Re: Connecting two Windows 2000 forests together


From: Herb Martin (news_at_LearnQuick.com)
Date: 02/16/05


Date: Wed, 16 Feb 2005 12:29:05 -0600


"smc2005" <smc2005@discussions.microsoft.com> wrote in message
news:22430226-4CB3-4905-A904-3829084DC6D3@microsoft.com...
> Hi,
>
> I'm the network admin at a school and we have just set up a test
> environment with some old servers in a new active directory forest.
> Although the test lab is on the same switch as the main network, it is
> on a different VLAN with a different IP address range. What I am trying
> to do is let users in the test lab access the Internet via the ISA 2000
> server in the main network.

Except for the (perhaps) permissions on ISA this is unrelated
to the Forests.

> I have set up a trust between my two forests (both Windows 2000 AD).

No. You have set up a trust (to or from) one of the domains
in the forest from/to a domain in the other forest. (Even if you
only have one domain in each forest the trusts are between
domains and have a direction.)

> The lab trusts the main network and the main network has the lab's
> network in its list of domains trusted by itself. I set up the trusts
> through Active Directory Domains and Trusts.
>
> I have used the main network's WINS servers for the lab network.

You really shouldn't mix the terms 'Domain', 'Forest', and 'Network'.

It is difficult to follow your scenario and likely leads to your
own confusion -- we all tend to be victims of our own
language.

> The part I am having difficulty with is allowing the lab users access
> to the ISA server. When I try to add groups from the lab's domain I can't.

That is because Lab --trusts-> Domain.

Users are always on the TRUSTED side. Resources on the
TRUSTING side. Since ISA is a resource, it must trust the
user (Lab in your request) side for this to be possible.

> I think the problem is DNS related.

Nope, it is a basic trust problem. Your trust is backwards
(for this job, although you might need the other trust for some
other resource sharing).

> The main network has its own DNS servers, as does the lab's network.
> My question is, after creating the trusts through Active Directory
> Domains and Trusts what else do I need to do?

You said you created ONE trust -- external trusts are
always ONE WAY.

> From the DC in the lab AD I can ping the domain controllers on the main
> network by IP address and host name.
> Ping by FQDN doesn't work.

Likely because you don't have the DNS setup correctly
on the DNS server or even on the clients.

This IS likely a DNS problem. It works for simple names
due to broadcasts or due to WINS.

> Could I maybe use the DNS server from the main network as my secondary
> DNS server on my servers/clients in the Lab network?

Sure. "Cross secondaries" (DNS servers in one area/domain
holding secondaries for another area/domain) are a frequent
solution to the "multiple name trees" problem.

Here are the basics of DNS for AD:

    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
        that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
            be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

...or maybe:

    dcdiag /fix

   (Win2003 can do this from Support tools):
    nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

-- 
Herb Martin
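The following is an added example, not part of Herb's post and not something that runs on the Windows 2000 hosts in the question (they have no PowerShell; on those DCs the netdiag/dcdiag/nltest commands above are the tools). It is the same checklist scripted for a current Windows admin workstation joined to the lab domain: DNS client settings (basics #2 and #3), AD SRV locator lookups for both domains, directly and via the main network's DNS server (basic #4 and the "ping by FQDN fails" symptom), trust direction as seen from this host's domain (the "users on the trusted side, resources on the trusting side" rule), and a dcdiag sweep for FAIL/ERROR/WARN. The domain names, the DNS server address and the log path are assumptions. It needs the DnsClient module (Windows 8 / Server 2012 and later) and RSAT's ActiveDirectory module for Get-ADTrust.

```powershell
# Added example: trust-direction and DNS sanity checks for a cross-forest setup.
# Assumptions (not from the original post): the domain names, DNS address and
# log path below are placeholders for the school's real values.
param(
    [string]$LabDomain  = 'lab.school.local',    # assumed lab forest root domain
    [string]$MainDomain = 'main.school.local',   # assumed main forest root domain (where ISA lives)
    [string]$MainDns    = '10.10.0.10',          # assumed IP of a DNS server on the main network
    [string]$DcdiagLog  = "$env:TEMP\dcdiag-$env:COMPUTERNAME.txt"
)

# 1) Basics #2/#3: every NIC on a DC or DNS server should list ONLY the
#    internal, dynamic DNS server(s). An ISP resolver or the other forest's
#    server listed as "secondary" breaks AD locator lookups intermittently.
Write-Host "== DNS client settings =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2) Basic #4: can this host locate a DC of BOTH domains through the
#    _ldap._tcp.dc._msdcs.<domain> SRV records? Short names working (WINS or
#    broadcast) while FQDNs fail is exactly what this catches.
function Test-DcLocator {
    param([string]$Domain, [string]$Server)
    $name  = "_ldap._tcp.dc._msdcs.$Domain"
    $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
    $via   = ''
    if ($Server) { $query.Server = $Server; $via = " via $Server" }
    try {
        $recs = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $recs) {
            "  {0} -> {1}:{2} (priority {3})" -f $name, $r.NameTarget, $r.Port, $r.Priority
        }
    } catch {
        "  FAIL: $name not resolvable$via : $($_.Exception.Message)"
    }
}
Write-Host "== AD SRV records, via the configured DNS servers =="
Test-DcLocator -Domain $LabDomain
Test-DcLocator -Domain $MainDomain
Write-Host "== AD SRV records, asking the main network's DNS server directly =="
# Succeeding here but failing above means the lab DNS server has no path to
# the main zone: add a secondary (or forwarder) for it rather than a second
# DNS server entry on the clients.
Test-DcLocator -Domain $MainDomain -Server $MainDns

# 3) Trust direction. For ISA (a resource in $MainDomain) to list lab groups,
#    $MainDomain must TRUST $LabDomain. Seen from the main domain that trust
#    object has Direction Outbound (or BiDirectional); seen from the lab
#    domain it has Direction Inbound. "Lab trusts Main" alone is the reverse
#    and gives exactly the symptom in the post.
Write-Host "== Trusts as seen from the domain this host is joined to =="
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize
# The same view without RSAT:   nltest /domain_trusts /all_trusts
# "Direct Outbound" = this domain trusts the listed one, so the listed
# domain's users can be granted access to resources here.

# 4) dcdiag sweep: capture the verbose run, then search for FAIL / ERROR / WARN.
Write-Host "== dcdiag (verbose, all tests) -> $DcdiagLog =="
dcdiag /v /c | Out-File -FilePath $DcdiagLog -Encoding ascii
Select-String -Path $DcdiagLog -Pattern 'FAIL|ERROR|WARN' -CaseSensitive |
    ForEach-Object { "  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
```

Run it once from a lab-joined host and once from a main-joined host: the trust table must show the main domain trusting the lab (Outbound from main, Inbound from lab) before ISA can enumerate lab groups, and step 2 must succeed for both domains from both sides before any of the trust troubleshooting is meaningful, since the trust itself is located through those same SRV records.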

