Creating External Trust Between Domains

Hi Guys, basically as the title says I am looking to create an external trust between two domains.

A subsidiary part of the company now has its own servers, domain etc., but these employees are connected to the domain1 network and need to be part of the new domain instead. So initially there was domain1, and a new part of the company has been set up and migrated to a new domain (domain2) offsite in a datacentre. Network routes have been put in place so the domain2 network can be accessed while connected to the domain1 network. The issue is that there are employees who are physically in the domain1 network who need to be connected to domain2 instead. So even though I can ping servers in the datacentre on domain2 from the domain1 network, when I try to connect the user's PC to domain2 it can't see the DC on domain2. (Hope you can understand this lol)

Been looking online and people have been saying about creating DNS forward lookup zones etc. between domains. I can ping domain2 servers fine by IP but names are not resolving. When I try to create the trust it says it cannot find the domain to connect to.

Can someone give me some advice or how to go forward with this or have you had to do something similar before.

Thanks in Advance
 
If you're unable to resolve the name of one domain from the other, you'll need to configure DNS in each domain to be able to find the other domain. If you don't want to replicate the zones between the two domains, you can use a conditional forwarder instead - just create a conditional forwarder for domain2 on the DNS servers on domain1, and vice versa. The DNS servers in both domains will then know where to forward requests for host names in the other domain, and so the domains will be able to "see" each other, as it were.
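An added worked example of the conditional-forwarder setup and the checks that go with it (this is not anyone's code from this thread). It assumes a Windows Server 2012 R2 DC in domain2 with the DnsServer and ActiveDirectory modules, and the names domain1.com / domain2.com with DNS servers at 10.1.0.10 / 10.2.0.10, all of which are placeholders.

```powershell
# Added example (not from the thread). Run on a 2012 R2 DC in domain2 as a domain admin.
# Assumed placeholders: domain1.com (DNS at 10.1.0.10) and domain2.com (DNS at 10.2.0.10).
Import-Module DnsServer, ActiveDirectory

$otherDomain = 'domain1.com'   # assumed name of the other domain
$otherDns    = '10.1.0.10'     # assumed DNS server in that domain

# 1. Conditional forwarder: only queries for domain1.com go to domain1's DNS servers;
#    nothing is replicated. Store it in AD so every DC in domain2 picks it up.
if (-not (Get-DnsServerZone -Name $otherDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $otherDomain `
        -MasterServers $otherDns -ReplicationScope 'Forest'
}
# The equivalent on a 2003 DC (no DnsServer module) is:
#   dnscmd /ZoneAdd domain2.com /Forwarder 10.2.0.10

# 2. Verify name resolution. "Cannot find the domain" at trust-creation time is
#    normally the DC-locator SRV record failing, not the plain A record.
Resolve-DnsName -Name "dc.$otherDomain" -Type A
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$otherDomain" -Type SRV

# 3. A bare host name ("DC" instead of "DC.domain1.com") only resolves if the other
#    domain is in the client's suffix search list. Set it here or via Group Policy.
Set-DnsClientGlobalSetting -SuffixSearchList @('domain2.com', $otherDomain)

# 4. Trust traffic needs these ports open between the sites, so check them before
#    blaming the trust itself (Kerberos, LDAP, SMB, RPC endpoint mapper).
foreach ($port in 88, 389, 445, 135) {
    $ok = (Test-NetConnection -ComputerName "dc.$otherDomain" -Port $port).TcpTestSucceeded
    "{0,5} -> {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 5. Once both sides resolve each other, confirm the trust type/direction and that a
#    DC in the other domain can actually be located and the secure channel verified.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
nltest /dsgetdc:$otherDomain
netdom trust domain2.com /domain:$otherDomain /verify
```

If step 2 works but step 5 does not, it is usually the firewall ports from step 4 or the forwarder missing on the other side (it has to exist in both directions).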

I have set up Forward Lookup Zones and a Reverse Lookup Zone on both domains and it's still not completely working. Is this the same as a conditional forwarder? It's strange because I can ping the DNS name of domain2 from domain1 but can't the opposite way. From domain2 I can only ping the domain1 DC when I add the domain name to the end of the DC name. So it works with DC.domain1.com but not with just the DC name.

Thanks for the help
 
Just want to run some thing else by you guys as well.

So I am now connected to Domain2 while my PC is physically in the domain1 network. I would have thought that I would have got an IP from the Domain2 network range. Is this possible or not? Was expecting to get an IP from the new network range but probably not possible. Just wanted to check.
 
You need a gateway/router for the local network infrastructure. If you had a VPN type solution installed on the computers you would get an IP from domain 2 as well (as domain1). What you've got is better though, I'm guessing a direct connection or site to site VPN and routing to take care of access to resources from the opposite network.

Do you need a trust still or is DNS forward enough for now? A trust would allow you to grant access to a user in domain 1 to a resource in domain 2 and, if you create a two way trust, vice versa.
 

I have set up a two-way trust but it doesn't seem to be working 100% yet. Any user on domain2 cannot get internet access as they need security groups from Domain1 added. When I go to add a security group from domain1 to a domain2 user it won't find it. In the location section when you're adding a member it can see the second domain but can't see the contents within it.
 
Could be a firewall issue. You may also need to read up on 'AGDULP'

From the DC on Domain2 I can search for the Domain1 security groups but can't seem to add anyone to them. When I click into a group the Add button is greyed out! Must be some sort of security or permissions. Any ideas??
 
Have played around with the groups on Domain1 and can now see the ones I want on Domain2. So I add a group from Domain1 to a Domain2 user (on the Domain2 DC), and when I click apply I get an error saying I do not have the permissions to modify this group!!

If I go to Domain1, get the security group and add the Domain2 user to it, it doesn't seem to replicate to Domain2. It will save in Domain1 but doesn't show in Domain2.
 
Might seem a bit simple at first, but the simplest things can trip us all up at times ... so is your account in the domain admin group on Domain2 ?
 

This may be the issue, but I'm having more issues adding users across domains! So in Domain2 I have added a domain1 user to Domain2's Administrators account (Builtin local). When I go to add the same user to Domain2's 'Domain Admins' it won't let me search for users in domain1 now! I guess this is the issue with how the AD is structured, like the AGDULP which was mentioned before?

Seem to have more success searching between domains in Domain2, which is 2012 R2, than in Domain1, which is 2003. Domain1 throws up errors when searching for domain2 groups etc., but I think it's just the age of the machine.

Surely with an external two-way trust you can manage both domains from any DC provided the correct permissions are in place?
 