Trust between forests

Hi all

I need help please, since I've never done before.

As I want to create trust between 2 different forests to be able to use ADMT.

Here is my situtation

The current network

Domain name: old.com
1 DC 2k3 at funtional level 2003 (DNS, DHCP, File server)
Subnet 192.168.0.0 / 24

The new domain

Domain name: new.com.local
1 DC 2k3 at functional level 2003 (DNS forwardLookup Zone is configured, NOT
reverseLookup zone yet)
Subnet 192.168.11.0 /24

Then I connected the new DC server physically to the existing network
(192.168.0.0/24) via a switch which I am not quite sure it is right thing to
do.

And I tried to set up the trust between 2 forests (2 domains). After
following the Wizard I got this message. “The name you specified is not a
valid Windows domain name. Is the specified name a Kerberos V5 realm?�
The same thing happens at the other DC. it does not seem to see each other.

Thanks a lot in advance.

Hello vdz,

Are both forests on forest functional level windows server 2003 or only the
domains? http://support.microsoft.com/kb/322692

Please post also an unedited ipconfig /all from both DC's.

Did you transfer the zones between the DNS servers?

Did you setup a forwarder so that DNS requests are sent to the proper DNS
server?


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi all
>
> I need help please, since I've never done before.
>
> As I want to create trust between 2 different forests to be able to
> use ADMT.
>
> Here is my situtation
>
> The current network
>
> Domain name: old.com
> 1 DC 2k3 at funtional level 2003 (DNS, DHCP, File server)
> Subnet 192.168.0.0 / 24
> The new domain
>
> Domain name: new.com.local
> 1 DC 2k3 at functional level 2003 (DNS forwardLookup Zone is
> configured, NOT
> reverseLookup zone yet)
> Subnet 192.168.11.0 /24
> Then I connected the new DC server physically to the existing network
> (192.168.0.0/24) via a switch which I am not quite sure it is right
> thing to do.
>
> And I tried to set up the trust between 2 forests (2 domains). After
> following the Wizard I got this message. “The name you specified is
> not a
> valid Windows domain name. Is the specified name a Kerberos V5 realm?�
> The same thing happens at the other DC. it does not seem to see each
> other.
> Thanks a lot in advance.
>

Dear Customer,

Thank you for posting in newsgroup.

According to the description, the issue seems to be related to trust
relationship. If I have any misunderstanding, please feel free to let me
know.

Before we move on, here are some questions that I want to confirm with you.

When you connected the new DC server physically to the existing network,
can you ping through the old DC from the new DC by IP address and by name?

Analysis and Suggestions:
=====================

This issue may be a network connective issue. Personally, I would like to
suggest that you make both the old and the new DC in the same subnet (ex.
192.168.0.0/24). Moreover, it is better to make the old DC as the DNS
forwarder of the new DC, and the new DC as the DNS forwards of the old DC.
Afterwards, please check if you can ping through the old domain (old.com)
from the new domain (new.com.local) and vice versa.

Hope it helps. I will wait for the reply.

David Shen
Microsoft Online Partner Support

Thank you David and Meinolf

it was only domain funtional level, I raised to Forest functional level now
(thanks for that Meinolf)

Then I followed David's suggestion, everything went well (thank you David)
until on the OLD DC, I validated the trust outgoing as well as incoming, I
got an error message:
"Windows cannot find a Domain Controller for the new.com.local domain.
Verify that a DC is available then try again"

However I am able to validate both trusts on the NEW DC.

Additional info.

I can ping IP address as well as by name on both DCs. But NSLOOKUP.

I gave user migration a go, hser is the result.

On the OLD DC I can see both Domains in Target and Source but I cannot see
any DC server available from drop-down list in Source box.

On the NEW DC, I can see both domains and DC servers available from
drop-down list.

Hopefully it is not too much confusing.

