Domain Trust and DNS

Hello,
We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain. Nearly all works, we can share folder permissions etc., but what we can't do on their domain is add a PC on their network that is part of our domain.
The error is:
it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local, it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone we have a separate zone called _msdcs.gb.vo.local, like this:
DC1
----->Forward Lookup Zones
-------->_Msdcs.ukdomain.local
-------->ukdomain.local
I thought it should look like this:
DC1
----->Forward Lookup Zones
------->ukdomain.local
--------->_Msdcs
Thanks

If you are on their network, can you ping their domain?
If not, then you have a DNS, routing, or firewall issue.
Are ports being blocked? For DNS, add a conditional forwarder pointing to the DNS servers for the other domain, and do the same on the other side. This works better in 2008, as the forwarder is replicated to the forest.
Testing Domain Controller Connectivity Using PORTQRY

| Protocol and Port | AD and AD DS Usage | Type of traffic |
| --- | --- | --- |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 25 | Replication | SMTP |
| TCP 135 | Replication | RPC, EPM |
| TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| UDP 123 | Windows Time, Trusts | Windows Time |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP Dynamic | Group Policy | DCOM, RPC, EPM |
| UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
| TCP 9389 | AD DS Web Services | SOAP |
| UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but it is often present in many AD DS deployments.) | DHCP, MADCAP |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon |
If it answered your question, remember to “Mark as Answer”.
If you found this post helpful, please “Vote as Helpful”.
Postings are provided “AS IS” with no warranties, and confers no rights.
Active Directory: Ultimate Reading Collection
Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
Kelly Bush
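The join error in the question is a failed lookup of exactly one name, _ldap._tcp.dc._msdcs.&lt;domain&gt;, and the table above lists what must be reachable once that name resolves. The script below is an added example, not code from the thread or from Microsoft: it resolves that SRV record against the other side's DNS server and then probes the core TCP ports from the table on every DC the record returns. It assumes a Windows 8 / Server 2012 or newer host (Resolve-DnsName and Test-NetConnection); the domain name and DNS server address are placeholders.

```powershell
# Added example (not from the original thread): verify the DC locator SRV record that
# the join error complained about, then probe the AD ports from the table above on each
# DC it returns. Assumes Windows 8 / Server 2012 or newer (DnsClient, NetTCPIP modules).
param(
    [string]$TrustedDomain = 'ukdomain.local',   # placeholder: the other side's domain
    [string]$DnsServer     = '192.0.2.10'        # placeholder: the DNS server that should answer
)

# Core TCP ports from the table above. UDP-only traffic (137/138) and the dynamic RPC
# range cannot be verified with a plain TCP connect test, so they are not probed here.
$TcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos change/set password'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
}

function Get-DcSrvRecords {
    param([string]$Domain, [string]$Server)
    # This is the name a client looks up when joining: _ldap._tcp.dc._msdcs.<domain>.
    # It lives in the _msdcs zone, so a missing or undelegated _msdcs zone breaks joins
    # even when the plain domain zone resolves fine.
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "SRV lookup for $name on $Server failed: $($_.Exception.Message)"
        @()
    }
}

function Test-DcPorts {
    param([string]$DcHost, [hashtable]$Ports)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $DcHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $DcHost
            Port    = $port
            Service = $Ports[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

$srv = Get-DcSrvRecords -Domain $TrustedDomain -Server $DnsServer
if (-not $srv) {
    Write-Host "No SRV records for $TrustedDomain from $DnsServer."
    Write-Host "Check that _msdcs.$TrustedDomain is hosted or delegated there, or add a conditional forwarder, e.g.:"
    Write-Host "  Add-DnsServerConditionalForwarderZone -Name '$TrustedDomain' -MasterServers <dc-ip> -ReplicationScope Forest"
    return
}
$srv | Format-Table -AutoSize

# Report only the closed ports: anything listed here is a firewall or routing problem
# between this host and that DC.
$srv.NameTarget | Sort-Object -Unique |
    ForEach-Object { Test-DcPorts -DcHost $_ -Ports $TcpPorts } |
    Where-Object { -not $_.Open } |
    Format-Table -AutoSize
```

Run it from a machine on the other network, pointing at that network's DNS server; an empty SRV result reproduces the join error, while closed ports point at the firewall rules rather than DNS.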
It appears that you've copied and posted the chart, with some editing, from my blog, link posted below. No problem, as long as it helps the poster. :-)
Active Directory Firewall Ports – Let’s Try To Make This Simple
http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
Also, I would like to add that for firewall checks you should make sure the ephemeral ports are open. These are the important random response ports. The ports depend on the operating system version.
Here's the matrix:
Ephemeral Ports:
And most of all, the ephemeral ports, also known as the "service response ports," are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the 'client' may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what 'ephemeral' means.

| Protocol and Port | Operating System | Type of traffic |
| --- | --- | --- |
| TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports |
| TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports |

| Protocol and Port | AD and AD DS Usage | Type of traffic |
| --- | --- | --- |
| TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM |

If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:

| Protocol and Port | Usage | Type of traffic |
| --- | --- | --- |
| TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB |
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Similar Messages

  • What difference between a domain trust and a forest trust?

    What difference between a domain trust and a forest trust?

    Greetings!
    The answer is right on the question! :)
    I think it is best to distinguish properly between forest and domain. This article is a good one:
    What Are Domains and Forests?
    But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can be one-way or two-way depending on your needs.
    Domain trusts are between a single instance (domain) of a forest and another instance (domain) of another forest. It is worth mentioning that the trust can be transitive as well.
    What Are Domain and Forest Trusts?
    I hope you got the answer.
    Regards.
    Mahdi Tehrani
    www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Server 2012 std not able to see Domain, DC and DNS on Win SBS 2008 std Domain

    Hi There
    I have a HP ML 110 G5 SBS 2008 std server as my DC on my network. I recently added a HP Microserver running Server 2012 std (with no roles or features installed) to act solely as a file server for a 3rd party program, as the program was not running efficiently on the main server.
    The problem I am having now is that the 2012 server keeps falling off the domain and cannot contact the DNS server. I have also had to re-enable remote desktop several times. It also shows the 2012 Server as being on a private firewall profile and not on the domain firewall profile, but I suspect that this is part of the same problem.
    The resulting problem that this is causing is that the local machines that need to contact an SQL database on the 2012 fileserver intermittently either time out or are very slow to connect.
    So far I have tried:
    Switching from Static IP to DHCP.
    Re-adding the server to the domain.
    Stopping and restarting DNS services on the DC.
    Checking physical network connections and routing.
    Putting the 2012 server into the same Organizational Unit as the 2008 DC.
    Has anyone else encountered this problem when adding a 2012 server to a 2008 domain? I have a feeling that the solution is probably something simple that I've overlooked, but I can't think what. Any help would be greatly appreciated.
    Regards
    Russ
    Also, as some additional info -
    Event viewer gives the following errors:
    Group Policy Error:
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2015-04-27 01:17:51 PM
    Event ID:      1129
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      [SERVERNAME].[DOMAIN].local
    Description:
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has
    successfully processed. If you do not see a success message for several hours, then contact your administrator.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1129</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-27T11:17:51.111942100Z" />
    <EventRecordID>19056</EventRecordID>
    <Correlation ActivityID="{C0CBAF2B-1E93-49C0-B910-069AE43F74B2}" />
    <Execution ProcessID="732" ThreadID="1336" />
    <Channel>System</Channel>
    <Computer>[SERVERNAME].[DOMAIN].local</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">1548</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">0</Data>
    <Data Name="ErrorCode">1222</Data>
    <Data Name="ErrorDescription">The network is not present or not started. </Data>
    </EventData>
    </Event>
    DNS Error:
    Log Name:      System
    Source:        Microsoft-Windows-DNS-Client
    Date:          2015-04-27 04:54:58 PM
    Event ID:      8015
    Task Category: (1028)
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      [SERVERNAME].[DOMAIN].local
    Description:
    The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings:
               Adapter Name : {3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}
               Host Name : [SERVERNAME]
               Primary Domain Suffix : [DOMAIN].local
               DNS server list :
    192.168.2.10
               Sent update to server : <?>
               IP Address(es) :
                 192.168.2.15
    The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running
    at this time. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
    <EventID>8015</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>1028</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-27T14:54:58.599130300Z" />
    <EventRecordID>19105</EventRecordID>
    <Correlation />
    <Execution ProcessID="856" ThreadID="952" />
    <Channel>System</Channel>
    <Computer>[SERVERNAME].[DOMAIN].local</Computer>
    <Security UserID="S-1-5-20" />
    </System>
    <EventData>
    <Data Name="AdapterName">{3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}</Data>
    <Data Name="HostName">[SERVERNAME]</Data>
    <Data Name="AdapterSuffixName">[DOMAIN].local</Data>
    <Data Name="DnsServerList"> 192.168.2.10</Data>
    <Data Name="Sent UpdateServer">&lt;?&gt;</Data>
    <Data Name="Ipaddress">192.168.2.15</Data>
    <Data Name="ErrorCode">1460</Data>
    </EventData>
    </Event>

    Can you post an ipconfig /all from the server and the DC?
    Robert Pearman SBS MVP
    itauthority.co.uk

  • Multiple additional SIP domains - certificate and DNS requirements

    We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
    This is working successfully internally, externally and through Lync Mobile.
    However, we've only enabled users who are using the main company domain for SMTP and SIP addresses, aaaaa_group.com (so all nice and easy so far!)
    In other words, user A has a primary SMTP and SIP address of
    UserA@aaaaa_group.com
    However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses, e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc. etc.
    There must be in excess of 40 to 50 of these other domains in use as primary SMTP addresses. (Nearly all these users have secondary SMTP addresses of aaaaa_group.com).
    I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address, and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
    I know from reading that wildcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility, as the phone Lync clients don't accept them.
    Wildcard certificates aside, what are the names that I will need to add to my SAN certificates? Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
    The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull. However, I still need to report back with a cost of doing this, no matter what it is.
    Any thoughts/comments would be very welcome. :-)

    Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards,
    but do plenty of research on how to approach this.  Here are some articles to get started:
    http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
    http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
    That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
    For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
    sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
    The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal FQDNs, and the Reverse Proxy certificate will require the lyncdiscover FQDNs.
    For Exchange Server you'll need an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry. The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary SIP domain only, as these FQDNs will be passed in-band to the clients after they have successfully signed in to Lync. Unless you need users to all use their own domain names for the SimpleURLs (which it does not sound like in your scenario), then you'd have to add all those as well.
    So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work. And even if you do have some of those devices you could simply add the 40-50 sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURLs, etc. Just make sure that the certificate's Common Name (e.g. Subject Name) is NOT the wildcard entry; use the primary domain name entry in the CN and then place the wildcard entries in the SAN field. It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
    For example:
    Edge Server external certificate
    Common Name: sip.domain1.com
    Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com,
    etc...
    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
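    The rules in the answer above (a sip.&lt;domain&gt; SAN per domain, lyncdiscover names on the Front End and Reverse Proxy, a non-wildcard CN that is repeated in the SAN, and no wildcard coverage at all for Lync Phone Edition) are mechanical enough to check against an issued certificate. The script below is an added example, not part of the post or of any Lync tooling: it builds the required name list for a role and checks each name against a certificate's SAN list, treating a wildcard as matching exactly one label. Domain names and the thumbprint are placeholders.

```powershell
# Added example (not from the original post): derive the SAN names the answer above
# calls for and check whether a certificate in the local machine store covers them.
param(
    [string[]]$SipDomains = @('domain1.com', 'domain2.com', 'domain3.com'),  # placeholders
    [string]$Thumbprint   = 'PLACEHOLDER_THUMBPRINT',                         # placeholder
    [ValidateSet('Edge', 'FrontEnd', 'ReverseProxy')][string]$Role = 'Edge',
    [switch]$LyncPhoneEdition   # handsets reject wildcards, so require explicit names
)

function Get-RequiredSanNames {
    param([string[]]$Domains, [string]$Role)
    # Per the answer: 'sip' for every domain on Edge and Front End; lyncdiscover and
    # lyncdiscoverinternal on Front End; lyncdiscover on the Reverse Proxy.
    $names = foreach ($d in $Domains) {
        switch ($Role) {
            'Edge'         { "sip.$d" }
            'FrontEnd'     { "sip.$d"; "lyncdiscover.$d"; "lyncdiscoverinternal.$d" }
            'ReverseProxy' { "lyncdiscover.$d" }
        }
    }
    $names | Sort-Object -Unique
}

function Test-NameCoveredBySan {
    param([string]$Name, [string[]]$San, [bool]$AllowWildcard)
    if ($San -contains $Name) { return $true }
    if (-not $AllowWildcard) { return $false }
    # A wildcard covers exactly one label: *.domain1.com matches sip.domain1.com
    # but not a.sip.domain1.com, and never the bare domain1.com.
    $dot = $Name.IndexOf('.')
    if ($dot -lt 0) { return $false }
    return ($San -contains ('*.' + $Name.Substring($dot + 1)))
}

function Test-LyncCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Domains, [string]$Role, [bool]$AllowWildcard
    )
    # DnsNameList is the SAN dNSName list the Cert: provider exposes on X509Certificate2.
    $san = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $cn  = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
            Select-Object -First 1) -replace '^CN=', ''
    # The two Subject rules from the answer: CN is not a wildcard, and CN is repeated in the SAN.
    [pscustomobject]@{ Check = 'CN is not a wildcard'; Ok = -not $cn.StartsWith('*') }
    [pscustomobject]@{ Check = 'CN duplicated in SAN'; Ok = ($san -contains $cn) }
    foreach ($n in (Get-RequiredSanNames -Domains $Domains -Role $Role)) {
        [pscustomobject]@{
            Check = "$Role needs $n"
            Ok    = Test-NameCoveredBySan -Name $n -San $san -AllowWildcard $AllowWildcard
        }
    }
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
Test-LyncCertificate -Cert $cert -Domains $SipDomains -Role $Role `
    -AllowWildcard (-not $LyncPhoneEdition) | Format-Table -AutoSize
```

    Run with -LyncPhoneEdition to see which names would still need explicit SAN entries once handsets are in scope.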

  • Change domain trust for Forest trust

    Hi
    I have a forest A with 3 domains (1 (root), 2, 3) and I have a forest B with 2 domains (4 (root), 5).
    Presently, I have a domain trust between domain 2 and 5.
    I need to change to a forest trust? What is the best practice?
    1- Remove the domain trust and create a forest trust?
    2- Create a forest trust (wait a few days) and remove the domain trust?
    3- Create a forest trust and remove the domain trust immediately?
    Do you have a link to explain that?
    Thanks

    Hi,
    Which kind of domain trust have you created? Which kind of forest trust do you want to create?
    A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
    Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
    In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
    In addition, please make sure that the forest functional level is Windows Server 2003 or higher before you create a forest trust.
    Best regards,
    Susie

  • Deleted failed DC from the domain (Server 2012 R2) - Now after doing metadata and DNS cleanup, I can no longer promote a new DC to the domain

    I work for a university and teach IT courses to undergrad and graduate students. The details below pertain to an isolated lab environment.
    I had a storage failure in my lab and the DCs became corrupt. This is a university lab environment so there isn't anything crucial on here. I just would rather avoid rebuilding the domain/forest and would rather use this as a learning experience with my students...
    So after the storage failed and was restored, the VMs hosted became corrupt. I did an NTDSUTIL to basically repair the NTDS.dit file, but one of my DCs reverted to a state before DC promotion. Naturally, the domain still had this object in AD. After numerous failed attempts at trying to reinstall the DC on the server through the server manager wizard in 2012 R2, I decided that a metadata cleanup of the old failed object was necessary.
    Utilizing this article, I removed all references of the failed DC from both AD and DNS (http://www.petri.com/delete_failed_dcs_from_ad.htm)
    So now that the failed object is removed completely from the domain and the metadata cleanup was successful, I then proceeded to re-install the necessary AD DS role on the server and re-promote to the existing domain. Pre-requisites pass but generate some warnings around DNS Delegation and Dynamic Updates (delegation is ignored because the lab is isolated from external comms, and dynamic updates are in fact enabled on both my _msdcs and root domain zones).
    Upon the promotion process, I get the following error message (also worth mentioning: the account performing these operations is a member of DA, EA, and Schema Admins)
    The operation failed because:
    Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=domainVMDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu on the remote AD DC domainVMDC2. Ensure the provided network credentials have sufficient permissions.
    "While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync."
    As you can see, this error seems odd considering. Now that I'm down to a single DC and DNS server, the sync should be corrected. I've run a repadmin /syncall and it completed successfully. Since then, I've run dcdiags and dumped those to a text as well, and here are my results...
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = domainVMDC2
       * Identified AD Forest. 
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Connectivity
             ......................... domainVMDC2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Advertising
             ......................... domainVMDC2 passed test Advertising
          Starting test: FrsEvent
             ......................... domainVMDC2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... domainVMDC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... domainVMDC2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... domainVMDC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... domainVMDC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... domainVMDC2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... domainVMDC2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... domainVMDC2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... domainVMDC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... domainVMDC2 passed test Replications
          Starting test: RidManager
             ......................... domainVMDC2 passed test RidManager
          Starting test: Services
             ......................... domainVMDC2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00001795
                Time Generated: 12/18/2014   00:35:03
                Event String:
                The program lsass.exe, with the assigned process ID 476, could not authenticate locally by using the target name ldap/domainvmdc2.domain.school.edu. The target name used is not valid. A target name should
    refer to one of the local computer names, for example, the DNS host name.
             ......................... domainVMDC2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... domainVMDC2 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
                For the partition
                (DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... ForestDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... ForestDnsZones failed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
                For the partition
                (DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... DomainDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... DomainDnsZones failed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (CN=Schema,CN=Configuration,DC=domain,DC=school,DC=edu) we
                encountered the following error retrieving the cross-ref's
                (CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... Schema failed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (CN=Configuration,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... Configuration failed test CrossRefValidation
       Running partition tests on : domain
          Starting test: CheckSDRefDom
             ......................... domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=domain,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... domain failed test CrossRefValidation
       Running enterprise tests on : domain.school.edu
          Starting test: LocatorCheck
             ......................... domain.school.edu passed test
             LocatorCheck
          Starting test: Intersite
             ......................... domain.school.edu passed test Intersite
    From what I can gather, there is a definite DNS issue but I don't have any stale records to the old DC stored anywhere. I've tried this with a new server as well and get similar errors... 
    At this rate I'm ready to rebuild the entire forest over again. I'm just reluctant to do so as I want to make this a learning experience for the students. 
    Any help would be greatly appreciated. Thanks!

    As you can see, there seem to be some errors. The one that I did correct was the one around the _msdcs NS record being unable to resolve. For whatever reason, the name wasn't resolving to the IP, but all other NS tabs and records were. Just that one _msdcs sub-zone. Furthermore, the mentioning of any connections to root hint servers can be viewed as false positives. There are no external comms to this lab, so no communication with outside IPs can be expected. Lastly, they mention a connectivity issue yet mention that I should check the firewall settings. All three profiles are disabled in Windows Firewall (as they have been the entire time). Thank you in advance for your help!
    C:\Windows\system32>dcdiag /test:dns /v
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine domainVMDC2, is a Directory Server.
       Home Server = domainVMDC2
       * Connecting to directory service on server domainVMDC2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=domainVMDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             The host
             3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
             could not be resolved to an IP address. Check the DNS server, DHCP,
             server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... domainVMDC2 failed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... domainVMDC2 passed test DNS
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : domain
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : domain.school.edu
          Starting test: DNS
             Test results for domain controllers:
                DC: domainVMDC2
                Domain: domain.school.edu
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      The OS
                      Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] vmxnet3 Ethernet Adapter:
                         MAC address is 00:50:56:A2:2C:24
                         IP Address is static
                         IP address: *.*.100.26
                         DNS servers:
                            *.*.100.26 (domainVMDC2) [Valid]
                      No host records (A or AAAA) were found for this DC
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders are not configured on this DNS server
                      Root hint Information:
                         Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
                         Name: b.root-servers.net. IP: 192.228.79.201 [Invalid (unreachable)]
                         Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
                         Name: d.root-servers.net. IP: 199.7.91.13 [Invalid (unreachable)]
                         Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
                         Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
                         Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
                         Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                         Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
                         Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                         Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
                         Name: l.root-servers.net. IP: 199.7.83.42 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
                      Error: Both root hints and forwarders are not configured or
                      broken. Please make sure at least one of them works.
                   TEST: Delegations (Del)
                      Delegation information for the zone: domain.school.edu.
                         Delegated domain name: _msdcs.domain.school.edu.
                            Error: DNS server: domainvmdc2. IP:<Unavailable>
                            [Missing glue A record]
                            [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone domain.school.edu
                      Warning: Failed to delete the test record dcdiag-test-record in zone domain.school.edu
                      [Error details: 13 (Type: Win32 - Description: The data is invalid.)]
                   TEST: Records registration (RReg)
                      Network Adapter [00000010] vmxnet3 Ethernet Adapter:
                         Matching CNAME record found at DNS server *.*.100.26:
                         3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.a9241004-88ea-422d-a71e-df7b622f0d68.domains._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._udp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kpasswd._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.gc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _gc._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.pdc._msdcs.domain.school.edu
                   Error: Record registrations cannot be found for all the network
                   adapters
             Summary of test results for DNS servers used by the above domain
             controllers:
                 DNS server: 128.63.2.53 (h.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.112.36.4 (g.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.203.230.10 (e.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.228.79.201 (b.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.33.4.12 (c.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.36.148.17 (i.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.5.5.241 (f.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.58.128.30 (j.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 193.0.14.129 (k.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 198.41.0.4 (a.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 199.7.83.42 (l.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 199.7.91.13 (d.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 202.12.27.33 (m.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: *.*.100.26 (domainVMDC2)
                   All tests passed on this DNS server
                    Name resolution is functional.
                    _ldap._tcp SRV record for the forest root domain is registered
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: domain.school.edu
                   domainVMDC2                 PASS FAIL FAIL FAIL WARN FAIL n/a
             ......................... domain.school.edu failed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite
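The dcdiag run above fails Basc, Del, Forw and RReg for connected reasons: the DC has no A/AAAA record, so the _msdcs delegation that names it has no glue and the DSA-GUID CNAME cannot be chased to an address, and recursion has neither forwarders nor reachable root hints. The PowerShell below is an added example, not part of the original post, and re-runs those same checks on a DC that hosts its own zones (as this one does) using the DnsClient and DnsServer modules (Resolve-DnsName, Get-DnsServerResourceRecord, Get-DnsServerForwarder, Get-DnsServerRootHint). The domain name and DC name are taken from the output; the function name and the shape of the root-hint objects are assumptions.

```powershell
# Added example (not the original poster's code): reproduce the four failing
# dcdiag DNS checks on a DC that also runs the DNS Server role.
function Test-DcDns {
    param(
        [string]$Domain    = 'domain.school.edu',   # from the dcdiag output
        [string]$DcName    = 'domainVMDC2',         # from the dcdiag output
        [string]$DnsServer = 'localhost'            # assumption: query the DC's own DNS
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $fqdn = "$DcName.$Domain"

    # Resolve one record type against $DnsServer only; $null on NXDOMAIN instead of an exception.
    function Get-Rec([string]$Name, [string]$Type) {
        try {
            Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $Type }
        } catch { $null }
    }

    # Basc: "No host records (A or AAAA) were found for this DC"
    if (-not ((Get-Rec $fqdn 'A') -or (Get-Rec $fqdn 'AAAA'))) {
        $findings.Add("Basc: no A/AAAA record for $fqdn")
    }

    # Del: the parent zone delegates _msdcs with NS records; every NS host needs a glue A record.
    $nsRecs = Get-DnsServerResourceRecord -ZoneName $Domain -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
    foreach ($ns in $nsRecs) {
        $target = $ns.RecordData.NameServer.TrimEnd('.')
        if (-not (Get-Rec $target 'A')) { $findings.Add("Del: NS $target for _msdcs.$Domain has no glue A record") }
    }

    # RReg: the locator SRV and the DSA-GUID CNAME must both chase down to an address.
    $srv = Get-Rec "_ldap._tcp.dc._msdcs.$Domain" 'SRV'
    if (-not $srv) { $findings.Add("RReg: _ldap._tcp.dc._msdcs.$Domain has no SRV record") }
    foreach ($s in $srv) {
        if (-not (Get-Rec $s.NameTarget 'A')) { $findings.Add("RReg: SRV target $($s.NameTarget) does not resolve") }
    }
    $cnames = Get-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -RRType CName -ErrorAction SilentlyContinue
    foreach ($c in $cnames) {
        $alias = $c.RecordData.HostNameAlias.TrimEnd('.')
        if (-not (Get-Rec $alias 'A')) { $findings.Add("RReg: CNAME $($c.HostName) -> $alias does not resolve") }
    }

    # Forw: at least one forwarder, or failing that one root hint, has to answer a query.
    $upstream = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    if (-not $upstream) {
        # No forwarders, so recursion depends on root hints and on outbound UDP/TCP 53 being allowed.
        # Assumption: root-hint objects expose their A records under .IPAddress.RecordData.IPv4Address.
        $upstream = @((Get-DnsServerRootHint).IPAddress.RecordData.IPv4Address |
                      Where-Object { $_ } | ForEach-Object { $_.IPAddressToString })
    }
    $reachable = @($upstream | Where-Object {
        try { [void](Resolve-DnsName -Name '.' -Type NS -Server $_ -DnsOnly -ErrorAction Stop); $true } catch { $false }
    })
    if (-not $reachable) { $findings.Add("Forw: none of $($upstream.Count) forwarder/root-hint addresses answered") }

    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Test-DcDns
```

Fix the Basc finding first: give the DC a static A record (or let it register one with `ipconfig /registerdns`) and then force the locator records with `nltest /dsregdns`; the Del and RReg findings clear on their own once the host record exists. The Forw finding is separate: either add forwarders that the DC can actually reach, or open outbound port 53 so the root hints work, otherwise any name outside the AD zones (including a trust partner's domain) will never resolve from this server.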

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Is there any issues with forest trusts with Cisco ISE ?
    I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
    They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
    I can search and get lists of AD groups ok for the remote domain. 
    Using the attribute tab, I can't get attributes for users in the remote domain.  I'm thinking since I can't see the memberof attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
    Cheers
    Peter. 

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on page no. 170.

  • Pros and cons in setting AD domain trust into my AD domain for more than 10+ AD domain and some with same FQDN or label ?

    Hi,
    Can someone please share what is the pros and Cons of trusting AD domain for more than 10 different AD sites into my existing single domain forest let say ParentCompany.com ?
    At the moment I only have one single forest AD domain with the Domain and Forest functionality Windows Server 2003. The main domain controller FSMO role holder is in the Data Center spread across three different VMs running on Windows Server 2008 R2.
    The main/parent company has acquired smaller business chain of 15+ offices in which they have their own Domain Controller and also their own domain, sometimes they also got the same AD domain between them (no trust or whatsoever in those 15+ AD domain).
    Sounds crazy but yes, there is no standardization in them or whoever manage their IT infrastructure previously.
    I'm now considering what are the benefits of creating the AD domain and trust versus importing those AD objects into my domain and then decommission them.
    No need to worry about Exchange Server since all of the user in those sites connecting to the RDS to my ParentCompany.com terminal servers.
    My requirements or goal are as follows:
    1. Simplify the AD domain structure & maintenance
    2. Try to avoid disruptions for the users in terms of downtime and selecting multiple different domains every time they log in to their PC or SharePoint sites.
    any kind of help and suggestion would be greatly appreciated.
    Thanks.
    /* Server Support Specialist */

    > Can someone please share what is the pros and Cons of trusting AD domain for more than 10 different AD sites into my existing single domain forest let say ParentCompany.com ?
    I think you mean 10 AD domains.
    Managing multiple domains can be difficult for administration. I usually recommend using a single domain in a single forest with OUs to separate resources whenever it is possible.
    However, if you can't do that then you can simply create trust relationships between your domains. The advantage is that you can enable access to resources to different domains. I do not see cons here.
    > The main/parent company has acquired smaller business chain of 15+ offices in which they have their own Domain Controller and also their own domain, sometimes they also got the same AD domain between them (no trust or whatsoever in those 15+ AD domain). Sounds crazy but yes, there is no standardization in them or whoever manage their IT infrastructure previously.
    > I'm now considering what are the benefits of creating the AD domain and trust versus importing those AD objects into my domain and then decommission them.
    I would recommend consolidating your domains into a single one. ADMT is a migration tool that you can use. The advantage would be the ease of administration. Also, by having multiple DCs for the same domain across sites, you will take benefit of High Availability and DRP.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2 and 2 other Domain External and Forest Trusts

    Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2 with all DC's at 2008R2, with 2 other separate 2003 Domains having incoming and outgoing Trusts, one Trust that is a Forest Trust and the other an External Trust? Is there any chance or risk that doing this upgrade will break either one of these Trust relationships? Some of the user accounts with SID history have been migrated from both trusted Domains to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old Domains? If so, what can be done to protect these trusts and SID history prior to moving the Domain to 2008R2?

    Hi,
    Based on my knowledge, the upgrade of the functional level does not affect the trust relationship.
    Besides, before you upgrade the Functional Level, verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
    Once the Functional Level has been upgraded, new DCs running on downlevel versions of Windows Server cannot be added to the domain or forest.
    For more information about functional levels, we can refer to the following links:
    Understanding Active Directory Domain Services (AD DS) Functional Levels
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Erin
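The reply above gives the two things to verify (every DC already at the target OS; trusts unaffected by the level change) but not how to verify them, and the question is specifically about SID history surviving the change. The PowerShell below is an added example, not Erin's or the poster's code: it gates the raise on DC OS versions, snapshots every trust including the SID-filtering settings that decide whether SID history from a trusted domain is honoured, verifies each trust's secure channel, and then diffs the snapshot after the raise. It needs the ActiveDirectory module on a DC; the function names and the snapshot path are assumptions.

```powershell
# Added example (not from the original thread): pre-flight for raising the
# domain/forest functional level, plus a post-change diff of the trusts.
function Test-FunctionalLevelReadiness {
    param(
        [version]$MinimumOsVersion = '6.1',                        # 6.1 = Windows Server 2008 R2
        [string]$SnapshotPath      = "$env:TEMP\trusts-before.xml" # assumption
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Every DC in every domain of the forest must already run the target OS or newer;
    #    after the raise, DCs on older versions can no longer be promoted into the forest.
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])   # "6.1 (7601)" -> 6.1
            if ($ver -lt $MinimumOsVersion) {
                $problems.Add("$($dc.HostName): $($dc.OperatingSystem) ($ver) is below $MinimumOsVersion")
            }
        }
    }

    # 2. Snapshot the trusts. SIDFilteringQuarantined / SIDFilteringForestAware are the
    #    settings that strip or keep SID history across each trust, so the diff afterwards
    #    shows whether the raise touched them (it should not).
    $props = 'Name', 'Direction', 'TrustType', 'ForestTransitive', 'IntraForest',
             'SIDFilteringQuarantined', 'SIDFilteringForestAware', 'SelectiveAuthentication'
    $trusts = Get-ADTrust -Filter * | Select-Object -Property $props
    $trusts | Export-Clixml -Path $SnapshotPath

    # 3. Each trust's secure channel must verify now, so a later failure is attributable.
    foreach ($t in $trusts) {
        nltest "/sc_verify:$($t.Name)" | Out-Null
        if ($LASTEXITCODE -ne 0) { $problems.Add("secure channel to $($t.Name) failed verification") }
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = @($problems); Trusts = $trusts }
}

# Run after Set-ADDomainMode / Set-ADForestMode: any row returned is a trust property that changed.
function Compare-TrustSnapshot {
    param([string]$SnapshotPath = "$env:TEMP\trusts-before.xml")
    $props  = 'Name', 'Direction', 'TrustType', 'ForestTransitive', 'IntraForest',
              'SIDFilteringQuarantined', 'SIDFilteringForestAware', 'SelectiveAuthentication'
    $before = Import-Clixml -Path $SnapshotPath
    $after  = Get-ADTrust -Filter * | Select-Object -Property $props
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $props
}

Test-FunctionalLevelReadiness | Format-List
```

Run the readiness check from the domain being raised and only proceed when `Ready` is true; keep the snapshot, and if file access through SID history breaks afterwards, `Compare-TrustSnapshot` tells you immediately whether a trust property changed or whether the cause is elsewhere (the trusted domain's own DNS or secure channel, for instance).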

  • Domain trust bet. win2003 and win2008R2 not working

    Hi, I try to create a Domain trust but it does not trust. I think I am missing something about DNS; I have read several documents but they describe different cases.
    I would like a good step-by-step guide of the DNS setup for domain A trusting domain B.
    Question: Before running the trust wizard, should nslookup see domain B from the domain A domain controller?

    Hi,
    Below are some links to help you with this, depending on the trust type you want to establish.
    http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/
    DNS resolution for certain trust types:
    http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc756852(v=ws.10).aspx
    Hope this helps.
    Regards,
    Calin

  • Domain name with DNS and VPN query

    When inside our VPN network, computers don't recognise the domain name and have to use the direct IP address of the server to access services. Is that normal? Outside the domain works fine. In my Zone settings the machine IP address is the actual server IP. Should it be resolving to the VPN router's IP?

    Please explain your setup a bit further.
    What machine/router (gw) is doing VPN and what machine is doing DNS?
    If the LAN is using private IPs, VPN clients and LAN clients should be using only the same private IP DNS. Public IP DNS doesn't know about your private IP network.

  • Exchange Autodiscover in a domain trust environment

    I am preparing an Exchange and AD migration / merge between two AD Domains and Exchange Orgs due to a recent merger / acquisition of another company. I am in the middle of an Exchange 2007 to Exchange 2013 migration which may complicate things:
    Let me give you some background:
    Domain A - "My Company" - Where all the mailboxes and AD accounts will eventually reside. We are mostly Exchange 2007 SP3 UR13, but we have Exchange 2013 SP1 set up, and are migrating accounts to 2013 as we speak. Domain is 2003 Native Mode.
    Domain B - "The other company" - Where all the "other" mailboxes and AD accounts currently are. They are Exchange 2010 SP3 UR5. Domain is 2003 Native Mode.
    I currently have a two-way transitive trust set up between Domain A and Domain B. The trust is working, users from either domain can log onto PC's on the other domain without issue. DNS resolution is fully functional between domains. Mapped drives happen, group policy runs, everything is good, except Outlook.
    However, when users from either domain try to log into Exchange from a PC on the opposite domain, they get an error which says "The connection to Microsoft Exchange is Unavailable. Outlook must be online or connected to complete this action". It
    appears autodiscover is not allowing connection to the other domain. I can resolve autodiscover.DomainA.com from a DomainB.com computer, and vice versa.
    So question is, do I have to do something  inside of Autodiscover for it to resolve or forward autodiscover requests from one domain to another? I would say I am fairly competent at Exchange, but this is something I am unfamiliar with.

    Ok, that worked fine. I had to deploy the root CERT for domain B through Group Policy and everything is working.
    Only one further question, not really related to above, but sort of. As I explained, "Domain B" is a company we acquired and have maintained for the past 6 months. Their Domain and Exchange was a mess, but we fixed pretty much all their issues. Some of the stuff, I have no idea how it was even working. When we first took them over, they were still on Exchange 2010 RTM with no Update rollups, their certificates had expired, an Exchange 2003 server was still in the mix, hosting public folders and acting as the outbound mail relay. An absolute mess. We brought them up to SP3 and the current update rollup, properly removed Exchange 2003, migrated public folders. Two of their 4 DC's were in Journal Wrap, probably for months. But everything is fully working and patched.
    One oddity that I have observed, but have been hesitant to mess with is a DNS issue. They have no autodiscover A record in DNS. What they have instead is what looks like a zone inside their primary forward zone. It's not a record, the icon looks like a folder with a piece of paper on it. A different color than the other zones, kind of a pale tan. Anyway inside this "autodiscover" zone is a single NS record (not an A record, an NS record), pointing to one of the DC's.
    What I had planned to do is just delete whatever this is, and create an A record pointing to the primary CAS Array's VIP IP. But thought I would ask before I did this.
    I have no idea some of the half baked stuff that went on in this environment before I took over... but what is weird is everything is working, at least from within their domain

  • Domain Trust over t3s

    I am able to propagate the weblogic security context from one domain to another over t3 but when I switch to an ssl connection (t3s) I no longer am able to propagate the original user. I do have the domain credential setup to allow for domain trust. Does anyone know if this is possible?
    For example, I have a web app in domain 1 calling a remote ejb in domain 2. When a user logs into the web app in domain 1 which then calls a remote ejb over t3 the security context of domain 1 is propagated into the ejb in domain 2. When I use a server certificate to connect b/w domain 1 and domain 2 over t3s I no longer receive the end user in domain 2. Does anyone know if this is possible?
    Thanks!

    Hi,
    >it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
    Would you please tell us what the DNS settings of the PC are? Is there an AD Integrated DNS zone in the ukdomain?
    I suggest you check the SRV Records. You can try to restart the netlogon service to re-register SRV records. More specifically, in the command prompt, type net stop netlogon to stop the netlogon service, then type net start netlogon to start it again.
    >However in DNS we can see their _msdcs folder but they can't see ours.
    I suggest you set up a zone transfer to transfer the DNS zone to their domain.
    For more information about DNS zone transfer, please refer to the following link:
    Modify DNS zone transfer settings
    http://technet.microsoft.com/en-us/library/cc782181(v=WS.10).aspx
    Best Regards,
    Erin

  • Need some clarification on Domain Trust Configuration

    Did you configure Forwarders  or  Conditional Forwarders?  They are quite different things.
    Conditional Forwarders live in the main DNS window, underneath forward and reverse lookup zones.  These are what you want to play with.
    A forwarder is a DNS server that will answer all your external DNS queries. Usually Google, OpenDNS or your ISP DNS servers.

    I have two domains, let's call them DomainA.com and DomainB.com. The two domains reside in different Forests, so I'm trying to create a Forest Trust between the two forests. DomainB.com is a new domain and I'd like DomainB.com to be able to access the resources from DomainA.com as well. However, each domain is in a different IP range. Currently DomainA.com is in the 192.168.0.0 range, and DomainB.com is in the 10.50.0.0 range. Eventually, DomainA.com will be 10.10.0.0. I read that you have to make sure that you can resolve each domain from DNS before you can create the trust between the forests. How exactly can I do this? I think I got the rest of it ironed out, I am just confused on how I can make it possible that from DomainB.com I can resolve DomainA.com and from DomainA.com I can resolve DomainB.com. Both forests are on the same physical...
    This topic first appeared in the Spiceworks Community
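Two threads above ask the same thing from different ends: whether nslookup should see domain B from domain A's DC before the trust wizard is run, and how to make DomainA.com and DomainB.com resolve each other when they live on different IP ranges. The reply about conditional forwarders is the usual answer, and the wizard does need the partner's DC locator records to resolve first. The PowerShell below is an added example, not the code of any poster in these threads: it creates the conditional forwarder on a DNS server in DomainA.com (forest-replicated, so every DNS server in that forest learns it) and then resolves exactly the records the wizard and the DC locator will ask for. Run the mirror image on DomainB.com. The 10.50.0.x addresses and the function names are assumptions.

```powershell
# Added example (not from the original threads): conditional forwarder for the
# trust partner's namespace, then a check of the records the trust needs.
function Add-TrustPartnerForwarder {
    param(
        [Parameter(Mandatory)][string]$PartnerDomain,        # namespace to forward, e.g. DomainB.com
        [Parameter(Mandatory)][string[]]$PartnerDnsServers   # that domain's own DNS servers, never a public resolver
    )
    # A conditional forwarder sends only queries for $PartnerDomain to those servers;
    # a plain forwarder (Set-DnsServerForwarder) would send every unresolved query there.
    if (Get-DnsServerZone -Name $PartnerDomain -ErrorAction SilentlyContinue) {
        return "A zone or forwarder for $PartnerDomain already exists; leaving it alone"
    }
    Add-DnsServerConditionalForwarderZone -Name $PartnerDomain -MasterServers $PartnerDnsServers -ReplicationScope Forest
    return "Conditional forwarder for $PartnerDomain -> $($PartnerDnsServers -join ', ') created (forest-replicated)"
}

function Test-TrustPartnerDns {
    param([Parameter(Mandatory)][string]$PartnerDomain)
    # The names the trust wizard and the DC locator look up on the other side.
    $checks = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$PartnerDomain";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$PartnerDomain"; Type = 'SRV' }
        @{ Name = $PartnerDomain;                             Type = 'A'   }   # bare domain name -> DC addresses
    )
    $rows = @(foreach ($c in $checks) {
        try {
            $ans = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $c.Type }
            $text = if ($c.Type -eq 'SRV') { $ans | ForEach-Object { "$($_.NameTarget):$($_.Port)" } }
                    else                   { $ans | ForEach-Object { $_.IPAddress } }
            [pscustomobject]@{ Name = $c.Name; Type = $c.Type; Ok = [bool]$ans; Answer = ($text -join ', ') }
        } catch {
            [pscustomobject]@{ Name = $c.Name; Type = $c.Type; Ok = $false; Answer = $_.Exception.Message }
        }
    })
    # DsGetDcName is the real consumer of those records; run it the way the wizard will.
    nltest "/dsgetdc:$PartnerDomain" /force | Out-Null
    $rows += [pscustomobject]@{
        Name = "DsGetDcName($PartnerDomain)"; Type = 'nltest'; Ok = ($LASTEXITCODE -eq 0); Answer = "exit code $LASTEXITCODE"
    }
    return $rows
}

Add-TrustPartnerForwarder -PartnerDomain 'DomainB.com' -PartnerDnsServers '10.50.0.10', '10.50.0.11'
Test-TrustPartnerDns -PartnerDomain 'DomainB.com' | Format-Table -AutoSize
```

Every row must show `Ok = True` on both sides before the wizard is run; a failing SRV row with a working A row usually means the partner's _msdcs zone is not reachable or not delegated, and a failing DsGetDcName with all three records resolving points at the firewall between the DCs rather than at DNS. The forwarder only ever sends queries for the named domain to the partner's servers, which is the reason to prefer it over a regular forwarder or a secondary copy of their zone.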

  • Domain trust parameters meaning

    Hi all,
    can you help me understand what's the meaning of these parameters returned after querying a DC for trust relationships?
    DOMAIN_NAME={domain.netbios.name=NETBIOS_NAME,
    domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=DNS_NAME,
    domain.trust.type=2, objectGUID=0etc, objectSid=Setc}
    Specifically I'm interested in these parameters:
    domain.flags
    domain.trust.attributes
    domain.trust.type
    What do they represent and what are the possible values?
    Thanks in advance
    Have a nice day

    I believe the answer is: https://msdn.microsoft.com/en-us/library/cc237110.aspx
    so in my case 
    domain.flags -> I don't understand this
    domain.trust.attributes -> Domain is root of another forest
    domain.trust.type -> Trust is with a Windows Active Directory-based Domain
    Is this correct?
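The three fields in the output are bit fields, and reading them by hand from the specification is error-prone. The PowerShell below is an added example, not part of the original exchange: it decodes domain.flags against the DS_DOMAIN_* flags returned by DsEnumerateDomainTrusts (dsgetdc.h), and domain.trust.attributes and domain.trust.type against the TRUST_ATTRIBUTE_* and TRUST_TYPE_* values from the LSA trust definitions (ntsecapi.h / MS-LSAD). The assumption is that the tool which produced the output was reading those structures; the field names in the output are that tool's, not a documented API.

```powershell
# Added example (not from the original post): decode trust enumeration bit fields.
$DomainFlags = [ordered]@{
    0x01 = 'DS_DOMAIN_IN_FOREST'          # domain is in the same forest as the queried DC
    0x02 = 'DS_DOMAIN_DIRECT_OUTBOUND'    # we trust it (outgoing trust)
    0x04 = 'DS_DOMAIN_TREE_ROOT'          # root of a tree in the forest
    0x08 = 'DS_DOMAIN_PRIMARY'            # the queried DC's own domain
    0x10 = 'DS_DOMAIN_NATIVE_MODE'        # not in mixed mode
    0x20 = 'DS_DOMAIN_DIRECT_INBOUND'     # it trusts us (incoming trust)
}
$TrustAttributes = [ordered]@{
    0x001 = 'TRUST_ATTRIBUTE_NON_TRANSITIVE'
    0x002 = 'TRUST_ATTRIBUTE_UPLEVEL_ONLY'
    0x004 = 'TRUST_ATTRIBUTE_QUARANTINED_DOMAIN'   # SID filtering enforced on this trust
    0x008 = 'TRUST_ATTRIBUTE_FOREST_TRANSITIVE'    # cross-forest trust between forest roots
    0x010 = 'TRUST_ATTRIBUTE_CROSS_ORGANIZATION'   # selective authentication
    0x020 = 'TRUST_ATTRIBUTE_WITHIN_FOREST'
    0x040 = 'TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL'
    0x080 = 'TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION'  # MIT realm trust keyed with RC4
    0x200 = 'TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'TRUST_ATTRIBUTE_PIM_TRUST'
}
$TrustTypes = @{
    1 = 'TRUST_TYPE_DOWNLEVEL (Windows NT 4.0 domain)'
    2 = 'TRUST_TYPE_UPLEVEL (Active Directory domain)'
    3 = 'TRUST_TYPE_MIT (Kerberos realm)'
    4 = 'TRUST_TYPE_DCE'
}

# Name every set bit; anything outside the table is reported rather than silently dropped.
function Expand-Bits {
    param([int64]$Value, [System.Collections.IDictionary]$Map)
    $names = @(foreach ($bit in $Map.Keys) { if (($Value -band $bit) -ne 0) { $Map[$bit] } })
    $covered = 0
    foreach ($bit in $Map.Keys) { $covered = $covered -bor $bit }
    $unknown = $Value -band (-bnot $covered)
    if ($unknown -ne 0) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    return $names
}

function ConvertFrom-TrustEntry {
    param([int64]$Flags, [int64]$Attributes, [int]$Type)
    [pscustomobject]@{
        Flags      = ('0x{0:X8}: ' -f $Flags)      + ((Expand-Bits $Flags $DomainFlags) -join ' | ')
        Attributes = ('0x{0:X8}: ' -f $Attributes) + ((Expand-Bits $Attributes $TrustAttributes) -join ' | ')
        Type       = if ($TrustTypes.ContainsKey($Type)) { $TrustTypes[$Type] } else { "UNKNOWN($Type)" }
    }
}

# The values from the question above.
ConvertFrom-TrustEntry -Flags 0x22 -Attributes 0x8 -Type 2 | Format-List

# The same attribute bit field as AD stores it on each trustedDomain object (ActiveDirectory module):
function Get-LiveTrustAttributes {
    Get-ADTrust -Filter * -Properties TrustAttributes | ForEach-Object {
        [pscustomobject]@{ Trust = $_.Name; Attributes = (Expand-Bits $_.TrustAttributes $TrustAttributes) -join ' | ' }
    }
}
```

For the values in the question this gives: flags 0x22 = DS_DOMAIN_DIRECT_OUTBOUND | DS_DOMAIN_DIRECT_INBOUND, that is a two-way trust to a domain outside this forest (neither DS_DOMAIN_IN_FOREST nor DS_DOMAIN_PRIMARY is set); attributes 0x8 = TRUST_ATTRIBUTE_FOREST_TRANSITIVE, a forest trust; type 2 = an Active Directory domain. The attribute bits are the ones worth watching from a security standpoint: the absence of 0x4 (QUARANTINED_DOMAIN) and 0x10 (CROSS_ORGANIZATION) on an external or forest trust means SID filtering and selective authentication are not applied on that side.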
