How do I set up a one way trust when some DCs are firewalled off from each other?


Solution 1

You should only need DNS resolution for the AD domain name itself, not for specific zones or RRs in the zones. You need to isolate the problem to either a name resolution problem (DNS) or a communication problem (firewall).

Rather than using host files, the recommended configuration is to set up conditional forwarders for each domain in the opposing domain's DNS servers (DNS serverA in domainA has a conditional forwarder to DNS serverB for domainB).

From each domain, run nslookup and query for the other domain (domain.tld). Nslookup should return the IPv4 and IPv6 addresses of the DNS servers for that domain (which are probably also the DCs for that domain, unless you've split the DNS role off the DCs). If nslookup works, then DNS resolution is OK and you should look at the firewall as the likely culprit.

Solution 2

You're a little unclear, but the DCs need to be able to communicate for there to be a trust. Set up a VPN if you have to.

You also mention something about the hosts file. Don't do this, it's bad. Use a conditional DNS forwarder to the target domain instead.

Solution 3

Your firewall will need to allow LDAP and DNS traffic between domain controllers in each forest. You will need at least 1, but 2 would be best for redundancy. You do not need to create a firewall rule for every domain controller.

LDAP: 389, 636 (SSL)
LDAP Global Catalog lookups: 3268, 3269 (SSL)
DNS: 53

You will also want to set up conditional forwarders in each domain. On a DC/DNS Server in Forest A, create a conditional forwarder for Forest B pointing to 1 or 2 DNS servers in forest B. Then, in Forest B, create a conditional forwarder for Forest A that points to 1 or 2 DNS servers in Forest A.
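The procedure in Solutions 1 and 3 (conditional forwarder in each forest, then confirm name resolution and the firewall path separately) as one script. This is an added example, not code from the original answers; the domain name domainB.example, the remote DNS server addresses 10.20.0.10 and 10.20.0.11, and the forest names are assumptions. It uses the DnsServer and NetTCPIP modules that ship with Windows Server 2012 and later (or RSAT); on the Windows Server 2008 DCs in the question the conditional forwarder is created with `dnscmd /ZoneAdd domainB.example /Forwarder 10.20.0.10 10.20.0.11` instead, and the resolution check is the nslookup query from Solution 1.

```powershell
# Added example: run on a DC/DNS server in Forest A, then again in Forest B
# with the values swapped. All names and addresses below are assumptions.
Import-Module DnsServer

$RemoteDomain = 'domainB.example'              # the other forest's AD domain (assumed)
$RemoteDns    = @('10.20.0.10', '10.20.0.11')   # 1 or 2 DNS servers in that forest (assumed)

# 1. Conditional forwarder for the remote domain, stored in AD and replicated
#    to every DNS server in this forest so all DCs resolve it the same way.
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
        -MasterServers $RemoteDns -ReplicationScope 'Forest'
}

# 2. Name resolution check. The first query is what "nslookup domain.tld"
#    returns (A/AAAA records of the DCs). The second is the SRV record a DC
#    uses to locate DCs in the other forest; a hosts file can satisfy the
#    first query but never the second, which is why hosts files do not work.
Resolve-DnsName -Name $RemoteDomain -ErrorAction Stop |
    Where-Object { $_.Type -in 'A', 'AAAA' } |
    Format-Table Name, Type, IPAddress -AutoSize

$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop
$remoteDcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 3. Firewall check: TCP connect to each remote DC on the ports listed in the
#    answer above, plus Kerberos and SMB, which the answer does not list but a
#    trust also needs. Test-NetConnection only tests TCP, so UDP 53/88 is not
#    covered here; a DNS failure in step 2 is the signal for that.
$ports = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'GC' },
    @{ Port = 3269; Name = 'GC-SSL' },
    @{ Port = 88;   Name = 'Kerberos' },   # not in the answer; required for a trust
    @{ Port = 445;  Name = 'SMB' }         # not in the answer; required for a trust
)

foreach ($dc in $remoteDcs) {
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-35} {1,5} {2,-9} {3}' -f $dc, $p.Port, $p.Name, $state
    }
}
```

If step 2 fails, the problem is DNS (forwarder missing, pointing at the wrong servers, or port 53 blocked); if step 2 succeeds and step 3 shows BLOCKED entries, the problem is the firewall, which is the split Solution 1 describes. Because the SRV lookup returns every DC registered in the remote forest, the port test also exposes the case from the comments below where only some DCs are reachable.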



Juanjo Daza

Updated on September 18, 2022

Comments

  • Juanjo Daza
    Juanjo Daza almost 2 years

    I have two Windows 2008 forests in Win2003 mode and I need to set up a one way trust between them. The validation button in Domains And Trusts works in one forest but not in the other.

    I think this is because not all DCs can see all the other DCs. I'm not sure if I need to set up the hosts file, so I did so with company.com in the respective domain along with the relevant DC. (Do I need _msdcs, _tcp zones, etc.?)

    How do I set up a one way trust when some DCs are firewalled off from each other?

    • Massimo
      Massimo over 12 years
      FYI: a hosts file can only contain (the equivalent of) A records. It can't help resolving SRV records, like the ones in the _* zones used to locate DCs.
  • Juanjo Daza
    Juanjo Daza over 12 years
    Thanks. Do all DCs need to be able to communicate with all others? Just the ones holding a FSMO? Is IPv6 required?
  • MDMarra
    MDMarra over 12 years
    All of the DCs should be able to communicate with each other. FSMO roles don't come into play here.
  • Juanjo Daza
    Juanjo Daza over 12 years
    That may be the issue; some DCs are on subnets that can't route to the others. This happens when we quickly acquire new companies and add them on board. Conflicting subnets get isolated until we can re-IP.
  • MDMarra
    MDMarra over 12 years
    Then it sounds like you need to set up a site-to-site VPN and split-tunnel your traffic in these instances.
  • Juanjo Daza
    Juanjo Daza over 12 years
    Do you think DirectAccess could be of benefit?
  • MDMarra
    MDMarra over 12 years
    Probably not. You'll have to set up a mesh of connections between all DCs. Honestly, set up a termination point once at your main datacenter, and configure one for each company that you acquire at their site. I'm shocked that you don't have this already. It sounds like you acquire quite a few companies at a fast pace.
  • Yarik Bright
    Yarik Bright almost 12 years
    SturdyErde YOU ARE THE MAN!! Conditional forwarding on my DNS servers solved my 2 month long battle with a trust relationship between 2 domains on different subnets between 2 routers. I had been thinking it was a routing issue up until I saw this post tonight, in which you explained to use Conditional Forwarding rules on the DNS servers instead of the "Secondary DNS Zone" solution which I've been using. For some reason the secondary zone solution works for me when domains are linked site to site via IPsec, but when trusting two domains that are in the same building but are on different subnets, cond
  • SamErde
    SamErde almost 12 years
    Glad I could return a favor to another Stack Exchange user. :)