"David Shen [MSFT]" wrote:

> Dear Customer,
>
> Thank you for posting in newsgroup.
>
> According to the description, the issue seems to be related to trust
> relationship. If I have any misunderstanding, please feel free to let me
> know.
>
> Before we move on, here are some questions that I want to confirm with you.
>
> When you connected the new DC server physically to the existing network,
> can you ping through the old DC from the new DC by IP address and by name?
>
> Analysis and Suggestions:
> =====================
>
> This issue may be a network connective issue. Personally, I would like to
> suggest that you make both the old and the new DC in the same subnet (ex.
> 192.168.0.0/24). Moreover, it is better to make the old DC as the DNS
> forwarder of the new DC, and the new DC as the DNS forwards of the old DC.
> Afterwards, please check if you can ping through the old domain (old.com)
> from the new domain (new.com.local) and vice versa.
>
> Hope it helps. I will wait for the reply.
>
> David Shen
> Microsoft Online Partner Support
>
>

Hello vdz,

Please post also an unedited ipconfig /all from both DC's.

Did you transfer the zones between the DNS servers?

Did you setup a forwarder so that DNS requests are sent to the proper DNS
server?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Thank you David and Meinolf
>
> it was only domain funtional level, I raised to Forest functional
> level now (thanks for that Meinolf)
>
> Then I followed David's suggestion, everything went well (thank you
> David)
> until on the OLD DC, I validated the trust outgoing as well as
> incoming, I
> got an error message:
> "Windows cannot find a Domain Controller for the new.com.local domain.
> Verify that a DC is available then try again"
> However I am able to validate both trusts on the NEW DC.
>
> Additional info.
>
> I can ping IP address as well as by name on both DCs. But NSLOOKUP.
>
> I gave user migration a go, hser is the result.
>
> On the OLD DC I can see both Domains in Target and Source but I cannot
> see any DC server available from drop-down list in Source box.
>
> On the NEW DC, I can see both domains and DC servers available from
> drop-down list.
>
> Hopefully it is not too much confusing.
>
> "David Shen [MSFT]" wrote:
>
>> Dear Customer,
>>
>> Thank you for posting in newsgroup.
>>
>> According to the description, the issue seems to be related to trust
>> relationship. If I have any misunderstanding, please feel free to let
>> me know.
>>
>> Before we move on, here are some questions that I want to confirm
>> with you.
>>
>> When you connected the new DC server physically to the existing
>> network, can you ping through the old DC from the new DC by IP
>> address and by name?
>>
>> Analysis and Suggestions:
>> =====================
>> This issue may be a network connective issue. Personally, I would
>> like to suggest that you make both the old and the new DC in the same
>> subnet (ex. 192.168.0.0/24). Moreover, it is better to make the old
>> DC as the DNS forwarder of the new DC, and the new DC as the DNS
>> forwards of the old DC. Afterwards, please check if you can ping
>> through the old domain (old.com) from the new domain (new.com.local)
>> and vice versa.
>>
>> Hope it helps. I will wait for the reply.
>>
>> David Shen
>> Microsoft Online Partner Suppor

Hi Meinoff

Because I am at home now, I will post them once I got it copied at work.
By the way, thought I'd let you know that on the NEW DC (Target) I was able
to migrate a user sucessfully, however if I checked password migration
option, I can't go any further as well as SID history I got error message
access denied.

Regards,



"Meinolf Weber" wrote:

> Hello vdz,
>
> Please post also an unedited ipconfig /all from both DC's.
>
> Did you transfer the zones between the DNS servers?
>
> Did you setup a forwarder so that DNS requests are sent to the proper DNS
> server?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Thank you David and Meinolf
> >
> > it was only domain funtional level, I raised to Forest functional
> > level now (thanks for that Meinolf)
> >
> > Then I followed David's suggestion, everything went well (thank you
> > David)
> > until on the OLD DC, I validated the trust outgoing as well as
> > incoming, I
> > got an error message:
> > "Windows cannot find a Domain Controller for the new.com.local domain.
> > Verify that a DC is available then try again"
> > However I am able to validate both trusts on the NEW DC.
> >
> > Additional info.
> >
> > I can ping IP address as well as by name on both DCs. But NSLOOKUP.
> >
> > I gave user migration a go, hser is the result.
> >
> > On the OLD DC I can see both Domains in Target and Source but I cannot
> > see any DC server available from drop-down list in Source box.
> >
> > On the NEW DC, I can see both domains and DC servers available from
> > drop-down list.
> >
> > Hopefully it is not too much confusing.
> >
> > "David Shen [MSFT]" wrote:
> >
> >> Dear Customer,
> >>
> >> Thank you for posting in newsgroup.
> >>
> >> According to the description, the issue seems to be related to trust
> >> relationship. If I have any misunderstanding, please feel free to let
> >> me know.
> >>
> >> Before we move on, here are some questions that I want to confirm
> >> with you.
> >>
> >> When you connected the new DC server physically to the existing
> >> network, can you ping through the old DC from the new DC by IP
> >> address and by name?
> >>
> >> Analysis and Suggestions:
> >> =====================
> >> This issue may be a network connective issue. Personally, I would
> >> like to suggest that you make both the old and the new DC in the same
> >> subnet (ex. 192.168.0.0/24). Moreover, it is better to make the old
> >> DC as the DNS forwarder of the new DC, and the new DC as the DNS
> >> forwards of the old DC. Afterwards, please check if you can ping
> >> through the old domain (old.com) from the new domain (new.com.local)
> >> and vice versa.
> >>
> >> Hope it helps. I will wait for the reply.
> >>
> >> David Shen
> >> Microsoft Online Partner Support
>
>
>

