Setting up a Trust Relationship

LeeLee

I'm trying to set up a trust relationship between our
system and another system that is in our forest but on a
separate domain, and when trying to set up the trust
I'm receiving an error message saying "domain cannot be
contacted." However, I can ping the site and trace route
it but still get no connection when trying to set up the
trust relationships. Any ideas?
 
ptwilliams

The DNS SRV record that tells you where to locate a DC and GC cannot be
found. You will need to access the other domain's DNS, and the other domain
yours. This is usually achieved through DNS servers hosting secondary zones
of those DNS zones in the other domain.

However, are you sure there's not a trust in place already? All domains in
a forest trust one another. Although, perhaps they cannot because of the
lacking DNS info.?

--

Paul Williams
_________________________________________
http://www.msresource.net - Under construction, but coming soon...


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
LeeLee

It's in place on the other end (server), however, not on
my end. I am able to ping and trace route the server but
not able to connect when setting up trust. However, when
pinging the host name I get a different IP address ... but
the correct IP address was entered, and yet when I ping I
still get the old IP address, which I'm sure this is one
of my problems.
 
Herb Martin

LeeLee said:
It's in place on the other end (server), however, not on
my end. I am able to ping and trace route the server but
not able to connect when setting up trust. However, when
pinging the host name I get a different IP address ... but
the correct IP address was entered, and yet when I ping I
still get the old IP address, which I'm sure this is one
of my problems.

As "pt" pointed out there is already an effective trust
between every domain in the same forest -- so unless
you are trying to establish a "shortcut trust" to improve
performance or WAN utilization then you don't need
(or want) another trust.

This is a sign however, in almost every case, that you
have a NAME RESOLUTION problem.

DNS is the usual culprit, but with "manual trusts" NetBIOS
and the WINS servers (or lack of them, or failure for them
to replicate) are frequently at fault.

Run DCDiag on every DC and send the output to text files;
search the files for FAIL, WARN, or ERROR and fix, or
report these here.

All of your DNS zones supporting AD domains must be
"dynamic". All of your DNS servers used by clients must
use the same "common root" and be properly delegated so
that every DNS child zone can be found (or you must
artificially arrange this by holding "extra secondaries or
stubs (Win2003 only)" on every DNS server.)

All clients must be configured to use ONLY the internal
DNS server (set) -- which are able to resolve from ANYWHERE
in the forest tree or trees.

DCs are DNS clients too -- see previous paragraph -- as are
DNS servers and other servers.

If you need "Internet" resolution, then (some of) your internal
DNS servers must forward outside to your ISP or Firewall
DNS or perform the actual recursion physically.

Clients, including servers, must NOT be set to a mixture of
internal and external DNS.
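
The checks suggested in the replies above (SRV lookup for a DC and GC, the stale host address, DCDiag on every DC), as an added example that is not part of the original posts. The domain names, host name and IP address are placeholders, and it assumes a Windows host with the DnsClient and ActiveDirectory (RSAT) PowerShell modules and dcdiag installed.

```powershell
# Added example; every name and address below is a placeholder, not a value from the thread.
$PeerDomain = 'child.example.com'    # hypothetical: DNS name of the other domain
$ForestRoot = 'example.com'          # hypothetical: DNS name of the forest root domain
$DcHost     = "dc1.$PeerDomain"      # hypothetical: DC you expect to reach
$ExpectedIp = '192.0.2.10'           # hypothetical: address that DC should have
$OutDir     = Join-Path $env:TEMP 'dcdiag-logs'

# 1. The SRV records used to locate a DC in the peer domain and a GC in the forest.
#    If these fail, "domain cannot be contacted" is expected even though ping works.
$srvNames = "_ldap._tcp.dc._msdcs.$PeerDomain", "_ldap._tcp.gc._msdcs.$ForestRoot"
foreach ($name in $srvNames) {
    try {
        Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port
    } catch {
        Write-Warning "SRV lookup failed for ${name}: $($_.Exception.Message)"
    }
}

# 2. Stale host record: compare what DNS answers for the DC with the address you expect.
$answers = (Resolve-DnsName -Name $DcHost -Type A -DnsOnly -ErrorAction SilentlyContinue).IPAddress
if ($answers -notcontains $ExpectedIp) {
    Write-Warning "$DcHost resolves to '$($answers -join ', ')', expected $ExpectedIp"
}

# 3. Run DCDiag against every DC in the current domain, one text file per DC.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    dcdiag "/s:$dc" | Out-File -FilePath (Join-Path $OutDir "$dc.txt") -Encoding ascii
}

# 4. Search the files for FAIL, WARN or ERROR (Select-String is case-insensitive,
#    so this also matches "failed test", "Warning" and "Error").
Select-String -Path (Join-Path $OutDir '*.txt') -Pattern 'FAIL|WARN|ERROR' |
    Select-Object Filename, LineNumber, Line
```

Run it once from a DC or member server in each domain, since each side has to resolve the other's records.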
 
LeeLee

Thanks guy - you have been helpful.
 