Establishing domain trust on Xserve running server OS 10.5.8
Hi,
I am new when it comes to setting up an Xserve and configuring it for a Windows environment. The scenario is as follows:
Xserve operates fine in the current domain (e.g. currentdomain.com) and users on PCs can successfully access all shares on the newly configured Xserve.
We are in the process of moving all clients to a new domain (e.g. Newdomain.com), and the clients that have been moved to the new domain (Mac users) see the Xserve shares just fine, but my PC users that are moved to the new domain can't.
Your help would be greatly appreciated.
Thank you very much.
J.
Hello, J73ja, and welcome to the Apple Boards,
Unless your question is specific to the Xserve you really have a better chance of getting your question answered in the OS X Server group that most nearly matches the area of your question.
In this case I'd look at filesharing: http://discussions.apple.com/forum.jspa?forumID=1233 as the prime place or maybe Open Directory depending on whether you're using OD/AD binding and that kind of thing.
HTH,
=Tod
Similar Messages
-
Domain Trust Relationships in Windows Small Business Server 2011
I have seen that SBS 2011 (and older SBS versions, apparently) do not 'support' Domain Trust relationships.
Before coming across this information, I have already successfully created a trust relationship between a newly created SBS 2011 domain and an existing 2008 Domain, and everything seems to be working fine - users from one domain are recognized on the other, etc.
So I was wondering - is the 'not supported' more of a 'you're on your own if it breaks', is this a violation of the license, or is it some sort of freak occurrence and I am extremely lucky to have gotten this to work. This is actually my first time setting up a trust relationship and the entire process took about 10 minutes, so it seemed extremely easy for something that I now find out is unsupported.
If it is a license violation, I'll remove the trust relationship immediately. This is not a permanent configuration, just testing our software on the SBS2011 platform and domain trusts were the most expedient way of adding the SBS Domain users to the list of authorized users on our primary domain's SQL Server.
Thanks in advance.
From here, it says that the trust relationship is not supported for SBS: http://technet.microsoft.com/en-us/library/cc672124%28v=ws.10%29.aspx
This means that this has not been tested by Microsoft, and if you have issues, you will not get support from Microsoft.
I don't think that this is a violation of the license, but it would be better to check with a Microsoft licensing expert in your country.
You'll get more if you ask them here: http://social.technet.microsoft.com/Forums/en-US/category/sbsserver
-
Every few days we see two dialogs with the following messages:
Dialog 1, title: Check for Licensing Compliance is Incomplete
The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller.
Dialog 2, title: Check for Licensing Compliance is Incomplete
The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliance check cannot be completed, the server will automatically shut down in 8 day(s) 23 hour(s) 0 minute(s).
The server is not (and never has been) joined to a domain or had any DC roles installed. In fact it's still connected to the default Workgroup.
The server was configured in our office and never showed this message until it was installed on site. The main difference from what I can see is that when installed on site it was given a static IP address and does not have any DNS settings in the network adapter properties.
I have scoured a number of forums on this error, but in almost every other instance of this error message the servers are connected to a Domain Controller and the solutions are generally linked to dis-joining and rejoining the domain. Unfortunately this is not an option for this scenario.
I initially thought that adding some relevant DNS server IP addresses may resolve the issue; however, we have the exact same model server configured exactly the same running at a different site that does not experience this problem. This server also has no DNS server configured.
I have seen a post that suggests turning off the server's "Foundation Checking", but I'm unsure how to do this.
Thanks for your response Vivian.
I can confirm that this server is not (and never has been) a member of any Active Directory; it is configured as a Workgroup server. It was initially configured on a network that does have an Active Directory, but was never joined to it. During that time it never displayed these messages.
The server was moved into production on a different site and network and set up with a static IP address. The site network does have its own Active Directory, but the server was not joined to it. It is whilst on this new network that these messages began.
Since my original post DNS servers have been added and the Microsoft activation has been verified, however, the messages are still appearing.
There are only 2 user accounts configured on this server. The local admin account and another local admin user.
The remote desktop services roles have been installed but not yet configured. I don't think that has any bearing on this scenario though.
