Cross Forest Trust - The domain controllers required to find the selected objects in the following d

Discussion in 'Active Directory' started by BW, Feb 19, 2007.

  1. BW Guest

    I have established a cross forest trust between the cohovinyard and
    cohowinery forests in a lab. The cohovinyard forest has two domains: the
    cohovinyard.com forest root, and dom1.com domain. I can share files
    properly between the domains in the cohovinyard forest. I can also share
    files between the cohowinery forest and the cohovinyard.com domain. When I
    try to grant permissions to a share in the cohowinery.com forest to the non
    root domain in the cohovinyard.com forest (dom1.com), the cohowinery forest
    cannot locate the domain controllers in the dom1.com domain. There is only
    1 server each in the cohowinery and cohovinyard domains. There are two
    servers (both DCs and GCs) in the dom1.com domain. I checked replication
    and it seems to be working throughout the cohovinyard forest. I can't find
    any relevant error messages in the event logs. The only relevant Google
    answer I found concerned a missing _msdcs zone when you started with 2000
    servers and upgraded to 2003 servers. I can't find any obviously missing
    records in the DNS zones. The _msdcs.cohovinyard.com zone is AD integrated
    and set for forest wide replication to all DNS servers in the cohovinyard
    forest. What is missing?
     
    BW, Feb 19, 2007
    #1

  2. Jorge Silva Guest

    Hi
    Sounds like that domain, and probably the other, can't resolve the other
    domain's DNS name. To test it, try to create a Conditional Forwarding between
    the DNS in both domains/forests. Make sure that each existing DNS can
    resolve any existing DNS name in both forests.

    --

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    MCSE
     
    Jorge Silva, Feb 19, 2007
    #2

  3. BW Guest

    Do I need conditional forwarders for both the named domains and the _msdcs
    domains? I notice that for the forest root domain _msdcs is listed as a
    separate forward lookup zone but in the non forest root domain it is not.
     
    BW, Feb 23, 2007
    #3
  4. Jorge Silva Guest

    The _msdcs zone is only used within the same forest.

    --

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    MCSE
     
    Jorge Silva, Feb 23, 2007
    #4
  5. No, you don't need a different conditional forwarder for _msdcs as it's a
    child in the same namespace that you're already forwarding to, and the
    server you forward to holds a copy of the zone so will answer. If the
    server you forward to doesn't hold a copy of that zone, it has the necessary
    delegation and glue records so will still get you an answer.
     
    Paul Williams [MVP], Feb 23, 2007
    #5
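    The conditional-forwarder approach from post #2, together with the check post
    #5 describes (the _msdcs records resolving through the parent zone's forwarder
    without a forwarder of their own), as an added PowerShell example that is not
    part of the thread. It assumes the DnsServer module (Windows Server 2012 or
    later, which post-dates this 2003-era thread); the IP addresses are constructed
    placeholders, not values from the thread. Run it on a DNS server in the
    cohowinery.com forest.

```powershell
# Added example, not from the thread. Create conditional forwarders on a
# cohowinery.com DNS server for the trusted forest root and its child domain,
# then confirm that the DC locator SRV records under _msdcs resolve through them.
# Server addresses are constructed placeholders.
$forwarders = @{
    'cohovinyard.com' = @('10.0.1.10')              # constructed: DNS in the cohovinyard root
    'dom1.com'        = @('10.0.2.10', '10.0.2.11') # constructed: the two dom1.com DCs
}

foreach ($zone in $forwarders.Keys) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # Store the forwarder in AD so every DNS server in this forest gets it
        Add-DnsServerConditionalForwarderZone -Name $zone `
            -MasterServers $forwarders[$zone] `
            -ReplicationScope 'Forest'
    }
}

# No separate forwarder for _msdcs.<domain>: the server we forward to either
# holds that zone or carries the delegation DCPROMO put in the parent zone.
$checks = @(
    '_ldap._tcp.dc._msdcs.dom1.com',         # any DC in dom1.com
    '_kerberos._tcp.dc._msdcs.dom1.com',     # KDCs in dom1.com
    '_ldap._tcp.gc._msdcs.cohovinyard.com'   # global catalogs for the whole forest
)
foreach ($name in $checks) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if ($srv) {
        $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        Write-Output "${name}: $targets"
    } else {
        Write-Output "${name}: NO ANSWER - check the forwarder or delegation for this zone"
    }
}
```

    If the SRV queries answer but the trust still cannot enumerate dom1.com, DNS
    is not the fault, which is exactly what the original poster discovered later in
    the thread.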
  6. Jorge Silva Guest

    IMO: You should set the replication scope of the _msdcs zone to the entire
    forest (that is what is set by default); this zone is very important to find
    replication partners, sites, GCs, etc...

    --

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    MCSE
     
    Jorge Silva, Feb 23, 2007
    #6
  7. Yes, of course. No one is disputing that, are they? But for a domain in an
    external forest you need to conditionally forward, or create a stub to the
    parent, if you want to resolve that without a secondary zone.

    If you're referring to the point I made about not holding the zone, that was a
    clarification that resolution will still occur under these circumstances due
    to the delegation that is in place in the domain-name.com zone (that DCPROMO
    configured). It was to avoid someone being overly pedantic. : )
     
    Paul Williams [MVP], Feb 23, 2007
    #7
  8. Jorge Silva Guest

    No, no, you misunderstood me. I was just stating that it should be set to
    forest scope, nothing more.
    ;)

    --

    I hope that the information above helps you.
    Have a Nice day.
    Jorge Silva
    MCSE
     
    Jorge Silva, Feb 23, 2007
    #8
  9. Ah OK, yes, fine, valid point. I'm going to take a break now, try and get
    on with some actual work before I finish for the day ;-)
     
    Paul Williams [MVP], Feb 23, 2007
    #9
  10. BW Guest

    I finally found the answer. When I added the non root zone to the second
    forest, it added the domain suffix routing to the first forest trust but
    in "disabled" state. Changing that to "enabled" immediately fixed the
    problem. I only found it because the validate trust dialog pops up a
    warning if you use it after you add a new domain to a forest that has an
    existing trust. The DNS issues were a red herring. The DNS had been
    working fine to get the forest trust established in the first place.

    Thanks for the help!
     
    BW, Feb 26, 2007
    #10
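    The fix described in post #10 (a name suffix for the newly added domain that the
    forest trust recorded in the "disabled" state), as an added example that is not
    part of the thread: the same check and toggle done from a PowerShell prompt with
    netdom instead of the Domains and Trusts dialog. It assumes netdom is installed
    on the DC and that its /NameSuffixes listing prints one numbered entry per suffix
    with its status; the sample output line in the comment is constructed.

```powershell
# Added example, not from the thread. Verify the forest trust, list the name
# suffixes routed from cohowinery.com to the cohovinyard forest, and enable any
# that the trust recorded as Disabled (what happens when a domain is added to a
# forest that already has a trust).
$trusting = 'cohowinery.com'
$trusted  = 'cohovinyard.com'

# Same check as the "validate trust" dialog; it warns when new suffixes exist.
netdom trust $trusting /Domain:$trusted /Verify

# Constructed sample of one listing line:  "2. *.dom1.com, Name Suffix, Disabled"
$listing = netdom trust $trusting /Domain:$trusted /NameSuffixes:$trusted

foreach ($line in $listing) {
    # Match "<index>. <suffix>, ... Disabled" so only disabled entries are toggled
    if ($line -match '^\s*(\d+)\.\s+(\S+?),.*\bDisabled\b') {
        $index  = $matches[1]
        $suffix = $matches[2]
        Write-Output "Enabling name suffix routing for $suffix (entry $index)"
        # /ToggleSuffix flips the state of the numbered entry from the listing
        netdom trust $trusting /Domain:$trusted /NameSuffixes:$trusted /ToggleSuffix:$index
    }
}

# Re-list so every suffix belonging to the trusted forest now reads Enabled
netdom trust $trusting /Domain:$trusted /NameSuffixes:$trusted
```

    Routing is held on the trusting side of each direction of the trust, so repeat the
    listing with the two domain names swapped if resources in cohovinyard must also be
    granted to cohowinery principals.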
  11. Thanks for following up. That'll help someone using Google Groups one
    day...
     
    Paul Williams [MVP], Feb 26, 2007
    #11