Unable to create a transitive trust between domains

[dpresley]

I have 2 win2k advanced server boxes.. each on their own domain. I am unable to create a trust with them. When ever i try to create a trust from the AD domains and trusts console, it says cant contact the domain "insertnamehere", YET browsing thru the network shows the other computer up.. I can ping them... i can even browse them, just cant get the friggin thing to create the trust.

On a side note, i had originally intended to make the second domain an additional DC in the domain, but during dcpromo, it gave me the error "cant find domain "insertnamehere" !!!! wth!

Any help or advice would be greatly appreciated.
Thanks!

Dave Presley
Psuedo Network & Systems Administrator
Premier, Air Academy & Thomas Jefferson High Schools
dpresley@qwest.net

 

[dpresley]

Bet i just figured it out....

When i created the DC and domain, i have myself with "administrator" rights...

Have to be a "Domain Admin" ????



DUH


Dave Presley
Network & Systems Administrator
Premier, Air Academy & Thomas Jefferson High Schools
dpresley@qwest.net

MCP

 

[dpresley]

Okay.. so that wasnt it. Administrators by default are already included in the DomainAdmins group.
SOooo.. Still looking for any thoughts or advice.



Dave Presley
Network & Systems Administrator
Premier, Air Academy & Thomas Jefferson High Schools
dpresley@qwest.net

MCP

 

[redwhip]

When you setup a trust the domains need to be able to find each others SRV records in DNS.
They can do this by using DNS forwarders to resolve any SRV records they can't find locally.

 

[vbrocks]

You have to add the servers manually to each others dns database, goto dns, right click on server, select add host, and enter the other servers info ....

 

[vbrocks]

Sorry, previous post entry should have read ...

You have to add the servers manually to each others dns database, goto dns, right click on server, select forwarders tab, enable forwarders and enter the other servers info ....

Tried to do from memory, but memory not so good...

 

[dpresley]

So instead of putting the internet service providers DNS in the forwarders place... put each others DNS info in?
kk.. sounds like a plan... I wont be able to test that out till monday but i'll post with the results.
THANKS!



Dave Presley
Network & Systems Administrator
Premier, Air Academy & Thomas Jefferson High Schools
dpresley@qwest.net

MCP

 

[xmsre]

If They're in the same forest, you already have transitive trust. The only thing you could additionally create would be a shortcut trust.

If you had two forests, you cannot create a transitive trust between two forests in windows 2000. That feature is first available in windows 2003. All you get between domains is different forests in W2K is downlevel NTLM trust.

 

[dpresley]

No.. two separate domains on the same physical network. (not that THAT matters)
Ima try putting their respective dns numbers as forwarders... See if that works.. You can put more than one dns number as a forwarding number yes?

Dave Presley
Network & Systems Administrator
Premier, Air Academy & Thomas Jefferson High Schools
dpresley@qwest.net

MCP

 

[vbrocks]

Yes ....

 

[xmsre]

I wouldn't make them each other's forwarders, just create a standard secondary zone on each for the other's primary.

 

[dpresley]

Xmsre but thats for DC's and zones in a single domain isnt it?

Dave Presley
Network & Systems Administrator
Premier, Air Academy & Thomas Jefferson High Schools
dpresley@qwest.net

MCP

 

[xmsre]

A stanard secondary does not rely on AD, or the windows platform; domains don't make any difference. You'll rely on zone transfers or notifys.

 

[redwhip]

I made this work recently just by using forwarders. I had to make the other domain's DNS server the 1st forwarder in the list to make the trust. After the trust was created I moved it down the list and the trust still worked.