The description of this error in the above "Introduction to Windows Server 2012 Foundation" link states:
This error occurs when the server cannot finish checking the requirements for the root domain, forest trust configuration, or both. It usually happens when the server cannot connect to a domain controller. If the situation persists, the server will shut down 10 days after the first time the compliance check failed. Each time this error message occurs, it will state the actual time remaining before the server will shut down. If you restart the server after it has shut down because of non-compliance, the server will shut itself down again in 3 days.
The above description leads me to the following question - In a Workgroup environment, does the server still try to contact a domain controller to establish a level of trust? If this is the case, could it be that the server can no longer see the initial DC on its new network and this is what is triggering the messages?
Am I clutching at straws here? -
XServe Mail Server not receiving emails from our phone system
Hi everyone,
Since late last year, staff haven't been receiving email notifications to their work email (hosted by a 10.5.8 Xserve) of voice mail received by our 3COM NBX Phone System. However, if they provide any other email account, such as a Gmail account, they receive the email fine.
Our firewall providers have confirmed that there is nothing stopping the emails going in and out on their end. I've checked the server mail logs and can't find anything of value.
According to a forum thread, this is how our mail system sends an off-site notification via email:
1 - NCP performs an MX record lookup using DNS server IP information to return a valid TCP/IP address for each message being sent
2 - NCP acts as an MTA (Message Transfer Agent) - will directly contact each destination mail server for local delivery
3 - NCP establishes a TCP socket to the resolved TCP/IP address on SMTP port 25
4 - NCP must be able to open a TCP session to the resolved IP address of each destination email server
5 - Each destination server the NBX is sending email to may be configured for a rule base and, based on certain criteria, may reject an email or attachment that other email servers accept.
I'd appreciate any help you can provide.
Thank you,
Rhys
I have no way of issuing that command from the "netSet".
Below is the link I found of the self service article on troubleshooting offsite notifications:
http://knowledge.3com.com/service/main.jsp;jsessionid=5CC7B2440667382AC7190A96659AC61D.selfservice1?t=solutionTab&ft=searchTab&ps=solutionPanels&locale=enUS&_dyncharset=UTF-8&curResURL=%2Fservice%2Fmain.jsp%3Bjsessionid%3D5CC7B2440667382AC7190A96659AC61D.selfservice1%3FSearchButton%3DFind%26_dyncharset%3DUTF-8%26locale%3DenUS%26t%3DsearchTab%26useFocusTopic%3Dtrue%26focusTopic%3D9029739%26searchstring%3DNBX%252520-%252520Is%252520NAT%252520Supported%253f%26sfield%3D%26dosearch%3Dtrue%26pn%3D4&solutionId=1802&isSrch=Yes
I've tested the internal settings, the dig as we've established, and I've checked the server logs - they don't seem to show anything relating to the nbx.
The firewall has port 25 open to our mail server and phone system only.
-Rhys -
Setting up two way AD domain trust ?
Hi,
I'd like to know what steps I need to take when setting up an Active Directory domain trust between two or more different AD domains, and also the steps to undo the domain trust in case I need to prevent some issues.
Because I currently have about 15+ site offices that run their own Active Directory domain to be joined with my current parent company AD domain.
Thanks
/* Server Support Specialist */
Have you thought about using Azure Active Directory with user synchronization to consolidate all your offices in one place?
Answering directly: There are different types of trusts. Think about setting up a 1-way trust (users from the first domain can get access to the resources in the second domain but not the other way round) or a 2-way trust (users in both domains get access to resources such as applications or systems in both domains). Please read https://technet.microsoft.com/en-us/library/cc730798.aspx
Setting up the trust is a rather easy task (https://technet.microsoft.com/en-us/library/cc771580.aspx) and can be undone easily as well (https://technet.microsoft.com/en-us/library/cc771137.aspx)
Hope that helps!
