Create a trust between two forests - one not named properly

Leythos

I have two forests that were created when we had no plans on connecting
the remote offices:

Forest1 locA.company.lan
Forest2 companyloc (notice no .lan or anything)

I have all the trusts working for the other remote offices (locB,
locC,...)

I can't seem to get a trust working between locA.company.lan and
companyloc - it always fails.

I have secondary DNS working between the forests, but I can't create a
trust between the improperly named forest.

Any ideas?

Thanks.
 
Tim Hines [MSFT]

What error do you receive when you attempt to create the trust? It could be
a DNS resolution problem because there are name registration problems with
single label DNS domain names.

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Leythos

I can ping the server (DNS server) in the single name domain from the
one I'm trying to trust with it.

In fact, when I set up the secondary DNS on locA.company.lan to pull a
copy from locBcompany it worked fine - I can see all the systems in
locBcompany in the DNS manager on locA.company.lan just fine.

The GUI for the trusts, from locA.company.lan, only gives an error
stating that the function cannot be completed and does not create the
trust (I didn't look in the event log).

I'll see if I can get more info and post it.
 
Tim Hines [MSFT]

There won't be an event in the evt log. You will get an error when creating
a trust. That is the error that I am looking for. A typical one is "the
specified domain does not exist or could not be contacted"

 
Leythos

Ok, I open the AD D&T, right click the W2003 domain name, Properties,
Trusts, NEW Trust, Wizard opens, Next, Trust Name (single domain name
entered 'locBcompany'), Select "Trust with a Windows Domain", enter
'locBcompany', click NEXT, get "Cannot continue. The new trust wizard
can not continue because the specified domain can not be located. Either
the domain does not exist, or network or other problems are preventing
connection"

Now, if I ping S2KSRV001.LOCBCOMPANY, it resolves and I get good ping
times. So, DNS is working, and I can even see the LOCBCOMPANY systems in
the DNS Forward and Reverse lookup Zones.
 
Tim Hines [MSFT]

Being able to ping a DC is not a good test of DNS resolution. When clients
look for DCs they search for SRV records in DNS. The same concept applies
to WINS resolution: being able to ping by host name doesn't guarantee that
name resolution is completely working. The client looks for a 0x1b record
in the WINS database to determine which servers are GCs. Verify that LDAP
SRV records are available for the DCs.

The following links discuss name resolution in AD:

247811 How Domain Controllers Are Located in Windows
http://support.microsoft.com/?id=247811

Name resolution in AD
http://www.microsoft.com/resources/...000/server/reskit/en-us/distsys/wsrvdsys.mspx

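
Added example, not part of the original thread or any poster's code: the point above (a host record that answers ping says nothing about the SRV records used to locate DCs) checked over zone data in Python. It assumes the zone copy is available as zone-file style text lines; the function names and the sample records, including the 192.0.2.10 address, are constructed for illustration.

```python
import re

# Subset of the SRV owner names a DC locator client looks up, relative to the
# domain's DNS name.
LOCATOR_SRV = ["_ldap._tcp", "_ldap._tcp.dc._msdcs",
               "_ldap._tcp.pdc._msdcs", "_kerberos._tcp"]

# Assumed input: zone-file style lines, "owner [ttl] IN type rdata".
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|SRV)\s+(.+)$", re.I)

# Constructed sample data (192.0.2.10 is a documentation address).
HOSTS_ONLY = "s2ksrv001.locbcompany. 1200 IN A 192.0.2.10\n"
WITH_SRV = HOSTS_ONLY + "".join(
    f"{p}.locbcompany. 600 IN SRV 0 100 {port} s2ksrv001.locbcompany.\n"
    for p, port in [("_ldap._tcp", 389), ("_ldap._tcp.dc._msdcs", 389),
                    ("_ldap._tcp.pdc._msdcs", 389), ("_kerberos._tcp", 88)])

def parse_zone(text):
    """Map (owner, type) to a list of rdata field lists for A and SRV lines."""
    records = {}
    for line in text.splitlines():
        m = RECORD.match(line.split(";")[0].strip())  # drop ';' comments
        if m:
            owner = m.group(1).lower().rstrip(".")
            key = (owner, m.group(2).upper())
            records.setdefault(key, []).append(m.group(3).split())
    return records

def check_domain(zone_text, domain):
    """Report which locator records exist for `domain` in the zone text."""
    domain = domain.lower().rstrip(".")
    records = parse_zone(zone_text)
    report = {"single_label": "." not in domain, "missing": [], "dcs": set()}
    for prefix in LOCATOR_SRV:
        owner = f"{prefix}.{domain}"
        for rdata in records.get((owner, "SRV"), []):
            target = rdata[-1].lower().rstrip(".")  # last SRV field is the host
            # An SRV target is only usable if its host record exists too.
            if (target, "A") in records:
                report["dcs"].add(target)
            else:
                report["missing"].append(f"A record for {target}")
        if (owner, "SRV") not in records:
            report["missing"].append(owner)
    return report

if __name__ == "__main__":
    for name, zone in [("hosts only", HOSTS_ONLY), ("with SRV", WITH_SRV)]:
        print(name, check_domain(zone, "LOCBCOMPANY"))
```

With the hosts-only sample the server name resolves, yet every locator name is reported missing; the `single_label` flag marks domain names with no dot, the case raised earlier in the thread.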
 
Leythos

Thanks, I'm reading them now.
 
Leythos

As a side note, I would have expected that if I can set up secondary DNS
pulls from the other server that they should be able to communicate with
each other. Maybe I should re-read what I just typed.
 
