Trust Problem due to DNS

create share 676 Reputation points
2021-02-08T15:37:41.24+00:00

Hi,

I am trying to create a trust between two forests but the conditional forwarders I created in both the domains are not working correctly. When I ping the domains from each side, sometimes it pings the correct DNS Server but sometimes it pings other DNS Servers which are in different branches. How to let the conditional forwarders always forward the DNS queries to a specific DNS?

Secondly, I am trying to create a trust between an additional DC in one domain and a PDC in another domain, but the PDC is trying to reach the PDC of the other domain, which is not directly connected to it. The additional DC is also a writable DC. The details are like below:

  1. Domain (A) PDC IP: 192.168.1.11
  2. Domain (B) PDC IP: 192.168.2.12
  3. Domain (B) Branch DC IP: 192.168.3.11

Thanks.


3 answers

  1. Anonymous
    2021-02-09T03:32:34.317+00:00

    Hello @create share ,

    Thank you for posting here.

    Before establishing forest/domain trust, we need to set up conditional forwarders OR secondary zone.

    We recommend that the domain controller is also a DNS server.

    We can set up conditional forwarders or secondary zone on the primary domain controller (DNS server) in both domains.

    For example, in my lab environment:

    Forest one: primary domain controller and DNS server, domain controller name: 2012R2, IP address 192.168.2.50, domain name: fabrikam.com.

    Forest two: primary domain controller and DNS server, domain controller name: 2019standard, IP address 192.168.3.50, domain name: a.com.

    Prerequisite:

    1.Ensure both forests are operating at the Windows Server 2003 Active Directory functional level.

    2.Configure a Domain Name Server (DNS) root server that is authoritative over both forest DNS servers involved in the partnership. Alternately, you can create a DNS forwarder on both forest DNS servers, as long as they are authoritative for the trusting forests (we can create conditional forwarder on any DNS(DC) server in the same root domain).

    3.The domain name, FQDN and IP address can be pinged mutually.
    [screenshot: t1.png]

    Create secondary zone:

    1. On the PDC of fabrikam.com, open the DNS server, right-click "Fabrikam.com" -> select "Properties" -> Zone Transfer -> Allow zone transfer to any server.
      [screenshot: t2.png]
    2. By right-clicking on DNS -> "Forward Lookup Zone" -> select "New Zone" -> Secondary Zone -> a.com and IP address, the results are as follows:
      [screenshot: t3.png]
    3. On the PDC of the a.com domain, right-click "a.com" -> select "Properties" -> Zone Transfer -> Allow zone transfer to any server.
      [screenshot: t4.png]
    4. By right-clicking on "Forward Lookup Zone" in DNS -> select "New Zone" -> Secondary Zone -> fabrikam.com, the result is as follows:
      [screenshot: t5.png]

    Set up conditional forwarders

    1. Open the DNS manager on the PDC of fabrikam.com, right-click "Conditional Forwarders" > "New Conditional Forwarders" > enter the other party's domain name and IP address.
      [screenshot: t6.png]
    2. Open the DNS manager on the PDC of a.com, right-click "Conditional Forwarders" > "New Conditional Forwarders" > enter the other party's domain name and IP address.
      [screenshot: t7.png]

    After we set up conditional forwarder or secondary zone, we can create forest trust and validate the trust based on the following links.

    References:

    Create a forest trust
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780479(v=ws.10)?redirectedfrom=MSDN

    How to configure Forest Level Trust in Windows Server
    https://www.interfacett.com/blogs/how-to-configure-forest-level-trust-in-windows-server/

    Verify a Trust
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753821(v=ws.11)?redirectedfrom=MSDN

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

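The procedure above (conditional forwarder or secondary zone, SRV resolution check, then forest trust creation and validation) as a PowerShell script. This is an added example and not part of the answer or of any Microsoft sample; it uses the answer's lab values (fabrikam.com on 192.168.2.50, a.com on 192.168.3.50) and assumes it is run in an elevated session on the fabrikam.com DC with the DnsServer and ActiveDirectory RSAT modules installed, and that the credential prompted for is an Enterprise Admin of a.com. The variable names are the example's own.

```powershell
# Added example (not from the original answer): name resolution between two
# forests with PowerShell, followed by forest trust creation and validation.
# Assumed: run elevated on the fabrikam.com DC; DnsServer + ActiveDirectory
# modules present; the prompted credential is an Enterprise Admin in a.com.
Import-Module DnsServer, ActiveDirectory

$localZone  = 'fabrikam.com'
$remoteZone = 'a.com'
$localDns   = '192.168.2.50'   # fabrikam.com DC/DNS from the answer
$remoteDns  = '192.168.3.50'   # a.com DC/DNS from the answer

# --- Option A: AD-integrated conditional forwarder.
# ReplicationScope 'Forest' stores the forwarder in the ForestDnsZones partition,
# so every DNS server in the forest (branch DCs included) sends a.com queries
# to the same master, instead of only the one server it was created on.
if (-not (Get-DnsServerZone -Name $remoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteZone `
        -MasterServers $remoteDns -ReplicationScope 'Forest' -PassThru
}

# --- Option B: secondary zone instead of a forwarder. Restrict transfers of the
# local zone to the named partner server rather than allowing any server.
# Set-DnsServerPrimaryZone -Name $localZone -SecureSecondaries TransferToSecureServers -SecondaryServers $remoteDns
# Add-DnsServerSecondaryZone -Name $remoteZone -ZoneFile "$remoteZone.dns" -MasterServers $remoteDns

# --- Prerequisite check: this DC must be able to locate the other forest's DCs
# through the _msdcs SRV records, not just ping the domain name.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteZone" -Type SRV -Server $localDns -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' |
    ForEach-Object { '{0} -> {1}:{2}' -f $_.Name, $_.NameTarget, $_.Port }

# --- Create the two-way forest trust through System.DirectoryServices.
$cred = Get-Credential -Message "Enterprise Admin account in $remoteZone"
$ctx  = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList 'Forest', $remoteZone, $cred.UserName, $cred.GetNetworkCredential().Password
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$direction    = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

$localForest.CreateTrustRelationship($remoteForest, $direction)

# --- Validate from this side and show the resulting trust object.
$localForest.VerifyTrustRelationship($remoteForest, $direction)
Get-ADTrust -Filter "Name -eq '$remoteZone'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
```

Two practitioner notes. Option A with a forest replication scope is what makes a forwarder consistent across DCs; a forwarder created with the GUI on one server and not stored in AD exists only on that server, so clients pointed at another DC resolve the partner domain differently. For Option B, a zone that allows transfer to any server hands the full list of DCs and service records to anyone who can reach port 53, which is why the commented line limits transfers to the named secondary. Leave SID filtering (the SIDFilteringQuarantined value shown at the end) enabled on the new trust, and consider selective authentication if only a few accounts in a.com need access to fabrikam.com resources.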

  2. create share 676 Reputation points
    2021-02-09T16:37:27.837+00:00

    Found the problem with replication to additional DCs. Sysvol and Netlogon folders are missing in the branch DC. The GPOs are also not being synced across DCs.

    The problem is that the PDCs of both the domains don't have access to each other. They are connected through additional DCs in the middle.

    I am always getting the below error while testing the trust from one side but it is working from the opposite side.

    [screenshot: trust-error.png]


  3. Anonymous
    2021-02-10T02:40:17.31+00:00

    Hello @create share ,

    Thank you for your update.

    Based on my experience, it may be your forest issue or DNS issue.

    Here are my suggestions:

    1. We can remove the forest trust and conditional forwarder on the PDCs of both forests.

    2. Check DC health of all DCs in both forests by running DCdiag /v on every DC.

    3. Check AD replication for each forest by running the following commands on the PDC in each forest; if there is no error in the result, AD replication may be working properly.
    repadmin /showrepl
    repadmin /replsum
    repadmin /showrepl * /csv >c:\repsum.csv

    4. Check if NETLOGON and SYSVOL are shared on all DCs in both forests.

    5. Check if SYSVOL replication works properly for each forest.

    We can create a new file or folder in the path \\fabrikam.com\SYSVOL\fabrikam.com\Policies on one DC, and check if the same file or folder is replicated to the other DCs in the same domain.

    6. Check if we can update GPO by running gpupdate /force on each DC in both forests.

    7. Please ensure both forests are working fine, then we can try to create conditional forwarders OR a secondary zone.

    8. Create the forest trust.

    9. Validate the forest trust.

    Tip: If your forests are named like abc.xyz.com and xyz.com, you cannot set a conditional forwarder; create a secondary zone instead.

    Best Regards,
    Daisy Zhou

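Steps 2 to 6 of the checklist above, run against every DC of one domain from a single script. This is an added example, not part of the answer; it assumes a Domain Admin session on any DC of the domain with the ActiveDirectory RSAT module installed, and the marker file name, the Policies folder as marker location, and the 60-second replication wait are the example's own choices. Run it once per forest (once per domain if a forest has more than one).

```powershell
# Added example (not from the original answer): automate the DC health checks
# (dcdiag, repadmin, NETLOGON/SYSVOL shares, SYSVOL replication, gpupdate).
# Assumed: Domain Admin session on a DC; ActiveDirectory module present;
# marker name, marker folder and the 60 s wait are arbitrary choices.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = (Get-ADDomainController -Filter *).HostName     # every DC in this domain

# Steps 2 and 4: dcdiag failures plus the two shares, one row per DC.
$report = foreach ($dc in $dcs) {
    $diag   = dcdiag /s:$dc /q 2>&1                        # /q prints only problems
    $failed = @($diag | Select-String -Pattern 'failed test').Count
    [pscustomobject]@{
        DC           = $dc
        DcdiagFailed = $failed                              # 0 is what you want
        NETLOGON     = Test-Path "\\$dc\NETLOGON"           # False on the OP's branch DC
        SYSVOL       = Test-Path "\\$dc\SYSVOL"
    }
}
$report | Format-Table -AutoSize

# Step 3: replication summary, then only the partnerships with failures.
repadmin /replsum
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.'Number of Failures' -ne '0' } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
    Format-Table -AutoSize

# Step 5: drop a marker under SYSVOL\<domain>\Policies on the PDC emulator and
# look for it on every other DC after a wait. A missing marker on a DC that
# does share SYSVOL means SYSVOL (DFS-R/FRS) replication is not reaching it.
$pdc    = $domain.PDCEmulator
$marker = '__sysvol-repl-test-{0}.txt' -f ([guid]::NewGuid().ToString('N'))
$src    = "\\$pdc\SYSVOL\$($domain.DNSRoot)\Policies\$marker"
Set-Content -Path $src -Value (Get-Date -Format o)
Start-Sleep -Seconds 60
foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
    $present = Test-Path "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$marker"
    '{0}: SYSVOL marker replicated = {1}' -f $dc, $present
}
Remove-Item -Path $src -ErrorAction SilentlyContinue      # clean up the marker

# Step 6: Group Policy refresh on this DC; errors here usually trace back to
# the SYSVOL or DNS findings above.
gpupdate /force
```

Read the output in the order of the checklist: a DC with DcdiagFailed greater than 0 or with NETLOGON/SYSVOL False (the symptom reported in the follow-up post) is not a healthy replication partner, and a forest trust should not be attempted until every DC in the table is clean and the marker shows up on all of them.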
