Re: Trust Relationship Between 2 Domains
- From: Barazi Fuente <BaraziFuente@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 May 2006 00:49:02 -0700
Hi Don
Thank you for your reply. I have set up 2 AD integrated Primary zones
for Domain A and Domain B.
Browsing DNS Server From Domain A In Domain A:
- The Forward Lookup zones for the DC in domain A has the replication scope
set to All DNS servers in the AD Forest.
- Dynamic Updates is set to SECURE ONLY.
- The Name Servers displays all DC's and DNS servers in Domain A & Domain B.
- The Zone Transfers are set to ONLY TO SERVERS LISTED ON THE NAME SERVERS
TAB.
- WINS Forward Lookup is Unticked.
Browsing DNS Server From Domain B In Domain A:
- The Forward Lookup zones for the Domain B DC in domain A has the
replication scope set to All DNS servers in the AD Domain. (Cannot Change
Replication scope to Forest, I get the error message: The replication scope
could not be set. The error was: The name limit for the local computer
network adapter card was exceeded.)
- Dynamic Updates is set to SECURE ONLY.
- The Name Servers displays all DC's and DNS servers in Domain A & Domain B.
- The Zone Transfers are set to ONLY TO SERVERS LISTED ON THE NAME SERVERS
TAB.
- WINS Forward Lookup is Unticked.
The problem I find is that I only see the DC's appearing in the DNS zone
from Domain B in Domain A. No other workstations appear in the DNS zone.
However in Domain B I see all the records of the DNS zones in Domain A &
Domain B without any problems. I have no access problems from Domain B to
Domain A.
I hope this helps, any suggestions I am truly stuck....
"Don Wilwol" wrote:
How is your DNS set up? Does everything point to the same primary and
secondary DNS servers? If your zones are not getting replicated, you can't
find the resources and the trust won't work. You can also try to manually
create a secondary zone in Domain B.
--
--------
Hope It Helps!
dw
_______________________________
Don Wilwol
Distributed Application Technologies.
dwilwol(DELETE)@datbusiness.com
www.AtTheDataCenter.com (personal website)
www.skysphere.com (hosting available)
"Barazi Fuente" <BaraziFuente@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:76B59798-F5AC-4276-9A88-95E5AD2783FD@xxxxxxxxxxxxxxxx
Hi Vincent
Thank you for your reply, but I have already tried to reset the account and
this has not worked. Isn't there another way as by resetting the account I
will need to rejoin the PC to the domain. How can I achieve this on the
Domain controllers?
Thank you Imran
"Vincent Xu [MSFT]" wrote:
Hi,
Actually, I suggest you to reset computer account.
320187 HOW TO: Manage Computer Accounts in Active Directory in Windows
2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;320187
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================
--------------------
From: Barazi Fuente
Subject: RE: Trust Relationship Between 2 Domains
Date: Thu, 11 May 2006 01:16:02 -0700
Newsgroups: microsoft.public.windows.server.migration
Hi Vincent
Thank you for your reply, but the problem is not with just one PC but
several, i.e. 500 workstations and 18 servers, how could I possibly reset
computer accounts and rejoin the domain on Domain Controllers, Exchange
Servers, DNS Servers etc. Isn't there another way or at least a method in
which I can update all the PC's automatically, without having the need to
rejoin the PC's one by one.
Thank you
Barazi
"Vincent Xu [MSFT]" wrote:
Hi,
It appears to be the computer account corrupt. You can try to reset the
computer account.
To perform this procedure, you must be a member of the Account Operators
group, the Domain Admins group, or the Enterprise Admins group in Active
Directory, or you must have been delegated the appropriate authority. As a
security best practice, consider using Run as to perform this procedure.
1. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, under the domain node, click Computers, or click
the folder in which the computer is located.
3. In the details pane, right-click the computer, and then click Reset
Account. NOTE: Resetting a computer account breaks that computer's
connection to the domain and requires it to rejoin the domain.
To reset a computer account using a command line, type the following at a
command prompt, and then press ENTER
dsmod computer ComputerDN -reset
320187 HOW TO: Manage Computer Accounts in Active Directory in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;320187
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================
--------------------
From: Barazi Fuente
Subject: Trust Relationship Between 2 Domains
Date: Wed, 10 May 2006 04:23:02 -0700
Newsgroups: microsoft.public.windows.server.migration
Hello
BACKGROUND
We have 2 domains set up at the site. Domain A was upgraded from NT to
2003 and Domain B at the time remained as NT. A trust relationship was
set up between the 2 domains for users to access resources from Domain A &
B. This has been working very well.
Domain B was then migrated to AD 2003 also. The server was upgraded to be
part of the Forest of Domain A. In the Forest is Domain A & Domain B.
Seeing Domain B was upgraded, the trust relationships were inherited as:
TRUST TYPE: Tree Root
TRANSITIVE: Yes
Incoming and Outgoing in Domain A and Domain B.
All the security and Share permissions were set in Domain A & B so users
from both domains have access.
PROBLEMS
The first problem I noticed was that the DNS servers in Domain A did not
contain all the server details of Domain B, however I could see all the DNS
servers of Domain B in Domain B. I checked all the replication topology.
Everything is being replicated without any errors to all servers in the
Forest.
What I found strange was that users in Domain B could access resources in
Domain A without any problems, however users in Domain A could not access
any resources in Domain B. A dialog box would always appear asking the user
to put in a username and password. Even though the user puts in the Domain
Admin username and password of Domain B, the user still gets Access is
Denied. The user account works perfectly fine when logging onto any servers
and workstations in Domain B.
Recently I found 1 user in Domain A who could access resources successfully
to domains A & B. After being unsuccessful in finding any differences with
his PC and problem PC's as the issue was with the computer not user
account.
TEMPORARY SOLUTION
I decided to re-join a problem PC back into Domain A and this resolves the
problem. The computer can successfully browse resources in both domains
regarding the correct security permissions have been set.
WHAT SHOULD I DO?
Unfortunately I cannot rejoin all the workstations from Domain A as the
problem is also with the servers, including DC's, DNS, WINS, EXCHANGE
etc...
There has got to be another way. Why do I have to rejoin the PC's for them
to work. Is there another way I can achieve my goal. I'm sure all the DNS
entries will appear once this is done. Can you please help?
Thank you
Barazi
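A read-only check for the two symptoms described in this thread (workstation records visible on one domain's DNS server but not the other, and a suspect computer account), as an added example that is not part of the original posts. It assumes a PowerShell 3.0 or later host with the DnsClient module (Windows 8 / Server 2012 or later, newer than the systems in the thread); every host and server name is a constructed placeholder.

```powershell
# Added example: all names below are constructed placeholders, not from the thread.
function Compare-DnsVisibility {
    param(
        [Parameter(Mandatory)][string[]]$HostName,   # FQDNs expected in the zone
        [Parameter(Mandatory)][string[]]$DnsServer   # one DNS server per domain
    )
    foreach ($name in $HostName) {
        foreach ($server in $DnsServer) {
            # -DnsOnly skips LLMNR/NetBIOS, so only zone data held by $server counts.
            $answer = Resolve-DnsName -Name $name -Type A -Server $server `
                        -DnsOnly -ErrorAction SilentlyContinue
            $ips = @($answer | Where-Object { $_.Type -eq 'A' } |
                     ForEach-Object { $_.IPAddress })
            [pscustomobject]@{
                Host      = $name
                DnsServer = $server
                HasRecord = ($ips.Count -gt 0)
                Address   = ($ips -join ',')
            }
        }
    }
}

# Constructed sample input: two workstations and one DC in Domain B,
# queried against one DNS server in each domain.
$hosts   = 'ws001.domainb.example', 'ws002.domainb.example', 'dc1.domainb.example'
$servers = 'dc1.domaina.example', 'dc1.domainb.example'

$report = Compare-DnsVisibility -HostName $hosts -DnsServer $servers
$report | Format-Table -AutoSize

# Hosts that one server answers for and the other does not: the asymmetric
# zone view described in the latest post.
$report | Group-Object Host |
    Where-Object { @($_.Group.HasRecord | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Name }

# Run locally on an affected machine: returns $true when the computer
# account's secure channel to its domain is intact. The cmdlet's -Repair
# switch rebuilds the channel in place and is left out so this stays read-only.
Test-ComputerSecureChannel -Verbose
```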