not support cross-forest trusts. I think Paul overlooked you are talking about a Windows 2000 domain here. The only type of trusts it supports are inherited transient trusts that exist intra-forest between trees and domains and external one-way trusts between domains of different forests or realms, such as Unix realms, etc.

DNS in such external one-way trusts is not required. Nslookup tests to determine hostname resolution will not help you in your scenario. Trust authentication in such a scenario is based on NTLM authentication, which is based on NetBIOS resolution. This will mean you need to be able to resolve NetBIOS names as well as allow all traffic between locations. I would either use WINS, which is easier, or lmhosts files, as Paul's link clearly shows how to create one. But I think you would need to use the lmhosts file first to create the trust, then establish WINS partnerships after that.

As far as ports, I think it is challenging to discern the specific ports required for domain communication because there are numerous ports required (about 30), as Paul's links indicate, including the all-opening UDP greater than 1023 for the ephemeral response ports.

As for DNS, you asked about making the zone AD Integrated. That wouldn't apply to a UNIX Bind server. FYI, making a zone AD Integrated is just stipulating where you are storing the zone. Primary and secondaries are text files stored in system32\dns folder. AD Integrated zones are stored in the actual physical AD database and replicate to all DCs during the normal AD replication process. Windows 2003 offers additional AD integrated zone features, but since you have 2000, I won't go further about its features. So the answer to this is no, AD integration is not necessary, unless you want to reap the features and better secure your zone data by choosing AD integrated zones.

The only reason I can see to zone transfer between them and your system is for DNS host name resolution between your systems. Is this a requirement?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
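The lmhosts file recommended in this thread needs two entries per PDC role holder (the `#PRE #DOM:` line and the quoted 20-character `\0x1b` line from KB 180094), and both are easy to get wrong by hand. The Python below is an added example, not part of any post here: it builds the two lines and checks a file for the mistakes the thread warns about. Function names and the sample host, domain and address are constructed, and accepting `\0x1B` in either case is an assumption.

```python
import re

NAME_LEN = 15     # characters of a NetBIOS name before the 16th-byte suffix
QUOTED_LEN = 20   # 15 padded characters plus the 5 characters of \0x1b


def pdc_entries(ip, pdc_name, domain):
    """Build the two LMHOSTS lines for one domain's PDC role holder."""
    if len(pdc_name) > NAME_LEN or len(domain) > NAME_LEN:
        raise ValueError("NetBIOS names are limited to 15 characters")
    padded = domain.upper().ljust(NAME_LEN) + r"\0x1b"
    return [
        f"{ip}\t{pdc_name.upper()}\t#PRE\t#DOM:{domain.upper()}",
        f'{ip}\t"{padded}"\t#PRE',
    ]


_QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"\s*(.*)$')
_PLAIN = re.compile(r'^(\S+)\s+(\S+)\s*(.*)$')
_COMMENTED_ENTRY = re.compile(r'^#\s*\d{1,3}(\.\d{1,3}){3}\s')


def check_lmhosts(text, filename="lmhosts"):
    """Return (line_number, message) findings; line 0 refers to the file itself."""
    findings = []
    if "." in filename:
        findings.append((0, f"file name {filename!r} has an extension"))
    dom, x1b = {}, {}   # domain name -> (ip, line number)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A leading # turns the whole entry into a comment.
            if _COMMENTED_ENTRY.match(line):
                findings.append((n, "entry is commented out with a leading #"))
            continue
        m = _QUOTED.match(line)
        if m:
            ip, name, tags = m.groups()
            if not name.lower().endswith(r"\0x1b"):
                continue   # some other quoted special name, not checked here
            if len(name) != QUOTED_LEN:
                findings.append(
                    (n, f"quoted name is {len(name)} characters, expected {QUOTED_LEN}"))
            if "#PRE" not in tags.split():
                findings.append((n, "0x1b entry has no #PRE tag"))
            x1b[name[:-5].strip().upper()] = (ip, n)
            continue
        m = _PLAIN.match(line)
        if not m:
            findings.append((n, "line is not an 'address name [tags]' entry"))
            continue
        ip, _name, tags = m.groups()
        tag_list = tags.split()
        domains = [t[5:].upper() for t in tag_list if t.startswith("#DOM:")]
        if domains:
            if "#PRE" not in tag_list:
                findings.append((n, "#DOM entry has no #PRE tag"))
            dom[domains[0]] = (ip, n)
    # Every #DOM entry needs a matching 0x1b entry on the same address.
    for d, (ip, n) in dom.items():
        if d not in x1b:
            findings.append((n, f"domain {d} has no quoted \\0x1b entry"))
        elif x1b[d][0] != ip:
            findings.append((x1b[d][1], f"\\0x1b entry for {d} uses a different address"))
    return findings


if __name__ == "__main__":
    # Constructed sample: second entry commented out, file saved as lmhosts.txt.
    sample = ('10.0.0.1 PDCNAME #PRE #DOM:DOMAIN-NAME\n'
              '#10.0.0.1 "DOMAIN-NAME    \\0x1b" #PRE\n')
    for line_no, message in check_lmhosts(sample, "lmhosts.txt"):
        print(line_no, message)
```

Run the check against the lmhosts file on the PDC role holder of each domain, since the entries are needed on both sides.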
|
||
|
||||
|
Crisoft
Guest
Posts: n/a
|
Thanks for everyone's help, I really appreciate it. I was able to setup my external cross forest trust after doing a zone transfer in DNS. I had to setup AD DNS as a slave to my UNIX DNS and transfer the zone.

Now it's time to migrate Exchange mailboxes over into our ORG. Can you point me to any good white papers?

--
Thanks!

Crisoft

"Ace Fekay [MVP]" wrote:

> In news:524CFF07-29CA-4101-8F73-(E-Mail Removed),
> Crisoft <(E-Mail Removed)> typed:
> > So if I do an nslookup from my domain trying to resolve for the
> > domain I'm trying to create the trust with should it resolve to their
> > DC's as well?
> >
> > Would I need to do a zone transfer in DNS from their windows DNS to
> > our UNIX dns?
>
> If I may jump in, and I hope Paul doesn't mind, first I would like to say
> that Windows 2000 does not support cross-forest trusts. I think Paul
> overlooked you are talking about a Windows 2000 domain here. The only type
> of trusts it supports are inherited transient trusts that exist intra-forest
> between trees and domains and external one-way trusts between domains of
> different forests or realms, such as Unix realms, etc.
>
> DNS in such external one-way trusts is not required. Nslookup tests to
> determine hostname resolution will not help you in your scenario. Trust
> authentication in such a scenario is based on NTLM authentication, which is
> based on NetBIOS resolution. This will mean you need to be able to resolve
> NetBIOS names as well as allow all traffic between locations. I would either
> use WINS, which is easier, or lmhosts files, as Paul's link clearly shows
> how to create one. But I think you would need to use the lmhosts file first
> to create the trust, then establish WINS partnerships after that.
>
> As far as ports, I think it is challenging to discern the specific ports
> required for domain communication because there are numerous ports required
> (about 30), as Paul's links indicate, including the all-opening UDP greater
> than 1023 for the ephemeral response ports.
>
> As for DNS, you asked about making the zone AD Integrated. That wouldn't
> apply to a UNIX Bind server. FYI, making a zone AD Integrated is just
> stipulating where you are storing the zone. Primary and secondaries are text
> files stored in system32\dns folder. AD Integrated zones are stored in the
> actual physical AD database and replicate to all DCs during the normal AD
> replication process. Windows 2003 offers additional AD integrated zone
> features, but since you have 2000, I won't go further about its features.
> So the answer to this is no, AD integration is not necessary, unless you
> want to reap the features and better secure your zone data by choosing AD
> integrated zones.
>
> The only reason I can see to zone transfer between them and your system is
> for DNS host name resolution between your systems. Is this a requirement?
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Infinite Diversities in Infinite Combinations




