Need User with Admin Rights in Trusted Domains

I am a programmer trying to cover a network position and setting up remote backup solutions.  Had basic networking about 20 years ago but this is far above my training.  The provider of the backup solution told me it was easy to setup their product for remote backup but neglected to say we needed someone with a lot of network experience dealing with multiple domains.  I could use some professional network advice from someone in the forum.

Basically, the software needed us to create a trust between two domains so they could openly communicate and transfer files.

I've been reading Technet for over a month now and I have established two way trust between my domains.  I built an ID in both domains with domain admin rights and the same password.  I can telnet all the ports required from either domain to the other and I can ping fully qualified and short names from either side.  From each server, I can see the opposite domain as an option for login.  All of this leads me to believe I am good as far as the trusts and firewall but it still doesn't work with the software.

This appears to be the issue holding me back but I am not sure:

Local Domain is DomainA.com
Remote Domain is DomainB.com
User ID is TestUser

Servers on both ends are Win 2003 64bit.  I will add that the server on my end is part of a dual domain environment.  We had a primary domain that was also web (mycompany.com for domain and web presence) which caused a conflict with trust. I made my local server its own unique domain so I could establish trusts without conflicts.  Could not think of another way to do it.

From DomainB, I can log into the server (that is on DomainB) with TestUser using the selected domain of DomainA.com. I can also do the reverse from DomainA to DomainB.

The TestUser appears to NOT have admin rights to the server or the domain in either case.  In active directory in both domains, the user has Domain Admin level rights but for the local domain only.  If I try to add a user from DomainB to DomainA, it won't let me. The location drop downs only show the current local domain. This now has me questioning if the trusts were done correctly.

Hopefully I am clear, if not let me know what you need and I will provide.  Does this sound like an AD issue only or could I have messed up something in the trust that is bogging me down?

Any advice would be appreciated.

Douglas

June 27th, 2013 7:35pm

I'm not sure where the issue lies. Maybe a little more info may help us.

I will add that the server on my end is part of a dual domain environment.  We had a primary domain that was also web (mycompany.com for domain and web presence) which caused a conflict with trust. I made my local server its own unique domain so I could establish trusts without conflicts.  Could not think of another way to do it.

Do you mean that you have two separate AD domains? And mycompany.com is not DomainA.com or DomainB.com? Can you elaborate on where this comes into play with the trusts, assuming mycompany.com is not the same as DomainA.com or DomainB.com?

-

Which domain did you create the TestUser account in?  

Assuming the TestUser account was created in DomainA.com, did you add the TestUser account to DomainB.com's Domain Administrators group?

What type of trust did you create? Was it a forest trust (that uses DNS for resolution) and with no restrictions, or is it a domain to domain trust (that uses NTLM)?

In the meantime, please review the following:

Using Group Nesting Strategy - AD Best Practices for Group Strategy
Published by acefekay on Jan 6, 2012 at 10:34 PM
http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx

Accessing resources across forests
http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx

June 27th, 2013 8:15pm

Ace,

Sorry for the delay. I did not get a notification of a reply even though I requested to receive one. I will try RSS feed instead and see if it works better.

I had tried to create a trust between mycompany.com and DomainB.com. Going from mycompany.com to DomainB.com appeared to work fine. When I tried to go from DomainB.com to mycompany.com, tracing showed it was trying to go to web's external IP address and not the internal IP address for the trust. Did not find good articles on how to avoid this problem so I created a second domain (DomainA.com) on the same local network with its own AD and DNS.

TestUser has an account on both DomainA and DomainB and appears as DomainA\TestUser on DomainA and DomainB\TestUser on DomainB in their Domain Admins groups. I can not seem to get DomainB\TestUser on DomainA or vice versa.

Domain Function and Forest Function Levels are 2003 on both ends. Trust Type is Forest. Direction of Trust is Two-Way. Transitivity of Trust is Forest Transitive. Name Suffix Routing shows *.DomainA.com enabled and *.DomainB.com on the other end. Authentication is Forest-Wide. This is for both incoming and outgoing trust. When I validate, I use TestUser and Password. It always returns a pop-up that says successful and then asks about child changes for updating suffix, to which I click the affirmative action.

I have not seen your links before. I will read them today.

Hope the above answers all your questions and makes sense.

Douglas


June 28th, 2013 6:05pm

It doesn't sound like you got DNS conditional forwarders setup properly because it's resolving the external IP for the name.

If you're going to do a three-way full trust between mydomain.com, DomainA.com and DomainB.com, here's how DNS should be set up - and duly note that resolution MUST resolve to internal private IPs, not public IPs, or the whole thing goes south. If it's resolving public IPs, then either you're pointing to the wrong DNS servers, or the DNS servers have public IPs for the record.

-

In the DNS server for mydomain.com:

  • Create a Conditional Forwarder for DomainA.com pointing to a DNS server in domainA.com by using the private IP address, not a public DNS.
  • Create a Conditional Forwarder for DomainB.com pointing to a DNS server in DomainB.com by using the private IP address, not a public DNS.

-

In the DNS server for DomainB.com:

  • Create a Conditional Forwarder for DomainA.com pointing to a DNS server in DomainA.com by using the private IP address, not a public DNS.
  • Create a Conditional Forwarder for MyDomain.com pointing to a DNS server in MyDomain.com by using the private IP address, not a public DNS.

-

In the DNS server for DomainA.com:

  • Create a Conditional Forwarder for DomainB.com pointing to a DNS server in DomainB.com by using the private IP address, not a public DNS.
  • Create a Conditional Forwarder for MyDomain.com pointing to a DNS server in MyDomain.com by using the private IP address, not a public DNS.
June 29th, 2013 8:59am

Ace,

Sorry there was a misunderstanding.  I am not looking for a three-way trust.  Only want a two way trust between DomainA and DomainB.  I was only trying to explain steps taken.

I think we found a big part of the issue.  In DomainA, my SOA and NS for DomainB were pointing to DomainA.  In DomainB, my SOA and NS was incorrect as well.  I edited both to point as directed above.

I went to DomainB and tried to login to my backup server using TestUser, Password and DomainA and got a new error message: 'Local policy does not permit you to log on interactively'

I am researching this error now.

Thank you for your assistance so far.  I really feel like we are progressing to a solution.  Thank you.

Douglas

July 1st, 2013 5:01pm

Just eliminate the steps for mydomain.com.

I'm not sure why the SOA or NS records were even touched?? With any forwarding method, none of that is touched. Besides, the SOA changes automatically with AD integrated zones anyway, to the DC that accepted the last registration request at that point in time. It must not be touched.

Are you trying to access a DC or a member server? If you did it properly by providing the other account admin rights, you shouldn't be getting that interactive error.

July 1st, 2013 5:32pm

I took out the other records as suggested and trust was broken.  I deleted the trust and basically put myself back to square one (starting with a clean slate).

Using the wizards, I built the forwarder in each DNS.
DomainA DNS forward is for DomainB and shows DomainB internal names and IP Addresses
DomainB DNS forward is for DomainA and shows DomainA internal names and IP addresses

I then went through the wizard from DomainA to establish trust with DomainB. In order, I did the following: Forest Trust, Two-Way, Both this domain and the specified domain, (ID/Password), Forest-Wide Authentication for inbound and outbound, Yes to confirm outgoing, Yes to confirm incoming.

At the end of the wizard, I get the following error:
"The verification of the incoming trust failed with the following error(s): The trust password verification test was inconclusive. A secure channel reset will be attempted. The secure channel reset failed with error 1311: There are currently no logon servers available to service the logon request."

If I go to DomainB, go to trusts, I see DomainA. When I go into properties of Outgoing and try to Validate, I get the following error: "Windows could not find a domain controller for the ...DomainA. Verify that a DC is available and try again."

If I go into the incoming and try to validate, I get an error and prompts to reset password.  When I say Yes, I get the following error: "The Local Security Authority is unable to obtain an RPC connection to the domain controller Server.DomainA. Please check that the name can be resolved and that the server is available."

server.DomainA is up and running. From server.DomainB, I can ping server.DomainA and vice versa using IP and fully qualified names.

The DNS records and forwards never looked like they do now but they make sense the way they appear and didn't before. I think the trust before was flawed.

July 1st, 2013 5:38pm

Pinging is not the best way to test connectivity. That just says ICMP is open and you are able to resolve the other domain's FQDN by using the FQDN (long name) and not short names, nor does it tell you if the SRVs exist. To resolve single names, you'll need Search Suffixes. Did you also create a Search Suffix for the other domain?

Also, are there any ports being blocked? If you can resolve FQDNs, but you're seeing RPC errors and can't find DC errors, then that tells me either there's a DNS misconfiguration, SRV records are missing, ports are blocked, or all the above.

Let's see an unedited ipconfig /all from the DCs from each domain, and explain how exactly you created the conditional forwarders. 

July 1st, 2013 7:02pm
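As an added example (not from the thread or from either poster), this PowerShell script does what Ace's two replies above describe: it creates only a conditional forwarder for the remote domain, then checks that the FQDN resolves to a private address, that the DC locator SRV records exist, that the usual trust ports are reachable, and finally runs the built-in DC locator and trust verification instead of relying on ping. Domain names follow the thread; the DC address 10.20.0.10 and the DnsServer/NetTCPIP cmdlets (Windows Server 2012 or later) are assumptions, with the 2003-era equivalents noted in comments.

```powershell
# Added example, not from the thread. Run on a DC of the local domain (DomainA.com).
# Placeholder values: DomainB.com is the remote forest, 10.20.0.10 a DomainB DC.
# Add-DnsServerConditionalForwarderZone needs the DnsServer module (2012+); on a
# 2003-era DC the equivalent is:  dnscmd /ZoneAdd DomainB.com /Forwarder 10.20.0.10
$LocalDomain  = 'DomainA.com'
$RemoteDomain = 'DomainB.com'
$RemoteDcIp   = '10.20.0.10'   # private address of a DomainB DC (assumed)

# 1. Conditional forwarder only. The local zone must not carry NS, SOA or A
#    records for the remote domain; the forwarder takes care of resolution.
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
        -MasterServers $RemoteDcIp -ReplicationScope 'Forest'
}

# 2. Resolution must land on RFC 1918 space; a public address means the query
#    went out to the Internet instead of through the forwarder.
function Test-PrivateIPv4 ([string]$Ip) {
    $Ip -match '^10\.' -or $Ip -match '^192\.168\.' -or $Ip -match '^172\.(1[6-9]|2\d|3[01])\.'
}
$aRecords = Resolve-DnsName -Name $RemoteDomain -Type A -ErrorAction Stop
foreach ($r in $aRecords | Where-Object IPAddress) {
    $state = if (Test-PrivateIPv4 $r.IPAddress) { 'private, OK' } else { 'PUBLIC - wrong DNS path' }
    "{0} -> {1} ({2})" -f $RemoteDomain, $r.IPAddress, $state
}

# 3. The DC locator SRV records are what the trust wizard and Netlogon need;
#    ping never exercises them.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    "No DC SRV records for $RemoteDomain - expect 'no logon servers available' (error 1311)"
} else {
    $srv | Where-Object NameTarget | ForEach-Object { "DC SRV: $($_.NameTarget):$($_.Port)" }
}

# 4. TCP ports a forest trust relies on (sample set, not exhaustive):
#    DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, Global Catalog.
foreach ($port in 53, 88, 135, 389, 445, 464, 3268) {
    $open = (Test-NetConnection -ComputerName $RemoteDcIp -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "TCP {0,5}: {1}" -f $port, $(if ($open) { 'open' } else { 'BLOCKED' })
}

# 5. Built-in tools (also present on Windows 2003) that walk the same path the
#    trust wizard does: locate a DC via the SRV records, then verify the secure channel.
nltest /dsgetdc:$RemoteDomain
netdom trust $LocalDomain /domain:$RemoteDomain /verify
```

Run the same script on a DomainB DC with the two domain names swapped so both directions of the trust are checked.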

Ace,

Never looked in the forwarders until I got your message so I am not sure how they were changed.

DomainA only has one server and it is the DC.
In DomainB, I am trying to login to a member server of DomainB.  Trust was setup between DomainA and DomainB DCs.

Based on your comments above, I tested/validated my trust again.  My SOA on both ends changed back to what they were.
In DomainA, SOA is DomainA and I have an NS for both DomainA and DomainB. I also have a Host(A) for DomainB DC and internal address.
In DomainB, SOA is DomainB and I have an NS for both DomainA and DomainB. I also have a Host(A) for DomainA DC and internal address.
Never had the second NS and Host(A) before but validation again is successful.

Been looking at the links you provided for Group(s).  Well written but I got confused at one point and hoping you can clarify.
Say DomainA only for now, I build my two Groups as outlined in Active Directory:
G_DomainA - is a Global/Security Group, Member is DomainA/TestUser; Member of DLG_DomainA_FC
DLG_DomainA_FC  - Is DomainLocal/Security Group, Member is G_DomainA

I created the same in DomainB as follows:
G_DomainB - is a Global/Security Group, Member is DomainB/TestUser; Member of DLG_DomainB_FC
DLG_DomainB_FC  - Is DomainLocal/Security Group, Member is G_DomainB

Where I am unclear is the Universal (U_DomainAll).  Your write-up says to build just one Universal Group.  Do I just pick one Domain (say DomainA) and add that group?  I did this in DomainA and I was able to add the G_DomainA as a member.  I don't see how to add G_DomainB?  Location only shows DomainA and doesn't recognize DomainB/G_DomainB or G_DomainB@DomainB.com.


July 1st, 2013 10:20pm

First of all, there should be no NS or hostname records in a domain's zone for any other domains. The forwarder takes care of that. Please remove any records that do not belong to their respective domains.

To lessen the confusion, simply add DomainA's Domain Administrators group to DomainB's Administrators group, and DomainA's Domain Users group to DomainB's Users group. Then test access by connecting from DomainA to a resource on DomainB, such as a shared folder, using DomainA's Administrator account. If that works, now try to use RDP as you were describing.

July 1st, 2013 10:37pm

Ace,

Sent you an email with the setups as print screens.  Didn't want my IP's, etc posted on the web for all to see.  Being overly cautious.

As far as how I set up forwarders, I went into DNS and then the forward folder.  Right click and select new zone. Then selected Stub Zone with Store the zone in Active Directory checked.  I selected to All Domain Controllers in the Active Directory domain for zone replication. Gave the zone a name which was my domain name. Input the internal or DMZ IP address of the DC in the domain.  Clicked Finish.

Should I have done this differently?

Thanks,

Douglas

July 2nd, 2013 10:28am

Thanks for contacting me. Some of the images are small and difficult to read.

It appears that aksm-CAS064 is an Exchange server. Is that also a DC? If it is, you've introduced a major issue with more than one NIC and IP on a DC. Now I can see why, at least partially, the trust is failing.

Probably also due to the Stub, but I'm not sure. 

I suggested to use Conditional Forwarders, not Stubs. Stubs can be used, but require zone transfer settings to be allowed by the other domain's DNS servers that are in the records, so you have to go to each one to do that manually. That was why I suggested Conditional Forwarders.

Also, all TCP/UDP ports must be wide open between the two.

To get you on the right foot, beyond what I and anyone else here in the forum may offer as a suggestion, will be a little more complex than can be said in forum posts. I provided the basics, which should just work.

Have you considered finding and getting a qualified consultant involved? After all, this is a production implementation, and I think that may be your best bet at this time to get this going.

July 2nd, 2013 12:11pm

Ace,

It actually is not an Exchange server.  I just have AD but no mail services.

Only software running (other than OS) is Symantec Backup Exec 2012.  I went Stub based on their recommendation but they would not tell me how to configure.  Relied on MS Articles for that.

I have been trying to get a pro for about a month without success.  Have been trying another angle for the last week but not moving very quickly.  Most don't want to do just this task and call it done.  They want a bigger project.

Thanks for all your assistance up to date.  You ever need programming or DB advice, hit me up.  Will try again to get someone in here.

Douglas

July 2nd, 2013 3:28pm