Hello vdz,

Thanks for the reply. I agree with Meinolf.

According to the description, it seems that the trust relationship have
been established between the 2 domain. Also, it is better to setup a
forwarder so that DNS requests are sent to the other DNS server.

Suggestion:
=========

We don't need to run ADMT on both of the old DC and the new DC. We
recommend that you install the ADMT on the target domain controller and
it's better to use administrator credential of source domain to logon the
target domain from source domain controller. Afterwards, you may perform
the ADMT migration.

For your convenience, I have list the general steps to perform ADMT
migration as followed.

General Steps:
==================

1. As always, domain migrations are complicated tasks. Please perform
complete backup first for recovery purposes.

2. We are able to establish a trust relationship between the two root
domains in different forests, and then use ADMT with the following three
wizards to migrate the group accounts, user accounts, client computers and
file permissions:

Group Account Migration Wizard
User Account Migration Wizard
Computer Migration Wizard
Security Translation Wizard

3. It is recommended that we install ADMT on target domain's PDC Emulator.
And it is recommended that we use administrator credential of source domain
to logon the target domain from source domain controller.

4. ADMT checks its database file for information regarding the previously
migrated user objects and then determines how to migrate user profiles and
NTFS folders permissions when migrating computers. Therefore, it is better
to only install one ADMT host machine.

5. The account that runs ADMT must have administrator privileges on both
domains, and also need to be a member of the local administrators group
when migrating computer objects.

6. It is recommended to perform the migration in the following order:

Domain Global Group
Domain Local Group
User Account
Computer Account

7. Please migrate the groups and users separately (do not migrate the
associated group members when migrating the groups).

During the group migration, please use the following configurations

[Group Options]
Copy group members Not Checked
Fix membership of group Checked

During the user migration, please use the following configurations:

[User Options]
Migrate associated user groups Not Checked
Fix users'' group memberships Checked

Hope it helps.

David Shen
Microsoft Online Partner Support

Hello vdz,

See here for the SID migration:
http://support.microsoft.com/default...b;EN-US;893191

Forest to forest SID filtering enabled:
Netdom trust TrustingDomainName /domain:TrustedDomainName /EnableSIDHistory:yes
/usero:domainadministratorAcct
/passwordo:domainadminpwd


