DNS-One Way Trust-questions....

[ECathell]

Hello all.

I have 2 separate domains being utilized where I work. One is the administration/corporate domain. The other is a resource domain.

Admin domain is MO.net
Resource domain is MT.net

MT trusts MO, MO does not trust MT. <this may be part of my issue....

Active directory/Windows authentication between MO>MT works fine.

DNS resolution between MO>MT does not. I am only the admin for the MT domain...MO is handled by a separate IT department.

I want to enable MO to resolve names on our network carteblanche...If I make changes to my dns(such as alias' for our webservices) I dont want to have to have MO put in the alias' on their site, simply have them resolved on our domain...right now name resolution is sporadic at best...

 

[Herb Martin]

Hello all.

I have 2 separate domains being utilized where I work. One is the
administration/corporate domain. The > other is a resource domain.

Admin domain is MO.net
Resource domain is MT.net

MT trusts MO, MO does not trust MT. <this may be part of my issue....

Not if you have used the terms correctly. Normally the domain with
RESOURCES (to be shared or manged) must TRUST the domain
with USERS (who will be granted privileges.)

Active directory/Windows authentication between MO>MT works fine.

If this is not the same forest (which is implied by a one-way trust since
forest domains have automatic two-way trusts) the generally you need
NETBIOS name resolution to work.

DNS resolution between MO>MT does not.
I am only the admin for the MT domain...
MO is handled by a separate IT department.

Generally they must cooperate with you -- as they did for the
trust -- in setting up name resolution.

Unless you are on a SINGLE subnet you will need WINS servers
for NetBIOS resolution to work.

And you will need ALL DCs (at least) to be WINS clients if you
use WINS server, plus if you have more than one WINS server
they must be set to replicate.

I want to enable MO to resolve names on our network
carteblanche...If I make changes to my dns(such as alias'
for our webservices) I dont want to have to have MO put
in the alias' on their site, simply have them resolved on our
domain...right now name resolution is sporadic at best...

Then for DNS THEY (on MO) must arrange for their DNS
servers to resolve your zone(s).

In practice this means one of the following:

1) A common root (almost always impractical)

2) Cross secondary (they hold a secondary for your zone)
-- which is usually the only practical solution if they
use Win2000 (not Win2003)

3) Cross stub zone (pretty much like #2 but requires Win2003)

4) Conditional Forwarding -- also requires Win2003 on their
side to enable this.

(Technically there is a fifth choice in Win2003 but it only works
for a single forest so this doesn't seem to fit your situation: AD-DNS
replication forest wide.)

 

[ECathell]

Thanks very much for the informative reply.

They do have 2003;we have 2000

We are on different subnets 10.100.0.0/16 10.99.0.0/16 etc...

I 'believe' they have wins since they have 3 subnets as well...

What other information do you need?

Hello all.

I have 2 separate domains being utilized where I work. One is the
administration/corporate domain. The > other is a resource domain.

Admin domain is MO.net
Resource domain is MT.net

MT trusts MO, MO does not trust MT. <this may be part of my issue....

Not if you have used the terms correctly. Normally the domain with
RESOURCES (to be shared or manged) must TRUST the domain
with USERS (who will be granted privileges.)

Active directory/Windows authentication between MO>MT works fine.

If this is not the same forest (which is implied by a one-way trust since
forest domains have automatic two-way trusts) the generally you need
NETBIOS name resolution to work.

DNS resolution between MO>MT does not.
I am only the admin for the MT domain...
MO is handled by a separate IT department.

Generally they must cooperate with you -- as they did for the
trust -- in setting up name resolution.

Unless you are on a SINGLE subnet you will need WINS servers
for NetBIOS resolution to work.

And you will need ALL DCs (at least) to be WINS clients if you
use WINS server, plus if you have more than one WINS server
they must be set to replicate.

I want to enable MO to resolve names on our network
carteblanche...If I make changes to my dns(such as alias'
for our webservices) I dont want to have to have MO put
in the alias' on their site, simply have them resolved on our
domain...right now name resolution is sporadic at best...

Then for DNS THEY (on MO) must arrange for their DNS
servers to resolve your zone(s).

In practice this means one of the following:

1) A common root (almost always impractical)

2) Cross secondary (they hold a secondary for your zone)
-- which is usually the only practical solution if they
use Win2000 (not Win2003)

3) Cross stub zone (pretty much like #2 but requires Win2003)

4) Conditional Forwarding -- also requires Win2003 on their
side to enable this.

(Technically there is a fifth choice in Win2003 but it only works
for a single forest so this doesn't seem to fit your situation: AD-DNS
replication forest wide.)



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Herb Martin]

Thanks very much for the informative reply.
They do have 2003;we have 2000
We are on different subnets 10.100.0.0/16 10.99.0.0/16 etc...
I 'believe' they have wins since they have 3 subnets as well...
What other information do you need?

Any remaining problems you have -- or questions.

Nothing above changes my answer, quoted below in this message
and elsewhere in this thread.

Does it make sense?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Hello all.

I have 2 separate domains being utilized where I work. One is the
administration/corporate domain. The > other is a resource domain.

Admin domain is MO.net
Resource domain is MT.net

MT trusts MO, MO does not trust MT. <this may be part of my issue....

Not if you have used the terms correctly. Normally the domain with
RESOURCES (to be shared or manged) must TRUST the domain
with USERS (who will be granted privileges.)

Active directory/Windows authentication between MO>MT works fine.

If this is not the same forest (which is implied by a one-way trust since
forest domains have automatic two-way trusts) the generally you need
NETBIOS name resolution to work.

DNS resolution between MO>MT does not.
I am only the admin for the MT domain...
MO is handled by a separate IT department.

Generally they must cooperate with you -- as they did for the
trust -- in setting up name resolution.

Unless you are on a SINGLE subnet you will need WINS servers
for NetBIOS resolution to work.

And you will need ALL DCs (at least) to be WINS clients if you
use WINS server, plus if you have more than one WINS server
they must be set to replicate.

I want to enable MO to resolve names on our network
carteblanche...If I make changes to my dns(such as alias'
for our webservices) I dont want to have to have MO put
in the alias' on their site, simply have them resolved on our
domain...right now name resolution is sporadic at best...

Then for DNS THEY (on MO) must arrange for their DNS
servers to resolve your zone(s).

In practice this means one of the following:

1) A common root (almost always impractical)

2) Cross secondary (they hold a secondary for your zone)
-- which is usually the only practical solution if they
use Win2000 (not Win2003)

3) Cross stub zone (pretty much like #2 but requires Win2003)

4) Conditional Forwarding -- also requires Win2003 on their
side to enable this.

(Technically there is a fifth choice in Win2003 but it only works
for a single forest so this doesn't seem to fit your situation: AD-DNS
replication forest wide.)



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]