Windows Vista Tips forum: Newsgroups > Windows Server > Active Directory

Trust problem: DNS name resolution works, nltest /dsgetdc fails

 
 
Rainer, 04-07-2010

Hello,

one AD is at the 2003 forest functional level, the second AD is at the 2008 R2
forest functional level. The connection between the two locations is not
limited; all traffic is forwarded to the remote location.
We want to establish a forest trust between both ADs.

We set up conditional forwarders in both AD DNS servers which point to one of
the DNS servers of the remote AD. We could then establish a two-way forest
trust created from the 2003 AD, but if we try to verify it from the 2008 R2 AD
this fails. If we try to establish the two-way trust from the 2008 R2 AD, this
also fails (we typed in the DNS name of the domain, then were asked to select
the trust type "with Windows domain" because the called name is not a valid
Windows domain name; after clicking Next the trust wizard stops: could not
find the domain).

Ping (from the 2008 R2 location) to the domain FQDN or to the domain NetBIOS
name of the 2003 AD is successful, which means the conditional DNS forwarding
works. But nltest /dsgetdc:domain-fqdn fails (Error with domain controller
name: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN).

A colleague checked the DNS and SRV entries of the remote 2003 AD; these
"seem" to be OK. But anyway, we (the 2008 R2 AD) can successfully resolve
(ping the domain name and the domain servers), but nltest and the trust wizard
don't find the remote domain.

Any hints?

Regards,
Rainer
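An added example (editor's script, not part of Rainer's post) of the check that separates the two results above: ping only resolves the domain's A record, while nltest /dsgetdc goes through the DC locator, which needs the SRV records under _msdcs. The script asks for those records first through the local resolver (the conditional-forwarder path) and then directly at a DNS server of the remote forest, so a missing answer can be pinned on either the forwarder or the remote side, and finally runs the locator itself. The domain name and server address are placeholders; nslookup.exe and nltest.exe are assumed to be on the path (both ship with Server 2003 and 2008 R2).

```powershell
# Added example, not from the original post. Checks the records that the DC
# locator (DsGetDcName, which nltest /dsgetdc and the trust wizard call) really
# queries. A domain name that pings is only an A record; the locator needs SRV.
# Assumptions: $RemoteDomain and $RemoteDns are placeholders; nslookup.exe and
# nltest.exe are on the path.
param(
    [string]$RemoteDomain = 'corp.example.com',  # placeholder: remote forest root DNS name
    [string]$RemoteDns    = '10.20.0.10'         # placeholder: a DC/DNS server in the remote forest
)

# SRV names the locator resolves before it will LDAP-ping a DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteDomain",     # any writable DC of the domain
    "_kerberos._tcp.dc._msdcs.$RemoteDomain",
    "_ldap._tcp.pdc._msdcs.$RemoteDomain",    # PDC emulator; the trust wizard binds here
    "_gc._tcp.$RemoteDomain",                 # global catalog; registered under the forest root name
    "_ldap._tcp.$RemoteDomain"
)

function Get-SrvTargets {
    # Runs nslookup for one SRV name (optionally against a given server) and
    # returns the target host names, or nothing if the name does not resolve.
    param([string]$Name, [string]$Server)
    $nsArgs = @('-type=SRV', $Name)
    if ($Server) { $nsArgs += $Server }
    $out = & nslookup.exe @nsArgs 2>&1 | Out-String
    [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Show-SrvTable {
    param([string]$Title, [string]$Server)
    Write-Host "== $Title =="
    foreach ($n in $srvNames) {
        $targets = @(Get-SrvTargets -Name $n -Server $Server)
        $status  = if ($targets.Count) { $targets -join ', ' } else { 'MISSING' }
        Write-Host ('{0,-50} {1}' -f $n, $status)
    }
}

# 1. Through the local resolver: this is what the locator on this DC actually sees.
Show-SrvTable -Title 'via local resolver (conditional forwarder path)'

# 2. Straight at the remote DNS server, bypassing the forwarder.
#    MISSING here as well -> the remote DCs never registered them (Netlogon /
#                            dynamic update on the 2003 side).
#    MISSING only in 1    -> the forwarder, or the namespace it covers, is the problem.
Show-SrvTable -Title "directly against $RemoteDns" -Server $RemoteDns

# 3. Ask the locator itself; /force ignores any cached (negative) answer.
Write-Host "== nltest /dsgetdc:$RemoteDomain /force =="
& nltest.exe /dsgetdc:$RemoteDomain /force
if ($LASTEXITCODE -ne 0) {
    Write-Host "DC locator failed (exit code $LASTEXITCODE); 1355 / 0x54b is ERROR_NO_SUCH_DOMAIN."
}
```

Run it on a DC of the 2008 R2 side as a domain admin; a row that is present in the second table but MISSING in the first is exactly the "ping works, nltest fails" symptom, and points at the forwarder rather than at the 2003 DCs.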
 
Ace Fekay [MVP-DS, MCT], 04-07-2010
Did you select a Domain trust, or a Forest trust?

As for DNS resolution between both sides, you have conditional forwarding
set up, which is one way to do it. Did you set the conditional forwarder on
EACH of the DC/DNS servers?

Is one domain or the other possibly a single-label name?

Are any of the DCs multihomed and/or have RRAS installed?

Are there any ISPs' DNS addresses in any of the DCs' IP properties?

Are there any firewall rules between the two locations? If you plan on
setting up firewall rules, note that 2003 and 2008 use of ephemeral ports has
changed. It is suggested to allow it wide open, no rules; otherwise expect
issues.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
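An added example (editor's script, not part of Ace's reply) that runs the checklist above on a DC of the 2008 R2 side: single-label names, a multihomed DC, RRAS, non-AD DNS servers in the DC's own NIC settings, whether this DNS server actually holds the conditional forwarder, and plain TCP reachability of a remote DC. WMI is used so it also runs in PowerShell 2.0 on 2008 R2; dnscmd.exe is assumed to be present (DNS role installed). All names and addresses are placeholders.

```powershell
# Added example, not from the original reply. Audits the items in the
# checklist on the local DC. Placeholders: remote forest root name, one remote
# DC, and the list of this forest's own DC/DNS addresses.
param(
    [string]$RemoteDomain    = 'corp.example.com',      # placeholder: remote forest root DNS name
    [string]$RemoteDc        = 'dc1.corp.example.com',  # placeholder: a DC of the remote forest
    [string[]]$OwnDnsServers = @('10.10.0.10', '10.10.0.11')  # placeholder: this forest's DC/DNS addresses
)

$findings = @()

# Single-label names: the trust wizard and Kerberos need a dotted DNS name on both sides.
foreach ($d in $RemoteDomain, $env:USERDNSDOMAIN) {
    if ($d -and $d -notmatch '\.') { $findings += "Single-label domain name: $d" }
}

# Multihomed DC: more than one IPv4 address across IP-enabled adapters.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$ipv4 = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+(\.\d+){3}$' })
if ($ipv4.Count -gt 1) { $findings += "Multihomed: $($ipv4 -join ', ')" }

# RRAS on a DC registers extra addresses in DNS and confuses the locator.
$rras = Get-Service RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') { $findings += 'RRAS (RemoteAccess service) is running on this DC' }

# ISP or other non-AD resolvers in the DC's own client settings break SRV lookups.
$clientDns = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
$foreign   = @($clientDns | Where-Object { $OwnDnsServers -notcontains $_ })
if ($foreign.Count) { $findings += "Non-AD DNS servers in NIC settings: $($foreign -join ', ')" }

# Conditional forwarder on THIS server: dnscmd /EnumZones lists it with type "Forwarder".
$zoneList = & dnscmd.exe /EnumZones 2>&1 | Out-String
if ($zoneList -notmatch ('(?im)^\s*' + [regex]::Escape($RemoteDomain) + '\s+Forwarder')) {
    $findings += "No conditional forwarder for $RemoteDomain on $env:COMPUTERNAME"
}

function Test-TcpPort {
    # TCP connect with a timeout; System.Net.Sockets is available on 2008 R2
    # where Test-NetConnection is not.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Fixed ports a trust setup needs at minimum. RPC additionally uses the dynamic
# range (49152-65535 on 2008, 1025-5000 on 2003), which this list cannot prove.
foreach ($p in 53, 88, 135, 389, 445, 464, 636, 3268) {
    if (-not (Test-TcpPort -Target $RemoteDc -Port $p)) { $findings += "TCP $p to $RemoteDc not reachable" }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
else { Write-Host 'No findings for the items in the checklist.' }
```

Because an AD-stored forwarder only reaches a DC after replication, the forwarder check is worth running on every 2008 R2 DC that runs DNS, not just the one where it was created.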

 
Rainer, 04-08-2010
Ace,

thanks for your support. Here are the comments on your questions:

> Did you select a Domain trust, or a Forest trust?

Forest trust.

> As for DNS resolution between both sides, you have conditional forwarding
> set up, which is one way to do it. Did you set the conditional forwarder on
> EACH of the DC/DNS servers?

The forwarding is "stored in Active Directory" and set to "Replicate to all
DNS servers in the organization".

> Is one domain or the other possibly a single-label name?

No.

> Are any of the DCs multihomed and/or have RRAS installed?

No.

> Are there any ISPs' DNS addresses in any of the DCs' IP properties?

No.

> Are there any firewall rules between the two locations? If you plan on
> setting up firewall rules, 2003 and 2008 use of ephemeral ports has been
> changed. It is suggested to allow it wide open, no rules, otherwise expect
> issues.

No firewall rules (all ports are open).

Regards,
Rainer



 
Rainer, 04-13-2010

Any hints on my last response?


 
Ace Fekay [MVP-DS, MCT], 04-13-2010
I am sorry, I missed your response.

Reading back over your original post and your response, I assume that the forwarder(s) used on the 2008 side (since you set them to be AD-integrated in 2008) are correctly pointing to the 2003 DNS server(s) of the 2003 domain you are trying to set up the trust with.

I noticed you said that when you ping by NetBIOS name, it returns a ping. DNS is not used for NetBIOS names, unless you mean you had set a search suffix for the other domain and it is resolving by appending the other domain's domain name as a search suffix to the NetBIOS name, or you have WINS in place with a replication partner to the other domain's WINS server?

If nltest is failing from the 2008 side testing communications to the 2003 side, that points to a DNS misconfiguration, as far as I can tell.

To test it further, and just for testing: if you remove the conditional forwarder and create secondary zones for the 2003 domain name on all of the 2008 DCs, making sure that the zones transfer, do nltest and the trust then work? This step is to try to eliminate whether DNS resolution is a factor here.

Just conjecturing: it could also be based on the DNS names and their namespaces. If the DNS domain name is something such as child.domain.local, yet you have a forwarder for domain.local, and there is no domain.local zone created, then resolution won't work because it was configured as a separate namespace.

Can you describe the namespaces on both sides?

Ace
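An added example (editor's script, not part of Ace's reply) of the "replace the conditional forwarder with secondary zones" test described above, scripted with dnscmd.exe so it can be repeated on every 2008 R2 DC that runs DNS and rolled back afterwards. It assumes you are a DNS admin on that server and that the remote 2003 DNS server allows zone transfers to this server's address (zone Properties > Zone Transfers on that side). The remote domain name and master address are placeholders.

```powershell
# Added example, not from the original reply. Swaps the conditional forwarder
# for file-backed secondary zones pulled from the remote forest, checks that the
# locator records actually arrived, then runs the DC locator. -Rollback undoes it.
# Placeholders: $RemoteDomain, $RemoteMaster.
param(
    [string]$RemoteDomain = 'corp.example.com',  # placeholder: remote forest root DNS name
    [string]$RemoteMaster = '10.20.0.10',        # placeholder: remote DC/DNS server to transfer from
    [switch]$Rollback                            # remove the secondaries, restore a forwarder
)

# For a forest root, the dc._msdcs records and the forest-wide gc/GUID records
# live in the separate _msdcs.<forest root> zone that 2003 creates by default
# (delegated from the domain zone), so transfer both zones, not just the domain.
$zones = @($RemoteDomain, "_msdcs.$RemoteDomain")

function Invoke-Dnscmd {
    # Runs dnscmd with the given arguments and throws on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed:`n$out" }
    $out
}

if ($Rollback) {
    foreach ($z in $zones) { Invoke-Dnscmd @('/ZoneDelete', $z, '/f') | Out-Null }
    # Recreates a server-local conditional forwarder. The original was stored in AD
    # and replicated; switch that back on in the DNS console once the test is over.
    Invoke-Dnscmd @('/ZoneAdd', $RemoteDomain, '/Forwarder', $RemoteMaster) | Out-Null
    Write-Host 'Secondary zones removed, forwarder restored on this server.'
    return
}

# 1. Drop the AD-stored forwarder. /DsDel removes it from the directory as well;
#    on the second and later DCs it is already gone, so tolerate that failure.
try   { Invoke-Dnscmd @('/ZoneDelete', $RemoteDomain, '/DsDel', '/f') | Out-Null }
catch { Write-Warning "Forwarder for $RemoteDomain not deleted (already removed?): $_" }

# 2. Create the secondary zones and pull them from the remote master.
foreach ($z in $zones) {
    Invoke-Dnscmd @('/ZoneAdd', $z, '/Secondary', $RemoteMaster) | Out-Null
    Invoke-Dnscmd @('/ZoneRefresh', $z) | Out-Null
}
Start-Sleep -Seconds 10   # give the zone transfer a moment

# 3. Did the locator records arrive? Ask THIS server directly, not the forwarder path.
$probe  = "_ldap._tcp.dc._msdcs.$RemoteDomain"
$answer = & nslookup.exe -type=SRV $probe 127.0.0.1 2>&1 | Out-String
if ($answer -match 'svr hostname\s*=\s*(\S+)') {
    Write-Host "Transfer OK: $probe -> $($Matches[1])"
} else {
    Write-Host "Transfer failed or zone is empty; check zone-transfer permissions on $RemoteMaster"
    Write-Host $answer
}

# 4. The real test: the DC locator, and if that works, the trust wizard.
& nltest.exe /dsgetdc:$RemoteDomain /force
```

If nltest succeeds with the secondaries in place but failed through the forwarder, DNS was the whole problem; if it still fails while step 3 shows the SRV records present locally, DNS can be ruled out and the next suspects are the DCs' own addressing (multihoming, RRAS) or something between the sites.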