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi Meinoff
>
> Because I am at home now, I will post them once I got it copied at
> work.
> By the way, thought I'd let you know that on the NEW DC (Target) I was
> able
> to migrate a user sucessfully, however if I checked password migration
> option, I can't go any further as well as SID history I got error
> message
> access denied.
> Regards,
>
> "Meinolf Weber" wrote:
>
>> Hello vdz,
>>
>> Please post also an unedited ipconfig /all from both DC's.
>>
>> Did you transfer the zones between the DNS servers?
>>
>> Did you setup a forwarder so that DNS requests are sent to the proper
>> DNS server?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Thank you David and Meinolf
>>>
>>> it was only domain funtional level, I raised to Forest functional
>>> level now (thanks for that Meinolf)
>>>
>>> Then I followed David's suggestion, everything went well (thank you
>>> David)
>>> until on the OLD DC, I validated the trust outgoing as well as
>>> incoming, I
>>> got an error message:
>>> "Windows cannot find a Domain Controller for the new.com.local
>>> domain.
>>> Verify that a DC is available then try again"
>>> However I am able to validate both trusts on the NEW DC.
>>> Additional info.
>>>
>>> I can ping IP address as well as by name on both DCs. But NSLOOKUP.
>>>
>>> I gave user migration a go, hser is the result.
>>>
>>> On the OLD DC I can see both Domains in Target and Source but I
>>> cannot see any DC server available from drop-down list in Source
>>> box.
>>>
>>> On the NEW DC, I can see both domains and DC servers available from
>>> drop-down list.
>>>
>>> Hopefully it is not too much confusing.
>>>
>>> "David Shen [MSFT]" wrote:
>>>
>>>> Dear Customer,
>>>>
>>>> Thank you for posting in newsgroup.
>>>>
>>>> According to the description, the issue seems to be related to
>>>> trust relationship. If I have any misunderstanding, please feel
>>>> free to let me know.
>>>>
>>>> Before we move on, here are some questions that I want to confirm
>>>> with you.
>>>>
>>>> When you connected the new DC server physically to the existing
>>>> network, can you ping through the old DC from the new DC by IP
>>>> address and by name?
>>>>
>>>> Analysis and Suggestions:
>>>> =====================
>>>> This issue may be a network connective issue. Personally, I would
>>>> like to suggest that you make both the old and the new DC in the
>>>> same
>>>> subnet (ex. 192.168.0.0/24). Moreover, it is better to make the old
>>>> DC as the DNS forwarder of the new DC, and the new DC as the DNS
>>>> forwards of the old DC. Afterwards, please check if you can ping
>>>> through the old domain (old.com) from the new domain
>>>> (new.com.local)
>>>> and vice versa.
>>>> Hope it helps. I will wait for the reply.
>>>>
>>>> David Shen
>>>> Microsoft Online Partner Suppor

Thanks David and Meinolf

I did setup Forwarder on each DC (pointing each other).

"Did you transfer the zones between the DNS servers?"
I did not get this question, is it about zone transfer between primary and
secondary
zones?

Thanks again


"David Shen [MSFT]" wrote:

> Hello vdz,
>
> Thanks for the reply. I agree with Meinolf.
>
> According to the description, it seems that the trust relationship have
> been established between the 2 domain. Also, it is better to setup a
> forwarder so that DNS requests are sent to the other DNS server.
>
> Suggestion:
> =========
>
> We don't need to run ADMT on both of the old DC and the new DC. We
> recommend that you install the ADMT on the target domain controller and
> it's better to use administrator credential of source domain to logon the
> target domain from source domain controller. Afterwards, you may perform
> the ADMT migration.
>
> For your convenience, I have list the general steps to perform ADMT
> migration as followed.
>
> General Steps:
> ==================
>
> 1. As always, domain migrations are complicated tasks. Please perform
> complete backup first for recovery purposes.
>
> 2. We are able to establish a trust relationship between the two root
> domains in different forests, and then use ADMT with the following three
> wizards to migrate the group accounts, user accounts, client computers and
> file permissions:
>
> Group Account Migration Wizard
> User Account Migration Wizard
> Computer Migration Wizard
> Security Translation Wizard
>
> 3. It is recommended that we install ADMT on target domain's PDC Emulator.
> And it is recommended that we use administrator credential of source domain
> to logon the target domain from source domain controller.
>
> 4. ADMT checks its database file for information regarding the previously
> migrated user objects and then determines how to migrate user profiles and
> NTFS folders permissions when migrating computers. Therefore, it is better
> to only install one ADMT host machine.
>
> 5. The account that runs ADMT must have administrator privileges on both
> domains, and also need to be a member of the local administrators group
> when migrating computer objects.
>
> 6. It is recommended to perform the migration in the following order:
>
> Domain Global Group
> Domain Local Group
> User Account
> Computer Account
>
> 7. Please migrate the groups and users separately (do not migrate the
> associated group members when migrating the groups).
>
> During the group migration, please use the following configurations
>
> [Group Options]
> Copy group members Not Checked
> Fix membership of group Checked
>
> During the user migration, please use the following configurations:
>
> [User Options]
> Migrate associated user groups Not Checked
> Fix users'' group memberships Checked
>
> Hope it helps.
>
> David Shen
> Microsoft Online Partner Support
>
>

Thank you Meinolf

Here is the ipconfig /all of 2 DCs, to avoid confusion I just changed the
real domain to old and new domain.

