I need help creating forest trusts

Ace Fekay [MVP]

Fran said:
I'm hitting new heights! I got DomainB to trust DomainA (in both
windows ... trusting and trusted in AD Domains & Trusts on DomainB
PDC.)

However, when I go to DomainA and try to establish the two way trust
I get an error when I hit VERIFY:
-----------------------------------------
"Information from the PDC for DomainB cannot be obtained because: The
RPC server is unavailable.

Make sure that the PDC is operating properly and then try again."
-----------------------------------------

I also tried to set up a secondary DNS zone on both (read somewhere
that this will help speed up both sides, too.) I was able to set up
the secondary zone on DomainB (for DomainA) but when I tried to set up
the secondary DNS zone on DomainA for DomainB I get an error (big red
X) as follows:
-----------------------------------------
The DNS server encountered an error while attempting to load the zone.
The transfer of the data from the master server failed.

Please correct the problem then either press F5, or on the Action menu,
Click Refresh.
-----------------------------------------

Naturally there's a problem here somewhere but how can I tell? I checked
both PDCs and the RPC service is running on both servers. I ran
DCDiag /Fix and NetDiag /Fix on both servers and they're both fine.

What can I run to see why DNS won't transfer? Do you think this is the
same problem of the trusts?

-Fran-

Hi Fran,

Is there a firewall or something controlling traffic between the domains?

Ace
 
Fran

No, these DCs are behind the same firewall and they're on the same
subnet so all the traffic is unfiltered.
 
Ace Fekay [MVP]

Fran said:
No, these DCs are behind the same firewall and they're on the same
subnet so all the traffic is unfiltered.

Is there a security policy defined on DomainA preventing communication?
(IPSec, or a stronger security policy?)

Ace
 
Fran

Ace said:
Is there a security policy defined on DomainA preventing communication?
(IPSec, or a stronger security policy?)

Ace

No, the only policies that are on DomainA are default policies. None
have been created (and this is a Windows 2000 server network.)
 
Ace Fekay [MVP]

Fran said:
No, the only policies that are on DomainA are default policies. None
have been created (and this is a Windows 2000 server network.)

Any services turned off or disabled such as NetBIOS, or such?

Other than that, I can't think of anything else that would block NetBIOS
communication between the two domains especially if they are on the same
subnet. Maybe someone else can hopefully respond if I missed something.

Ace
 
Fran

You got me thinking to check the services. I looked at DNS on both
sides. On DomainB I was able to set up a secondary zone for DomainA
but on DomainA I could not set up a Secondary Zone for DomainB. I
delved into the DNS settings on DomainB and found that the security
had been set not to allow zone transfers. I unchecked that, went to
DomainA's DC and created a secondary zone for DomainB (finally) and
then when I tried to create a two way trust it was able to verify and
create it! FINALLY!

I really have to thank you for all your help, Ace! I don't think I
would have gotten this resolved without your assistance. Now I have to
get the Universal Group stuff down and start setting up membership
usage.

-Fran-
 
Ace Fekay [MVP]

Fran said:
You got me thinking to check the services. I looked at DNS on both
sides. On DomainB I was able to set up a secondary zone for DomainA
but on DomainA I could not set up a Secondary Zone for DomainB. I
delved into the DNS settings on DomainB and found that the security
had been set not to allow zone transfers. I unchecked that, went to
DomainA's DC and created a secondary zone for DomainB (finally) and
then when I tried to create a two way trust it was able to verify and
create it! FINALLY!

I really have to thank you for all your help, Ace! I don't think I
would have gotten this resolved without your assistance. Now I have to
get the Universal Group stuff down and start setting up membership
usage.

-Fran-

Wow, DNS did it? Hmm. NetBIOS is for external type trusts, but forest trusts
in Win2003 are DNS based.

Either way, I am really glad you finally got it working. No prob for the
help, I tried my best, and whether I actually came up with the solution or
not, I am glad you did.

:)

Ace
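
An added example, not part of the original thread: one way to check the DNS side of this failure from the command line and then permit zone transfers only to the other domain's DNS server instead of leaving them open. It assumes dnscmd from the Windows Support Tools is installed; the zone name and IP addresses are constructed placeholders.

```batch
@echo off
rem Constructed placeholders (not from the thread): substitute your own values.
rem ZONE_B = DomainB's DNS zone name
rem DNS_A  = IP of DomainA's DNS server (the one that will host the secondary zone)
rem DNS_B  = IP of DomainB's DNS server (the master for ZONE_B)
set ZONE_B=domainb.example
set DNS_A=192.0.2.10
set DNS_B=192.0.2.20

rem 1. Ask DomainB's DNS server directly for the zone's SOA record.
rem    If this answers while the secondary zone on DomainA still shows the
rem    red X, the server is reachable and the transfer itself is being refused.
nslookup -type=soa %ZONE_B% %DNS_B%

rem 2. Show the zone's current settings on DomainB's DNS server,
rem    including how zone transfers are configured.
dnscmd %DNS_B% /ZoneInfo %ZONE_B%

rem 3. Allow transfers only to DomainA's DNS server and notify only that
rem    server of changes, rather than allowing transfers to any server.
dnscmd %DNS_B% /ZoneResetSecondaries %ZONE_B% /SecureList %DNS_A% /NotifyList %DNS_A%

rem 4. On DomainA's DNS server, retry loading the secondary zone from the master.
dnscmd %DNS_A% /ZoneRefresh %ZONE_B%

rem 5. Confirm DomainA's DNS server can now resolve DomainB's PDC locator
rem    record, which the trust verification needs in order to find the PDC.
nslookup -type=srv _ldap._tcp.pdc._msdcs.%ZONE_B% %DNS_A%
```

The same restriction is available in the DNS console on the zone's Zone Transfers tab by choosing "Only to the following servers" and listing the other domain's DNS server.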
 
