Re: Best Plan of action for 2 forest.......
- From: Neil Cadman <NeilCadman@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 22 Mar 2006 10:48:27 -0800
Yep, both domains' DNS servers have got secondary zones for each other and I
have done all the normal tests with nslookup from a comp in the UK to the US
and from the US to here; the DNS seems fine
:(
Only thing I can think of is STUPIDLY I did not notice that the installer
called the domain in the US (NetBIOS name) OFFICEBROKER and not
OFFICEBROKERUSA as per the domain name (officebroker.usa), and the NetBIOS
name for the domain down here (NetBIOS) is also OFFICEBROKER.
I really hope it ain't because of that !!! :@
"Paul Bergson" wrote:
No, that is NetBIOS datagrams; if you are running 2003 to 2003, I don't
believe it is needed.
Do you have both sides set up to see the other's DNS? Just make each other a
secondary DNS of the other.
External Forest Trust
http://technet2.microsoft.com/WindowsServer/en/Library/b30ef067-746e-4453-b879-804259aafdd31033.mspx
DNS
http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci1104911,00.html
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"Neil Cadman" <NeilCadman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:54AB6F56-7743-4C70-A81A-D40DCC5B2D27@xxxxxxxxxxxxxxxx
Hi Paul,
Out of all the ports that had "Listening or Filtered" (none of them had just
Filtered) only two of them did not return any data after the UDP packet was
tried.
Those ports are the following.
88 - Kerberos (which I don't believe is needed for a Win2k3 to Win2k3 trust,
only a Realm to Forest?)
138 - I think this is the underlying problem, as it's the Netlogon which is
used for the main authentication, isn't it?
=============================================
Starting portqry.exe -n 192.168.113.5 -e 138 -p UDP ...
Querying target system called:
192.168.113.5
Attempting to resolve IP address to a name...
IP address resolved to OB-CONTROLLER
querying...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n 192.168.113.5 -e 138 -p UDP exits with return code 0x00000002.
=============================================
Now how to debug this problem :S It's a little strange because I can connect
to all the servers on the network in the US fine; my login details are the
same on both domains (username and password), so when I access a server in the
US by its FQDN it lets me in without asking who I am.
I have Enterprise and Domain admin privileges on both sides too.
"Paul Bergson" wrote:
Not sure what happened on the other response????
When I run this I look for one of the following:
PortQry reports the status of a port in one of the following ways:
- LISTENING: This response indicates that a process is listening on the
target port. PortQry received a response from the target port.
- NOT LISTENING: This response indicates that no process is listening on the
target port. PortQry received one of the following Internet Control Message
Protocol (ICMP) messages from the target port: Destination unreachable, Port
unreachable.
- FILTERED: This response indicates that the target port is being filtered.
PortQry did not receive a response from the target port. A process may or may
not be listening on the target port. By default, PortQry queries a TCP port
three times before it returns a response of FILTERED and queries a UDP port
one time before it returns a response of FILTERED.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"Neil Cadman" <NeilCadman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:17ECB4B3-4215-40E2-A8C7-AEB829AA27E0@xxxxxxxxxxxxxxxx
Sorry to be a pain mate but I'm not very familiar with this tool so here
goes :)
All the ports returned data (schema looking type data) apart from the
following which returned exit codes. Now I'm not sure if the exit codes are
the correct response or not, I'm guessing it's not.
Port Number | Response Code
------------|--------------
389         | 0x0
636         | 0x0
3268        | 0x0
3269        | 0x0
53          | 0x0
445         | 0x0
137         | 0x0
139         | 0x0
42          | 0x0
138         | 0x00000002
88          | 0x00000002
"Paul Bergson" wrote:
Read my article. It provides port numbers as well as a utility to check if
the ports are open.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"Neil Cadman" <NeilCadman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A24E331E-AE25-4760-9910-CB8D2BE80768@xxxxxxxxxxxxxxxx
The two are VPN'ed with a Netscreen Firewall and the VPN is currently set to
allow any service/port to go down it. What ports do you think I should double
check?
"Paul Bergson" wrote:
They are VPN'd, but do you have a firewall up between the two and if so which
ports are open?
Check out my article on Firewall Replication on my Articles page at
http://www.pbbergs.com
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com
This posting is provided "AS IS" with no warranties, and confers no rights.
"Neil Cadman" <NeilCadman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:698C4EC7-73E7-4783-BCA9-FDFEC8EAC807@xxxxxxxxxxxxxxxx
Hi, we have got two forests for our company now, one in the UK and the other
in the US.
They are VPN'ed together over a 2 meg line and I have added DNS forwarders
so the computers in the UK can see/ping all the computers in the US, and the
US comps can see all the comps in the UK.
I have tried to do a Forest Trust between the two but all I get back is
(This operation can not be performed on this domain) and I get this "error"
on both the sides.
I have made sure that both DCs and both Forests are running at 2003 level.
Is there something I have forgotten to do? I have read the prep stuff on
TechNet about how to set it up and bar the DNS there didn't seem to be
anything I needed to do?
They are both Windows 2003 Standard version; do they need to be Enterprise
to form a forest trust?
If anyone can think of a better way of making my networks more like one
network than creating a forest trust I'd like to know your options :D
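Added example, not part of the original thread: a small Python parser for PortQry transcripts in the format pasted above. It separates ports that answered from ports where PortQry saw no reply, which is the "LISTENING or FILTERED" case quoted for UDP 138. The first probe in the sample is the transcript from the thread (name-resolution lines omitted); the second probe, for TCP 445, is constructed for illustration, and the function and field names are this example's own.

```python
import re

# Status line, e.g. "UDP port 138 (netbios-dgm service): LISTENING or FILTERED".
STATUS_RE = re.compile(
    r"^(TCP|UDP) port (\d+) \(([^)]*)\): "
    r"(LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)\s*$", re.M)
# The return code can wrap onto the next line, as it does in the post above.
EXIT_RE = re.compile(r"exits with return code\s+(0x[0-9A-Fa-f]+)")

def verdict(status):
    """Map PortQry's status text onto what it says about the path."""
    if status == "LISTENING":
        return "reachable"        # a response came back from the port
    if status == "NOT LISTENING":
        return "closed"           # an ICMP unreachable message came back
    return "inconclusive"         # no response: silent service or a filter

def parse_portqry(log):
    """Return one record per probe in a PortQry transcript."""
    records = []
    for chunk in re.split(r"(?m)^Starting portqry\.exe", log)[1:]:
        status, code = STATUS_RE.search(chunk), EXIT_RE.search(chunk)
        if status is None:
            continue              # probe ended before a status was printed
        proto, port, service, text = status.groups()
        records.append({
            "proto": proto, "port": int(port), "service": service,
            "status": text, "verdict": verdict(text),
            "exit_code": int(code.group(1), 16) if code else None,
        })
    return records

# First probe: from the thread. Second probe: constructed sample.
SAMPLE = """\
Starting portqry.exe -n 192.168.113.5 -e 138 -p UDP ...
Querying target system called:
192.168.113.5
querying...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n 192.168.113.5 -e 138 -p UDP exits with return code
0x00000002.
Starting portqry.exe -n 192.168.113.5 -e 445 -p TCP ...
querying...
TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n 192.168.113.5 -e 445 -p TCP exits with return code 0x00000000.
"""

if __name__ == "__main__":
    for r in parse_portqry(SAMPLE):
        print(f'{r["proto"]}/{r["port"]:<5} {r["status"]:<22} -> {r["verdict"]}')
```

An "inconclusive" record for a UDP port is consistent with either a filter on the path or a service that simply does not answer an empty datagram, so it needs a second check from the firewall or the target side.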