Re: DNS-One Way Trust-questions....



"ECathell" <ecathell@xxxxxxxxxx> wrote in message
news:e3RR7OcSGHA.4740@xxxxxxxxxxxxxxxxxxxxxxx
Hello all.

I have 2 separate domains being utilized where I work. One is the
administration/corporate domain. The other is a resource domain.


Admin domain is MO.net
Resource domain is MT.net

MT trusts MO, MO does not trust MT. <this may be part of my issue....

Not if you have used the terms correctly. Normally the domain with
RESOURCES (to be shared or managed) must TRUST the domain
with USERS (who will be granted privileges.)

Active directory/Windows authentication between MO>MT works fine.

If this is not the same forest (which is implied by a one-way trust since
forest domains have automatic two-way trusts) then generally you need
NETBIOS name resolution to work.

DNS resolution between MO>MT does not.
I am only the admin for the MT domain...
MO is handled by a separate IT department.

Generally they must cooperate with you -- as they did for the
trust -- in setting up name resolution.

Unless you are on a SINGLE subnet you will need WINS servers
for NetBIOS resolution to work.

And you will need ALL DCs (at least) to be WINS clients if you
use WINS server, plus if you have more than one WINS server
they must be set to replicate.

I want to enable MO to resolve names on our network
carte blanche... If I make changes to my DNS (such as aliases
for our webservices) I don't want to have to have MO put
in the aliases on their site, simply have them resolved on our
domain... right now name resolution is sporadic at best...

Then for DNS THEY (on MO) must arrange for their DNS
servers to resolve your zone(s).

In practice this means one of the following:

1) A common root (almost always impractical)

2) Cross secondary (they hold a secondary for your zone)
-- which is usually the only practical solution if they
use Win2000 (not Win2003)

3) Cross stub zone (pretty much like #2 but requires Win2003)

4) Conditional Forwarding -- also requires Win2003 on their
side to enable this.

(Technically there is a fifth choice in Win2003 but it only works
for a single forest so this doesn't seem to fit your situation: AD-DNS
replication forest wide.)



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


--
--Eric Cathell, MCSA
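
Added example, not part of the original post: how options 2 to 4 from the reply above could be set up with `dnscmd` (Windows Support Tools), with zone transfers of MT.net limited to the one MO server that holds the secondary. The two IP addresses and the host name `www.MT.net` are constructed placeholders; only the zone name MT.net comes from the thread.

```bat
rem Added example. Addresses are constructed placeholders (documentation ranges).
rem   MT_DNS = authoritative DNS server for MT.net (resource domain)
rem   MO_DNS = MO DNS server that should resolve MT.net
set MT_DNS=192.0.2.10
set MO_DNS=198.51.100.10

rem --- Run by the MT admin, needed for option 2 (cross secondary) only ---
rem Permit transfers of MT.net to the listed MO server only, and notify it
rem when the zone changes, instead of allowing transfers to any server.
dnscmd %MT_DNS% /ZoneResetSecondaries MT.net /SecureList %MO_DNS% /NotifyList %MO_DNS%

rem --- Run by the MO admins: choose ONE of the following ---
rem Option 2, cross secondary (Win2000 or Win2003 on the MO side):
dnscmd %MO_DNS% /ZoneAdd MT.net /Secondary %MT_DNS%

rem Option 3, stub zone (Win2003 on the MO side):
rem dnscmd %MO_DNS% /ZoneAdd MT.net /Stub %MT_DNS%

rem Option 4, conditional forwarder (Win2003 on the MO side):
rem dnscmd %MO_DNS% /ZoneAdd MT.net /Forwarder %MT_DNS%

rem --- Verify from the MO side: query the MO server, not the MT server ---
rem The SOA answer shows the zone is reachable; the second query checks a
rem single record (www.MT.net is a hypothetical host name).
nslookup -type=SOA MT.net %MO_DNS%
nslookup www.MT.net %MO_DNS%
```

With any of the three options in place, aliases added to MT.net later resolve from MO without MO having to create matching records.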

