External trust problem - A complex scenario!
Hello,
We have a scenario which I think is down to name resolution. I need some advice on how to work around this issue. Our ultimate goal is to perform an Active Directory migration of computer accounts only from domain A to domain B. Here is our scenario:
There are 2 domains. Domain A and domain B. Both domains are in their own forest. Both domain and forest levels are 2008 forests. A firewall separates the 2 network segments. Security between the 2 forests is of paramount importance and we are not allowed to open the firewall wide open.
Domain B has a total of 3 domain controllers (DC1, DC2 and DC3). One of these domain controllers (DC3) is on the same network segment as the DCs in domain A. DC2 and DC3 are behind a firewall and cannot communicate with the DCs from domain A. They can, however, communicate with DC3.
On domain A there is a DNS conditional forwarder pointing to domain B. On domain B there is a conditional forwarder pointing to domain A.
The Problem: From a client joined to domain A, I ping the FQDN of domain B. It resolves the IP, however sometimes it cannot ping as the firewall is blocking communication to DC1 and DC2. Occasionally it will resolve DC3 and the ping will work as and when the DNS round robin allows. When I try and create a trust I believe the same problem is occurring.
What I need: I believe that if I can get a client to only use the IP address that it can physically get to, the problem will be resolved. How can I get clients joined to domain A to only use the IP of DC3 on domain B? Something which works like an A record priority would be ideal, but I don't believe this to be an option with A records in DNS?
Does anyone know how I can do this?
August 29th, 2012 10:10am
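The symptom described above (the domain name resolves to all three DCs in round-robin order, but only one of them is reachable through the firewall) can be made visible from the domain A side before any trust is attempted. The following PowerShell script is an added diagnostic example, not code from the thread or from Microsoft. It assumes PowerShell 3.0 or later with the DnsClient module (Resolve-DnsName) on a workstation joined to domain A, and uses the placeholder name `domainb.example` for domain B. It resolves the DC locator SRV record and the domain's A records, then tests the well-known TCP ports a trust needs against every DC, so the single reachable DC and the blocked ones show up side by side.

```powershell
# Added diagnostic example (not part of the original thread).
# Assumes PowerShell 3.0+ with Resolve-DnsName, run from a client in domain A.
# 'domainb.example' is a placeholder: replace it with the real DNS name of domain B.
$TargetDomain = 'domainb.example'

# Well-known TCP ports used when creating and validating a trust. Dynamic RPC
# ports (49152-65535 on 2008 and later) are also needed but are not probed here.
$TrustPorts = @{ 88 = 'Kerberos'; 135 = 'RPC-EPM'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kpasswd' }

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on systems without Test-NetConnection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. What the DC locator sees: every DC that registered itself for domain B.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetDomain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }

# 2. What a plain 'ping domainb.example' sees: the A records, served round-robin.
$domainA = Resolve-DnsName -Name $TargetDomain -Type A | Where-Object { $_.Type -eq 'A' }
Write-Host "A records for $TargetDomain (order as returned this time): $($domainA.IPAddress -join ', ')"

# 3. Probe each DC on the trust ports so the reachable one stands out from the blocked ones.
foreach ($rec in $dcRecords) {
    $dcName = $rec.NameTarget
    $ip = (Resolve-DnsName -Name $dcName -Type A |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    $portResults = foreach ($port in ($TrustPorts.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -ComputerName $ip -Port $port) { 'open' } else { 'blocked' }
        '{0}/{1}={2}' -f $port, $TrustPorts[$port], $state
    }
    [pscustomobject]@{
        DC       = $dcName
        IP       = $ip
        Priority = $rec.Priority
        Weight   = $rec.Weight
        Ports    = ($portResults -join ' ')
    }
}
```

Run it a few times: the A-record order changes with each answer (the round robin the post mentions), while the per-DC port table stays constant and documents exactly which controller and which ports the firewall currently permits. That table is the evidence to hand to the firewall and security teams when deciding what has to be opened for the trust.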
Hi Friend
It's better to use the AD migration tool: http://www.microsoft.com/en-us/download/details.aspx?id=17488
After migration, you need to edit your firewall for DNS ports.
THERE IS NO WAY to install AD without DNS, because DNS is integrated with AD.
August 29th, 2012 10:45am
Hello,
Yes, I'm aware of what's needed for an AD migration. What I need to know is how I can get domain A to trust domain B but only use DC3 as its point of communication. As it stands domain A wants to talk to DC1, 2 and 3. Because of legal restrictions, it can't talk to them all; it has to only use DC3 to set up the trust.
August 29th, 2012 10:57am
Hello,
You cannot really specify a dedicated DC for trust connections. Please see this similar discussion and what may help you with this:
http://social.technet.microsoft.com/Forums/en-IE/winserverDS/thread/28f8884f-c073-41e0-b2ee-0dbb2dff5a1f
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
August 30th, 2012 3:20am