Re: creating one way trust
- From: dkblee <dkblee@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 9 Jun 2009 17:59:01 -0700
hi! I've 3 DC in my domain. The trust is to my headoffice domain DC which is
of different forest. So in short, i've 3 DC in my domain (branchoffice),
1xwin2k(GC) DC, 2x Win2003 DC. I'm planning to establish a one way trust to
my headoffice which is using their own domain name and different forest from
us.
I just ran the command netdom query fsmo. The schema owner and domain role
owner is in the Win2k DC. Will moving the global catalogue out of it and
dcpromo automatically shift the 2 roles above to my win2003 DC?
The document provided by Ace Fekay...seems to be very complicated for me :)
"Meinolf Weber [MVP-DS]" wrote:
Hello dkblee,
It sounds for me that you do not need/have a trust, it sounds that you have
2 domain controllers in the same domain?
Or did you install a new domain controller with a new forest and the SAME
domain name as the existing one and you like to move the old to the new one???
In a command line type "netdom query fsmo" without the quotes, this will
list all FSMO holders.
In a single forest domain, like domain.com for example, you can make all
DCs Global catalog without any problem. Also you should have it for redundancy
and failover reasons.
Additionally, before demoting a DC make sure the new DC is also a DNS server and
all machines are configured to use it on the NIC as preferred DNS. In a domain
it is best practice to use AD integrated zones in the DNS servers.
So please clarify the current setup and we can go to the future planning
of your network.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
hi! I would also like to find out how do i tell where the following
roles are located (i meant in which dc).
1)schema master
2)domain naming master
3) pdc emulator
4) rid masters
5) infrastructure master
My first DC in my domain is a win2k svr, where the global catalogue
is. I've another 2 DC in win2003r2. I'm thinking of retiring the win2k
svr by configuring one of my current dc as a spare global catalogue.
Once everything is replicated from the win2k svr, I will uncheck the
global catalogue settings in the site and trust of the win2k svr and
retire it. Will this work? any other things (roles) that i need to
move out from the win2k svr to win2003 DCs? I'm also thinking of
moving out the global catalogue from the win2k svr first before
running dcpromo to demote it. Pls let me know whether my plan will
work.
The reason for doing above is that....i think in order to raise the
functional domain...all the DC must be win2003.
Let me know. Thanks.
"Jorge Silva" wrote:
Okay,
Let me try to understand a little more about your network.
How are the DNS servers configured to resolve each other's FQDN? Did you
set up Secondary Zones, Stub Zones, Forwarding, Conditional
Forwarding???
You say that the other trust is in a different network, correct?
Assuming FW between them, download and run "portqueryui.exe" or the
command line version of this tool to test the connectivity between both
forests. If needed open the necessary ports.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"dkblee" <dkblee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B3BA65A9-8033-48C8-801C-5E6009E27B55@xxxxxxxxxxxxxxxx
hi! i did not turn on the firewall. there are 3 DCs in my domain and
those are in the same network (the other external domain that i'm
creating the trust is in different network). Yes i can resolve the
dns name.
"Jorge Silva" wrote:
Hi
- Windows Server 2003 has the FW disabled by default, did you
enable it? If no, do you have any FW between them?
- What type of trust are you configuring?
- How many DCs, and are they in the same network?
- Can you resolve each other's FQDN?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"dkblee" <dkblee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:93122C0D-190D-4B58-ABFB-30C13DA4EEFC@xxxxxxxxxxxxxxxx
hi! I'm testing on a one way trust between 2 different domains.
When configuring that, i got the message the domain can't be contacted.
The DC is running on win2003svr stdn r2. Is there any port that i need to
open in the winsvr firewall?
Will there be any difference in configuring this one way trust
relationship between 2 domains in a same forest and 2 domains from 2
separate forests? what will be the difference? can explain? Thks.
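
An added example, not part of any post in this thread: it parses captured `netdom query fsmo` output and lists which of the five roles still sit on a DC that is scheduled for demotion. The sample output and host names are constructed, and the label spellings for newer netdom builds are an assumption.

```python
import re

# Constructed sample shaped like `netdom query fsmo` output; host names
# are placeholders, not taken from the thread.
SAMPLE = """\
Schema owner                dc-w2k.branch.example
Domain role owner           dc-w2k.branch.example
PDC role                    dc-2003a.branch.example
RID pool manager            dc-2003a.branch.example
Infrastructure owner        dc-2003b.branch.example

The command completed successfully.
"""

# netdom labels mapped to the five role names listed in the thread.
# The second spelling in each pair is assumed for newer netdom builds.
LABELS = {
    "schema owner": "schema master", "schema master": "schema master",
    "domain role owner": "domain naming master",
    "domain naming master": "domain naming master",
    "pdc role": "pdc emulator", "pdc": "pdc emulator",
    "rid pool manager": "rid master",
    "infrastructure owner": "infrastructure master",
    "infrastructure master": "infrastructure master",
}

def parse_fsmo(text):
    """Return {role: holder}; label and holder are split by 2+ spaces."""
    holders = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S+)\s*$", line)
        role = LABELS.get(m.group(1).lower()) if m else None
        if role:
            holders[role] = m.group(2).lower()
    return holders

def retirement_check(text, retiring_dc):
    """Return (roles still on retiring_dc, roles missing from the output)."""
    holders = parse_fsmo(text)
    target = retiring_dc.lower()
    held = sorted(r for r, h in holders.items()
                  if h == target or h.split(".")[0] == target)
    missing = sorted(set(LABELS.values()) - set(holders))
    return held, missing

if __name__ == "__main__":
    held, missing = retirement_check(SAMPLE, "dc-w2k")
    print("still on dc-w2k:", held or "none")
    print("not reported:", missing or "none")
```

An empty first list means no role is reported on the DC being retired; a non-empty second list means the captured output was incomplete and should be re-run before relying on it.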