-
Error 12703 VMM cannot establish a trust relationship SSL/TLS V2V
Issue with V2V in VMM. I thought I'd share this one. On a customer site doing a number of V2Vs and P2Vs via VMM. On the V2V it would create the object then fail with the message below, where %ServerName is one of the Hyper-V hosts:
12703 VMM cannot establish a trust relationship for the SSL/TLS secure channel for %ServerName; server.
Install the certificate to the trusted people root store of the VMM server and then try the operation again.
After much digging and testing I found it was an issue with VMM talking to the ESX host. Nothing to do with certs or the Hyper-V hosts. I've worked round this issue by migrating the VM onto another ESX host. The ESX environment is going to be decommissioned anyway.
Hope this helps someone out there.
Please let us know if you are using
SharePoint communicates to an external service via HTTPS
Please try performing the following steps:
Fix is to setup a trust between SharePoint and the server requiring certificate validation.
In SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates on to SharePoint.
The steps to get the certificates from the remote server hosting the WCF service are as follows:
1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
2. Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
This tells you the certificate chain that's required by the other server in order to communicate with it properly. You can double-click on each level in the certificate chain to go to that particular certificate, then click on the "Details" tab, "Copy to File" to save the certificate with the default settings.
As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
reference : http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
Thanks, ShankarSingh(MCP) -
Master data services 2012 domain trust issues
Hi,
We have a Master Data Services 2012 installation within one domain and the users exist within another domain. This has a selective trust both ways.
The behaviour that we are seeing in MDS 2012 when adding users to Master Data Services from the other domain is that we get "no exact match found" for users that exist; these users are from the domain that MDS does not reside in, but there is a trust in place.
We have given authentication permissions to all users requiring access to the server that MDS resides on.
The question is what steps are necessary to allow MDS to operate in a two-domain environment. We have other applications that function in this manner, but MDS is causing issues.
Any help would be appreciated.
Thanks
I don't have the exact multi-domain environment to try it on. But I tried on multi-forest domains. It seems to be working fine.
When adding the user, the format is like [DomainName\]UserName
When adding a user from another domain, the domain name is required.
There is a trust between our two domains (which works because I can log into SQL Server effortlessly with SSMS). However, when I try to add a user from the other domain, I get the error
"No exact match was found for domain\user"
It seems that MDS really doesn't like trusts.
-
Hi,
Can someone please share what the pros and cons are of trusting AD domains for more than 10 different AD sites into my existing single-domain forest, let's say ParentCompany.com?
At the moment I only have one single forest AD domain with the Domain and Forest functionality Windows Server 2003. The main domain controller FSMO role holder is in the Data Center spread across three different VMs running on Windows Server 2008 R2.
The main/parent company has acquired a smaller business chain of 15+ offices, in which they have their own Domain Controller and also their own domain; sometimes they also have the same AD domain name between them (no trust or whatsoever among those 15+ AD domains).
Sounds crazy, but yes, there is no standardization in them or whoever managed their IT infrastructure previously.
I'm now considering what are the benefits of creating the AD domain and trust versus importing those AD objects into my domain and then decommission them.
No need to worry about Exchange Server since all of the user in those sites connecting to the RDS to my ParentCompany.com terminal servers.
My requirements or goal are as follows:
1. Simplify the AD domain structure & maintenance
2. Try to avoid disruptions to the users in terms of downtime and selecting multiple different domains every time they log in to their PC or SharePoint sites.
any kind of help and suggestion would be greatly appreciated.
Thanks.
/* Server Support Specialist */
Can someone please share what is the pros and Cons of trusting AD domain for more than 10 different AD sites into my existing single domain forest let say ParentCompany.com ?
I think you mean 10 AD domains.
Managing multiple domains can be difficult for administration. I usually recommend using a single domain in a single forest with OUs to separate resources whenever it is possible.
However, if you can't do that then you can simply create trust relationships between your domains. The advantage is that you can enable access to resources to different domains. I do not see cons here.
The main/parent company has acquired smaller business chain of 15+ offices in which they have their own Domain Controller and also their own domain, sometimes they also got the same AD domain between them (no trust or whatsoever in those 15+ AD domain). Sounds crazy but yes, there is no standardization in them or whoever manage their IT infrastructure previously.
I'm now considering what are the benefits of creating the AD domain and trust versus importing those AD objects into my domain and then decommission them.
