Connecting two Windows 2000 forests together

Guest

Hi,

I'm the network admin at a school and we have just set up a test environment
with some old servers in a new active directory forest. Although the test lab
is on the same switch as the main network, it is on a different VLAN with
a different IP address range. What I am trying to do is let users in the test
lab access the Internet via the ISA 2000 server in the main network.

I have set up a trust between my two forests (both Windows 2000 AD). The lab
trusts the main network and the main network has the lab's network in its list
of domains trusted by itself. I set up the trusts through Active Directory
Domains and Trusts.

I have used the main network's WINS servers for the lab network.

The part I am having difficulty with is allowing the lab users access to the ISA
server. When I try to add groups from the lab's domain I can't. I think the
problem is DNS related. The main network has its own DNS servers, as does
the lab's network. My question is, after creating the trusts through Active
Directory Domains and Trusts what else do I need to do?

From the DC in the lab AD I can ping the domain controllers on the main
network by IP address and host name. Ping by FQDN doesn't work. Could I maybe
use the DNS server from the main network as my secondary DNS server on my
servers/clients in the Lab network?

Any help would be much appreciated.

Thanks,
Steven.
Herb Martin

smc2005 said:
> Hi,
>
> I'm the network admin at a school and we have just set up a test environment
> with some old servers in a new active directory forest. Although the test lab
> is on the same switch as the main network, it is on a different VLAN with
> a different IP address range. What I am trying to do is let users in the test
> lab access the Internet via the ISA 2000 server in the main network.

Except for the (perhaps) permissions on ISA, this is unrelated
to the Forests.

> I have set up a trust between my two forests (both Windows 2000 AD).

No. You have set up a trust (to or from) one of the domains
in the forest from/to a domain in the other forest. (Even if you
only have one domain in each forest the trusts are between
domains and have a direction.)

> The lab
> trusts the main network and the main network has the lab's network in its list
> of domains trusted by itself. I set up the trusts through Active Directory
> Domains and Trusts.
>
> I have used the main network's WINS servers for the lab network.

You really shouldn't mix the terms 'Domain', 'Forest', and 'Network'.

It is difficult to follow your scenario and likely leads to your
own confusion -- we all tend to be victims of our own
language.
> The part I am having difficulty with is allowing the lab users access to the ISA
> server. When I try to add groups from the lab's domain I can't.

That is because Lab --trusts-> Domain.

Users are always on the TRUSTED side. Resources on the
TRUSTING side. Since ISA is a resource, it must trust the
user (Lab in your request) side for this to be possible.
> I think the
> problem is DNS related.

Nope, it is a basic trust problem. Your trust is backwards
(for this job, although you might need the other trust for some
other resource sharing).

> The main network has its own DNS servers, as does
> the lab's network. My question is, after creating the trusts through Active
> Directory Domains and Trusts what else do I need to do?

You said you created ONE trust -- external trusts are
always ONE WAY.

> From the DC in the lab AD I can ping the domain controllers on the main
> network by IP address and host name.
> Ping by FQDN doesn't work.

Likely because you don't have DNS set up correctly
on the DNS server or even on the clients.

This IS likely a DNS problem. It works for simple names
due to broadcasts or due to WINS.

> Could I maybe
> use the DNS server from the main network as my secondary DNS server on my
> servers/clients in the Lab network?

Sure. "Cross secondaries" (DNS servers in one area/domain
holding secondaries for another area/domain) are a frequent
solution to the "multiple name trees" problem.

Here are the basics of DNS for AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients' NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set).
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
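As an added illustration of the trust-direction rule in the reply above (this is not part of the thread, and the domain names are made up), here is a small Python model of directed trusts, transitive within a forest and non-transitive for Windows 2000 external trusts; it shows why the lab's one-way trust cannot make lab users visible to an ISA server in the main domain, and that the reverse trust does.

```python
# Added illustration (not from the thread): a model of Windows 2000 trust
# direction. An edge (trusting, trusted) means the TRUSTING domain accepts
# principals from the TRUSTED domain, so resources live on the trusting side
# and users on the trusted side. All domain names here are constructed.
from collections import deque


class TrustGraph:
    def __init__(self):
        # (trusting, trusted) -> True if the trust is transitive
        self.edges = {}

    def add_external_trust(self, trusting, trusted):
        """Win2000 external (inter-forest) trust: one way, non-transitive."""
        self.edges[(trusting, trusted)] = False

    def add_forest_trust(self, a, b):
        """Parent/child trust inside one forest: two way, transitive."""
        self.edges[(a, b)] = True
        self.edges[(b, a)] = True

    def can_grant(self, resource_domain, user_domain):
        """Can an ACL on a resource in resource_domain name users from user_domain?"""
        if resource_domain == user_domain:
            return True
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for (trusting, trusted), transitive in self.edges.items():
                if trusting != cur or trusted in seen:
                    continue
                # A non-transitive trust only helps the domain that holds it.
                if not transitive and cur != resource_domain:
                    continue
                if trusted == user_domain:
                    return True
                if transitive:
                    seen.add(trusted)
                    queue.append(trusted)
        return False


def lab_scenario():
    """The thread's setup (lab trusts main) versus the trust ISA actually needs."""
    g = TrustGraph()
    g.add_external_trust(trusting="lab.example", trusted="main.example")
    backwards = g.can_grant("main.example", "lab.example")  # ISA lives in main
    g.add_external_trust(trusting="main.example", trusted="lab.example")
    fixed = g.can_grant("main.example", "lab.example")
    return backwards, fixed
```

`lab_scenario()` returns `(False, True)`: with only the lab trusting main, the ISA server in main cannot list lab groups; once main also trusts lab, it can.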