The NEW DC


C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : wct01
Primary Dns Suffix . . . . . . . : new.net.au.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : new.net.au.local
net.au.local
au.local

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit
Server Ad
apter #2
Physical Address. . . . . . . . . : 00-1E-0B-DA-60-1C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.154
DNS Servers . . . . . . . . . . . : 192.168.0.2

The OLD DC


C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : VBS01
Primary Dns Suffix . . . . . . . : old.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : old.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network
Connection w
ith I/O Acceleration
Physical Address. . . . . . . . . : 00-16-E6-8E-D8-9E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.154
DNS Servers . . . . . . . . . . . : 192.168.0.1

To Meinolf

Thank you for your link. I will try it.

To David

Thanks a lot for your precise insutruction. but I can not add the
administrator of the sourse to the target forest. Is there any prerequiste
tasks for this?

Thank all


"Meinolf Weber" wrote:

> Hello vdz,
>
> See here for the SID migration:
> http://support.microsoft.com/default...b;EN-US;893191
>
> Forest to forest SID filtering enabled:
> Netdom trust TrustingDomainName /domain:TrustedDomainName /EnableSIDHistory:yes
> /usero:domainadministratorAcct
> /passwordo:domainadminpwd
>
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi Meinoff
> >
> > Because I am at home now, I will post them once I got it copied at
> > work.
> > By the way, thought I'd let you know that on the NEW DC (Target) I was
> > able
> > to migrate a user sucessfully, however if I checked password migration
> > option, I can't go any further as well as SID history I got error
> > message
> > access denied.
> > Regards,
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello vdz,
> >>
> >> Please post also an unedited ipconfig /all from both DC's.
> >>
> >> Did you transfer the zones between the DNS servers?
> >>
> >> Did you setup a forwarder so that DNS requests are sent to the proper
> >> DNS server?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Thank you David and Meinolf
> >>>
> >>> it was only domain funtional level, I raised to Forest functional
> >>> level now (thanks for that Meinolf)
> >>>
> >>> Then I followed David's suggestion, everything went well (thank you
> >>> David)
> >>> until on the OLD DC, I validated the trust outgoing as well as
> >>> incoming, I
> >>> got an error message:
> >>> "Windows cannot find a Domain Controller for the new.com.local
> >>> domain.
> >>> Verify that a DC is available then try again"
> >>> However I am able to validate both trusts on the NEW DC.
> >>> Additional info.
> >>>
> >>> I can ping IP address as well as by name on both DCs. But NSLOOKUP.
> >>>
> >>> I gave user migration a go, hser is the result.
> >>>
> >>> On the OLD DC I can see both Domains in Target and Source but I
> >>> cannot see any DC server available from drop-down list in Source
> >>> box.
> >>>
> >>> On the NEW DC, I can see both domains and DC servers available from
> >>> drop-down list.
> >>>
> >>> Hopefully it is not too much confusing.
> >>>
> >>> "David Shen [MSFT]" wrote:
> >>>
> >>>> Dear Customer,
> >>>>
> >>>> Thank you for posting in newsgroup.
> >>>>
> >>>> According to the description, the issue seems to be related to
> >>>> trust relationship. If I have any misunderstanding, please feel
> >>>> free to let me know.
> >>>>
> >>>> Before we move on, here are some questions that I want to confirm
> >>>> with you.
> >>>>
> >>>> When you connected the new DC server physically to the existing
> >>>> network, can you ping through the old DC from the new DC by IP
> >>>> address and by name?
> >>>>
> >>>> Analysis and Suggestions:
> >>>> =====================
> >>>> This issue may be a network connective issue. Personally, I would
> >>>> like to suggest that you make both the old and the new DC in the
> >>>> same
> >>>> subnet (ex. 192.168.0.0/24). Moreover, it is better to make the old
> >>>> DC as the DNS forwarder of the new DC, and the new DC as the DNS
> >>>> forwards of the old DC. Afterwards, please check if you can ping
> >>>> through the old domain (old.com) from the new domain
> >>>> (new.com.local)
> >>>> and vice versa.
> >>>> Hope it helps. I will wait for the reply.
> >>>>
> >>>> David Shen
> >>>> Microsoft Online Partner Support
>
>
>