Trust Problem

I have two separate forests (which happen to be on the same subnet), consisting of one DC in each forest in a test situation. The DCs are running DNS of course. I am trying to set up a trust between the two domains (in separate forests), but it fails with the error that the "domain can't be found" in reference to the other domain (in the other forest). Having DCs (by machine name) from forest #1 in the DNS of forest #2 (and vice versa) doesn't seem to help either.

Can someone offer some advice to help the domains find one another when trying to establish a trust?
 
Try creating a secondary zone for the other forest in the DNS of both DCs.
So in forest 1 you create a secondary zone for the forest 2 domain.
In Forest 2 you create a secondary zone for the forest 1 domain.

Much the same effect can be had by zone delegations but in a test
environment creating a secondary zone is probably quicker.

rsmith said:
I have two separate forests (which happen to be on the same subnet),
consisting of one DC in each forest in a test situation. The DCs are
running DNS of course. I am trying to set up a trust between the two domains
(in separate forests), but it fails with the error that the "domain can't be
found" in reference to the other domain (in the other forest). Having DCs
(by machine name) from forest #1 in the DNS of forest #2 (and vice versa)
doesn't seem to help either.
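Simon's suggestion carried out in PowerShell, as an added example rather than anything posted in the thread. It assumes forest 1's domain is forest1.test with its DC/DNS server at 192.0.2.10, forest 2's domain is forest2.test with its DC/DNS server at 192.0.2.20, the DnsServer module (Windows Server 2012 or later) and that each section is run on the DC it names as a Domain Admin; every name and address is a placeholder. It goes one step past the post: it checks the record the trust wizard actually looks up (the _ldap._tcp.dc._msdcs SRV record for the other domain) before creating the forest trust through the .NET ActiveDirectory classes, which is why adding the remote DC by machine name alone did not help.

```powershell
# Added example; zone names, hostnames and addresses are placeholders (assumptions).
$Forest1 = @{ Zone = 'forest1.test'; Dns = '192.0.2.10' }   # dc1.forest1.test
$Forest2 = @{ Zone = 'forest2.test'; Dns = '192.0.2.20' }   # dc2.forest2.test

# Step 1 - run on dc1 (forest 1): let dc2 pull forest1.test, then pull forest2.test from dc2.
# A secondary zone is filled by zone transfer (AXFR), so the master must permit the transfer
# first; otherwise the secondary stays empty and "domain can't be found" persists.
Set-DnsServerPrimaryZone -Name $Forest1.Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Forest2.Dns
Add-DnsServerSecondaryZone -Name $Forest2.Zone -ZoneFile "$($Forest2.Zone).dns" `
    -MasterServers $Forest2.Dns

# Step 2 - run on dc2 (forest 2): the mirror image.
Set-DnsServerPrimaryZone -Name $Forest2.Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Forest1.Dns
Add-DnsServerSecondaryZone -Name $Forest1.Zone -ZoneFile "$($Forest1.Zone).dns" `
    -MasterServers $Forest1.Dns

# Step 3 - on either DC, confirm the transfer landed and that the DC-locator SRV record
# for the OTHER domain resolves through the LOCAL DNS server. This is the lookup the
# trust wizard performs; an A record for the remote DC's machine name is not enough.
function Test-TrustDnsPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $RemoteDomain,
        [Parameter(Mandatory)] [string] $LocalDnsServer
    )
    $zone = Get-DnsServerZone -Name $RemoteDomain
    if ($zone.ZoneType -eq 'Secondary' -and $zone.IsShutdown) {
        throw "Secondary zone $RemoteDomain has not transferred yet; check SecureSecondaries on the master."
    }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV `
               -Server $LocalDnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srv) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $LocalDnsServer -ErrorAction Stop
        '{0,-30} -> {1}' -f $rec.NameTarget, ($a.IPAddress -join ', ')
    }
}
Test-TrustDnsPrerequisites -RemoteDomain $Forest2.Zone -LocalDnsServer $Forest1.Dns   # on dc1
nltest "/dsgetdc:$($Forest2.Zone)" /force    # the DC locator must succeed as well

# Step 4 - once both sides resolve each other, create a two-way forest trust from forest 1.
# Needs Enterprise Admin in both forests; the remote credential is prompted for, never stored.
$cred = Get-Credential -Message "Enterprise Admin in $($Forest2.Zone)"
$ctx  = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
            [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
            $Forest2.Zone, $cred.UserName, $cred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().CreateTrustRelationship(
    $remote, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive
```

The zones can stay AD-integrated on their primaries; a secondary on a server outside that forest is a plain file-backed copy filled by AXFR, which is why step 1 explicitly lists the other DC as an allowed transfer target rather than opening transfers to any server. Once the trust exists, consider turning on selective authentication (netdom trust ... /SelectiveAUTH:yes) so users from the other forest can only reach resources they are explicitly granted.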
 
That was the ticket Simon - thanks. The secondary zone worked fine. What would be the best solution if one of the domains were in a DMZ and you didn't want a secondary zone set up containing internal DNS information?
 
A zone delegation could be used here, but as the DNS server will be in a DMZ,
this would still expose the internal IP address of the internal DNS server,
although it still exposes less information than a secondary zone. It's
generally considered to be a security risk to have any domain controllers in
a DMZ for reasons such as these. I would review your AD architecture if at
all possible, although zone delegations could still be used if there is no
alternative.

rsmith said:
That was the ticket Simon - thanks. The secondary zone worked fine. What
would be the best solution if one of the domains were in a DMZ and you
didn't want a secondary zone set up containing internal DNS information?
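The delegation Simon mentions, as an added example that is not from the thread. It assumes the internal forest is corp.example (DNS server 10.0.0.10) and that the DMZ forest was named as a child of it, dmz.corp.example (DNS server 192.0.2.20); names and addresses are placeholders. That naming is the condition for a delegation to apply at all: a delegation only points a parent zone at the name servers for one of its child names, so a DMZ forest with an unrelated name would need a secondary zone or a forwarder on the internal side instead. The reverse direction, the DMZ server finding corp.example, is covered here with a conditional forwarder, which is the editor's addition rather than something the reply proposes: the DMZ server learns only the internal DNS server's address (the exact exposure the reply warns about) and holds no copy of the internal zone, and the internal zone is locked against transfer so the DMZ box cannot pull it.

```powershell
# Added example; zone names and addresses are placeholders (assumptions).
$Internal = @{ Zone = 'corp.example';     Dns = '10.0.0.10'  }  # internal DC/DNS
$Dmz      = @{ Zone = 'dmz.corp.example'; Dns = '192.0.2.20' }  # DC/DNS sitting in the DMZ

# --- On the internal DNS server (10.0.0.10) ---
# 1. Refuse zone transfers of the internal zone to everyone. A host in the DMZ must never
#    be able to AXFR the internal namespace, so the DMZ DNS is not listed as a secondary.
Set-DnsServerPrimaryZone -Name $Internal.Zone -SecureSecondaries NoTransfer

# 2. Delegate the child name to the DMZ DNS server. Only an NS record and its glue A record
#    are added to corp.example; no DMZ data is copied inward, and internal clients asking
#    for anything under dmz.corp.example are referred to 192.0.2.20.
Add-DnsServerZoneDelegation -Name $Internal.Zone -ChildZoneName 'dmz' `
    -NameServer "dns1.$($Dmz.Zone)" -IPAddress $Dmz.Dns

# --- On the DMZ DNS server (192.0.2.20) ---
# 3. Conditional forwarder (editor's addition, not in the thread): queries for corp.example
#    are forwarded one at a time to 10.0.0.10. The DMZ server now knows the internal DNS
#    server's address, which is the exposure the reply warns about, but it can answer only
#    the names it is asked for and cannot enumerate the zone.
Add-DnsServerConditionalForwarderZone -Name $Internal.Zone -MasterServers $Internal.Dns

# 4. Verify from the DMZ side: the DC-locator record the trust needs resolves, while the
#    internal zone exists here only as a Forwarder, never as a Secondary holding a copy.
$zone = Get-DnsServerZone -Name $Internal.Zone
if ($zone.ZoneType -ne 'Forwarder') {
    throw "$($Internal.Zone) must not be hosted in the DMZ (found zone type $($zone.ZoneType))"
}
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Internal.Zone)" -Type SRV -Server $Dmz.Dns |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# 5. Verify from the internal side: the delegation answers for the DMZ forest.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Dmz.Zone)" -Type SRV -Server $Internal.Dns |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port
```

DNS is only the smaller part of the exposure the reply is pointing at: for the trust to function, the DMZ DC must also reach internal DCs over RPC, LDAP, Kerberos and SMB, which is the real reason a domain controller in a DMZ is treated as an architecture problem rather than a DNS one.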
 