Geekzone: technology news, blogs, forums
# 105283 1-Jul-2012 09:54

Attempting to set up a lab with a one-way trust. Each segment has operational domains. They are connected via a two-way route rule on the router for all ports. Each of the DCs can ping one another, but the wizard stops with a very uninformative "cannot continue". I've reviewed the Windows events and nothing is recorded there; I was wondering if there is a log file somewhere I can review?

Both domains are 2008. Both have forward and reverse DNS entries for each other. Based on the Microsoft article, conditional forwarders are not used for 2008.


Amanzi
  # 649016 1-Jul-2012 13:12

Try using the Portqry.exe tool (or PortqryUI.exe) to verify that all required ports are open - it will also test LDAP connectivity.

  # 649050 1-Jul-2012 14:03

Queries returned success with the expected LDAP details being returned. I wonder if there is an outbound or inbound rule that is not normally needed for internal domain controllers that I need to open to initiate the trust? MS material doesn't state that any additional networking is needed, but you never know.

My gut tells me there is a DNS trick I don't know about. The MS material says the DNS is important, but for disconnected DNS servers in Server 2008 it indicates no additional DNS changes need to be made?

Edit: Kerberos is returning 0x00000002, which I ignored as I'm not using Kerberos, but then noticed 138 and 42 are also returning 0x00000002. More research, methinks...

  # 649058 1-Jul-2012 14:20

Turned the Windows firewalls off at both ends and no change, so I don't think it's network.

dan

  # 649069 1-Jul-2012 14:41

Have you made sure both domains can resolve each other correctly DNS-wise? If you nslookup the second domain from the first, and vice versa, does it resolve correctly? If not, but you can ping it etc., I'd add it manually into the hosts file and retry.

It's usually the simple things like this, really.

  # 649074 1-Jul-2012 14:52

nslookup resolves the source and target domain root from both sides of the planned trust. I've added forward and reverse lookup zones for both segments in both domains' DNS.

dan


  # 649076 1-Jul-2012 14:55

Does it resolve the full name of the domain controller as well, i.e. machinename.domain.local as well as domain.local?

  # 649081 1-Jul-2012 15:13

It didn't, so I've added the DNS entries on both sides so they do, but still no progress. The wizard is so frustrating, as you have to restart the wizard each time to test.

  # 649083 1-Jul-2012 15:17

Ran DCDIAG and all passed. That's it for today; burned 6 hours on this. I'll have another go next weekend.

  # 649311 1-Jul-2012 23:53

And does DomainDnsZones.domain.local resolve on both sides too? I've discovered, while investigating issues with Java apps trying to authenticate against AD, that LDAP lookups are referred to this DNS name for the actual LDAP query.

  # 743147 11-Jan-2013 09:45

Kyanar: And does DomainDnsZones.domain.local resolve on both sides too? I've discovered, while investigating issues with Java apps trying to authenticate against AD, that LDAP lookups are referred to this DNS name for the actual LDAP query.


I've added DomainDnsZones to the DNS of both domains (resolving to the domain controller of each domain), but it is still not recognised on either side.

  # 743205 11-Jan-2013 11:01

Answer: change the AD DNS zone to "Stub Zone" and now the one-way trust has been established.
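A pre-flight script for the checks this thread walks through by hand (partner domain root, DC FQDN, DomainDnsZones and the DC-locator SRV records, the TCP ports a trust uses, reverse lookup), plus the stub-zone change that finally resolved it. This is an added example, not code posted by anyone in the thread. It assumes Windows Server 2012 or later for Resolve-DnsName, Test-NetConnection and the DnsServer module (the thread's 2008 hosts would use nslookup, PortQry and dnscmd for the same steps); partner.local, dc1.partner.local and 192.0.2.10 are constructed placeholders.

```powershell
# Added example (not from the thread): pre-flight checks for an AD trust between two
# domains with disconnected DNS. Assumes Windows Server 2012+ (Resolve-DnsName,
# Test-NetConnection, DnsServer module). Names and addresses are constructed placeholders.
param(
    [string]$PartnerDomain = 'partner.local',      # assumed partner domain name
    [string]$PartnerDc     = 'dc1.partner.local',  # assumed partner DC FQDN
    [string]$PartnerDcIp   = '192.0.2.10',         # assumed partner DC address (TEST-NET-1)
    [switch]$CreateStubZone                        # apply the fix the thread ended with
)

$results = @()

# True when the DNS answer contains at least one record of the requested type.
function Test-NameResolves {
    param([string]$Name, [string]$Type = 'A')
    try {
        $answer = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop
        # Resolve-DnsName can return CNAME/SOA records alongside; keep only the asked-for type
        $hit = $answer | Where-Object { $_.Type -eq $Type } | Select-Object -First 1
        return [bool]$hit
    } catch {
        return $false
    }
}

# 1. Names the trust wizard and the DCs need to resolve (the thread added these one by one).
$names = @(
    @{ Name = $PartnerDomain;                        Type = 'A'   },  # domain root
    @{ Name = $PartnerDc;                            Type = 'A'   },  # DC FQDN
    @{ Name = "DomainDnsZones.$PartnerDomain";       Type = 'A'   },  # AD DNS partition alias
    @{ Name = "ForestDnsZones.$PartnerDomain";       Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$PartnerDomain"; Type = 'SRV' },  # DC locator record
    @{ Name = "_kerberos._tcp.$PartnerDomain";       Type = 'SRV' }
)
foreach ($n in $names) {
    $ok = Test-NameResolves -Name $n.Name -Type $n.Type
    $results += [pscustomobject]@{ Check = "DNS $($n.Type) $($n.Name)"; Ok = $ok }
}

# 2. TCP ports a domain trust uses. UDP ports (88, 137, 138, 389) cannot be probed
#    this way; PortQry, as used in the thread, covers those.
$tcpPorts = 135, 139, 389, 445, 88, 464, 636, 3268
foreach ($p in $tcpPorts) {
    $ok = (Test-NetConnection -ComputerName $PartnerDcIp -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    $results += [pscustomobject]@{ Check = "TCP $p -> $PartnerDcIp"; Ok = $ok }
}

# 3. Reverse lookup, since the thread set up reverse zones on both sides.
$results += [pscustomobject]@{ Check = "PTR $PartnerDcIp"; Ok = (Test-NameResolves -Name $PartnerDcIp -Type 'PTR') }

$results | Format-Table -AutoSize

# 4. Optional: the fix that finished the thread. A stub zone holds only the partner
#    zone's SOA/NS/glue records and forwards every other query to the partner's DC,
#    so the local DC tracks partner-side changes instead of serving a hand-maintained copy.
if ($CreateStubZone) {
    Import-Module DnsServer
    if (Get-DnsServerZone -Name $PartnerDomain -ErrorAction SilentlyContinue) {
        # The hand-built primary copy of the partner zone must go before the stub can be added
        Remove-DnsServerZone -Name $PartnerDomain -Force
    }
    Add-DnsServerStubZone -Name $PartnerDomain -MasterServers $PartnerDcIp -ReplicationScope 'Domain'
    Clear-DnsServerCache -Force   # drop stale answers cached from the old zone
}
```

Run it on a DC of the trusting domain, once per direction, before starting the trust wizard; any row with Ok = False is something the wizard will fail on without saying why. Only pass -CreateStubZone after confirming the partner DC address, since it deletes the local copy of the partner zone and replaces it with the stub.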
