Multiple Domains in a Forest


Nathan Guidry

Situation: I have two domain controllers (tdc1 and tdc2) and two domains
(ms and ms2) in a forest, ms.com. tdc1 is a dc in the ms.com domain and
tdc2 is a dc in the ms2.com domain. Because they are DCs in the same forest,
ms.com, the trust relation is created automatically. From tdc2, I created a
Domain Local Group and was able to add users from the ms.com domain.
However, when I try to do the reverse and add users from the ms2.com domain
to a domain local group in the ms.com domain, I get a "server is not
operational" error. I need to add the administrator account from the
ms2.com domain to the enterprise admins group, which is on the ms.com
domain.

Both DCs have DNS installed and configured the same way. What I've noticed
on the ms.com dc (tdc1) is that under AD sites\servers when it lists the
servers, it shows tdc1 being in the ms.com domain, but for tdc2 it has no
domain listed. However when I go to the ms2.com dc (tdc2) under AD
sites\servers, it lists tdc2 in the ms2.com domain and tdc1 in the ms.com
domain.

What am I missing??? Why does the domain name not show up for tdc2 in AD
sites on the tdc1 dc?
 

Herb Martin

Nathan Guidry said:
Situation: I have two domain controllers (tdc1 and tdc2) and two domains
(ms and ms2) in a forest, ms.com. tdc1 is a dc in the ms.com domain and
tdc2 is a dc in the ms2.com domain. Because they are DCs in the same forest,
ms.com, the trust relation is created automatically. From tdc2, I created a
Domain Local Group and was able to add users from the ms.com domain.
However, when I try to do the reverse and add users from the ms2.com domain
to a domain local group in the ms.com domain, I get a "server is not
operational" error. I need to add the administrator account from the
ms2.com domain to the enterprise admins group, which is on the ms.com
domain.

Both DCs have DNS installed and configured the same way. What I've noticed
on the ms.com dc (tdc1) is that under AD sites\servers when it lists the
servers, it shows tdc1 being in the ms.com domain, but for tdc2 it has no
domain listed. However when I go to the ms2.com dc (tdc2) under AD
sites\servers, it lists tdc2 in the ms2.com domain and tdc1 in the ms.com
domain.

Do these DCs have their full name set in "System Properties"?

Almost all such problems are DNS related.

Try running DCDiag on each DC, and save output to a file and
search for FAIL, WARN, ERROR.

Also ensure that DCs and clients on ms2.com can resolve ALL DNS
names for both domains, and for ms1.com the same thing for ms2.com.

What am I missing??? Why does the domain name not show up for tdc2 in AD
sites on the tdc1 dc?

Usually it's a missing common root or missing "cross secondaries" etc.

Since one of the domains cannot find the DNS for the other it works in
one direction only.
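The checks suggested in the reply above, as an added example that is not part of the original thread or anyone's posted code: it runs DCDiag on the DC you are logged on to, saves the full output to a file and searches it for FAIL / WARN / ERROR, then confirms that this DC can resolve the DNS records it needs for BOTH domains and that the DC locator can actually find a DC in each domain (the lookup that fails with "server is not operational"). Run it on tdc1 and then on tdc2 and compare the two results. It assumes you run it as a domain admin on a DC, that dcdiag.exe and nltest.exe are present (they are on any DC), and that Resolve-DnsName is available (DnsClient module, Windows Server 2012 or later; on older systems substitute nslookup). The names ms.com (forest root) and ms2.com come from the thread; $ForestRoot, $Domains and $LogDir are this example's own variables.

```powershell
# Added example, not from the thread. Automates the advice in the reply:
#   1. dcdiag on this DC, saved to a file, searched for FAIL / WARN / ERROR
#   2. DNS resolution of the records a DC needs for each domain in the forest
#   3. DC locator test for each domain (what "server is not operational" hides)
# Assumptions: run as a domain admin on a DC; dcdiag.exe / nltest.exe present;
# Resolve-DnsName available (Server 2012+). Domain names are the thread's.

$ForestRoot = 'ms.com'                     # forest root domain from the thread
$Domains    = @('ms.com', 'ms2.com')       # every domain in the forest
$LogDir     = Join-Path $env:TEMP 'dcdiag' # where the full dcdiag output is kept
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# --- 1. DCDiag: keep the full verbose output, then search it for problems ----
$log = Join-Path $LogDir ('dcdiag-{0}-{1:yyyyMMdd-HHmm}.txt' -f $env:COMPUTERNAME, (Get-Date))
dcdiag /v /c | Out-File -FilePath $log -Encoding UTF8

# Select-String is case-insensitive by default, so "Warning:" lines match too.
$hits = Select-String -Path $log -Pattern 'FAIL|WARN|ERROR'
if ($hits) {
    Write-Warning ('DCDiag: {0} line(s) flagged, full output in {1}' -f $hits.Count, $log)
    $hits | ForEach-Object { '  line {0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
} else {
    Write-Host "DCDiag: no FAIL/WARN/ERROR lines (full output in $log)"
}

# --- 2. DNS: records a DC must resolve to find a DC in another domain --------
# Per domain: the domain's own A record plus the _ldap and _kerberos SRV
# records under _msdcs; plus the forest-wide global catalog SRV record, which
# lives under the forest root. If any of these fail on one DC but not the
# other, that DC's DNS is missing the other domain's zone (the "common root"
# or "cross secondaries" the reply refers to).
$records = foreach ($d in $Domains) {
    [pscustomobject]@{ Name = $d;                            Type = 'A'   }
    [pscustomobject]@{ Name = "_ldap._tcp.dc._msdcs.$d";     Type = 'SRV' }
    [pscustomobject]@{ Name = "_kerberos._tcp.dc._msdcs.$d"; Type = 'SRV' }
}
$records += [pscustomobject]@{ Name = "_ldap._tcp.gc._msdcs.$ForestRoot"; Type = 'SRV' }

foreach ($r in $records) {
    try {
        # -DnsOnly skips the hosts file / NetBIOS so only the DC's configured
        # DNS servers are consulted, which is what the DC locator relies on.
        $answer  = Resolve-DnsName -Name $r.Name -Type $r.Type -DnsOnly -ErrorAction Stop
        $targets = ($answer | Where-Object { $_.Type -eq $r.Type } |
                    ForEach-Object { if ($r.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }) -join ', '
        Write-Host ('DNS OK   {0,-40} {1,-4} -> {2}' -f $r.Name, $r.Type, $targets)
    } catch {
        Write-Warning ('DNS FAIL {0,-40} {1,-4} : {2}' -f $r.Name, $r.Type, $_.Exception.Message)
    }
}

# --- 3. DC locator: the same lookup the group-membership dialog performs ----
# /force bypasses the locator cache so a stale answer cannot mask a DNS fix.
foreach ($d in $Domains) {
    Write-Host "`nnltest /dsgetdc:$d /force"
    nltest /dsgetdc:$d /force
}
```

Run it once on each DC. The thread's symptom (works from tdc2 towards ms.com, fails from tdc1 towards ms2.com) would show up as the `_msdcs.ms2.com` SRV lookups and the `nltest /dsgetdc:ms2.com` call failing only on tdc1, which points at tdc1's DNS server lacking the ms2.com zone rather than at the trust itself. Keep the saved dcdiag file; the FAIL/WARN/ERROR lines are a summary, and the context around them in the full output is what usually names the missing record.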
 
