Trust Problem

Guest

I have two separate forests (which happen to be on the same subnet), consisting of one DC in each forest in a test situation. The DCs are running DNS of course. I am trying to set up a trust between the two domains (in separate forests), but it fails with the error that the "domain can't be found" in reference to the other domain (in the other forest). Having DCs (by machine name) from forest #1 in the DNS of forest #2 (and vice versa) doesn't seem to help either.

Can someone offer some advice to help the domains find one another when trying to establish a trust?
 
Simon Geary

Try creating a secondary zone for the other forest in the DNS of both DC's.
So in forest 1 you create a secondary zone for the forest 2 domain.
In Forest 2 you create a secondary zone for the forest 1 domain.

Much the same effect can be had by zone delegations but in a test
environment creating a secondary zone is probably quicker.

rsmith said:
I have two separate forests (which happen to be on the same subnet),
consisting of one DC in each forest in a test situation. The DCs are
running DNS of course. I am trying to setup a trust between the two domains
(in separate forests), but it fails with the error that the "domain can't be
found" in reference to the other domain (in the other forest). Having DCs
(by machine name) from forest #1 in the DNS of forest #2 (and vice versa)
doesn't seem to help either.
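An added example (not from this thread) of the secondary-zone setup Simon describes, written for the DnsServer module on a current Windows DC. The forest names and DC IP addresses are assumed placeholders; run it on each DC with the local and remote values swapped.

```powershell
# Added example, not from the original thread. Assumed names: forest1.test / forest2.test,
# DC IPs 10.0.0.11 (forest 1) and 10.0.0.12 (forest 2). Run on each DC with values swapped.
param(
    [string]$LocalZone  = 'forest1.test',   # zone this DC is primary for
    [string]$RemoteZone = 'forest2.test',   # the other forest's domain
    [string]$RemoteDcIP = '10.0.0.12'       # the other forest's DC (master for $RemoteZone)
)

# 1. On this DC's own primary zone: permit zone transfers only to the other forest's DC,
#    not to any host that asks, so the copy of internal records goes to one known server.
Set-DnsServerPrimaryZone -Name $LocalZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $RemoteDcIP

# 2. Create a secondary copy of the other forest's domain zone, pulled from its DC.
if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $RemoteZone `
        -ZoneFile "$RemoteZone.dns" `
        -MasterServers $RemoteDcIP
}

# 3. Verify the transfer worked: the trust wizard locates the remote domain through its
#    _msdcs SRV records, and a missing answer here is what "domain can't be found" reflects.
function Test-TrustDns {
    param([string]$Domain)
    $results = [ordered]@{}
    foreach ($rr in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")) {
        $srv = Resolve-DnsName -Name $rr -Type SRV -ErrorAction SilentlyContinue
        $results[$rr] = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
    }
    $results   # hashtable of record name -> $true/$false
}

Test-TrustDns -Domain $RemoteZone
```

Both entries should report $true on each DC before the trust is created; a $false on one side means that DC's zone transfer or master address needs checking first.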
 
Guest

That was the ticket Simon - thanks. The secondary zone worked fine. What would be the best solution if one of the domains were in a DMZ and you didn't want a secondary zone setup containing internal DNS information?
 
Simon Geary

A zone delegation could be used here but as the DNS server will be in a DMZ
this would still expose the internal IP address of the internal DNS server
although it still exposes less information than a secondary zone. It's
generally considered to be a security risk to have any domain controllers in
a DMZ for reasons such as these. I would review your AD architecture if at
all possible although zone delegations could still be used if there is no
alternative.

rsmith said:
That was the ticket Simon - thanks. The secondary Zone worked fine. What
would be the best solution if one of the domains were in a DMZ and you
didn't want a secondary zone setup containing internal DNS information?
 