I would recommend consolidating your domains into a single one. ADMT is a migration tool that you can use. The advantage would be the ease of administration. Also, by having multiple DCs for the same domain across sites, you will benefit from High Availability and DRP.
Ahmed MALEK
-
Hello Apple Experts!!
I am Surendra and very new to this forum. I just came across a problem with my iPhone while connecting to my company WiFi. We are using web authentication, meaning:
The user will try to connect to the wireless network, the client will get the IP address and they are forced to open up the browser to provide the USERNAME and the PASSWORD on the web page; once they pass the auth they will be able to access the internet.
The web page that asks for the USERNAME and the PASSWORD is HTTPS, and for some reason that page is not opening at all and I am getting the below error. If I disable HTTPS on the Cisco device the iPhone works great.
Cannot open page Safari cannot open the page because it could not establish a secure connection to the server
This is happening only on OS 5; on OS 4 everything works just great!!
I have a feeling that this has something to do with the HTTPS / SSL connection with the iPhone Safari or OS 5.
I am connecting to a Cisco Wireless LAN Controller, with the access point acting as the WiFi device.
Any help on the same will be much appreciated!!
Regards
Surendra
I'm having a similar issue. Connecting on my iPad FROM ANYWHERE to my work's domain results in the message by the OP.
I checked the ciphers enabled by their page, and this was returned:
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
n/a Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
n/a Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
n/a Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
n/a Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
This appeared to be a more than sufficient cipher list, yet my iPad won't load any page. I highly doubt it's a problem with SSL2 not being enabled because SSL2 has been deprecated for awhile now.
Any ideas? -
Safari 8.0.3 Can't establish a secure connection to the server
I have a Macbook Air (early 2014) running OS X Yosemite 10.10.2
Safari is version 8.0.3
When accessing the websites "https://www.national-lottery.co.uk" and "https://portal.wmpfonline.com" I am given the below message:
Safari can't open the page "https://www.national-lottery.co.uk" because Safari can't establish a secure connection to the server "www.national-lottery.co.uk".
Initially when I bought my Macbook Air these sites worked perfectly. Also, when I clear website data it will work for a short period of time (roughly 2 minutes) but other times that makes no difference. I have tried using FireFox but I still have an issue accessing these sites. When in recovery mode both sites work perfectly fine without an issue.
Is anyone able to help me with this issue? I have been searching and searching for a week to find a solution to this problem.
Thank you all in advance
This could be a complicated problem to solve, as there are several possible causes for it.
Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
Step 1
From the menu bar, select
▹ System Preferences... ▹ Date & Time
Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.
Check the box marked
Set date and time automatically
if it's not already checked, and select one of the Apple time servers from the menu next to it.
Step 2
Triple-click anywhere in the line below on this page to select it:
/System/Library/Keychains/SystemCACertificates.keychain
Right-click or control-click the highlighted line and select
Services ▹ Show Info
from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
Repeat with this line:
/System/Library/Keychains/SystemRootCertificates.keychain
If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
Step 3
Launch the Keychain Access application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad and start typing the name.
In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
In the Keychains list, there should be items named System and System Roots. If not, select
File ▹ Add Keychain
from the menu bar and add the following items:
/Library/Keychains/System.keychain
/System/Library/Keychains/SystemRootCertificates.keychain
Open the View menu in the menu bar. If one of the items in the menu is
Show Expired Certificates
select it. Otherwise it will show
Hide Expired Certificates
which is what you want.
From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
Secure Sockets Layer (SSL)
select
no value specified
Close the inspection window. You'll be prompted for your administrator password to update the settings.
Now open the same inspection window again, and select
When using this certificate: Use System Defaults
Save the change in the same way as before.
Revert all the certificates with non-default trust settings. Never again change any of those settings.
Step 4
Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
Help ▹ Keychain Access Help
from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
Step 5
From the menu bar, select
Keychain Access ▹ Preferences... ▹ Certificates
There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.
Step 6
Triple-click anywhere in the line of text below on this page to select it:
/var/db/crls
Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
Restart the computer, empty the Trash, and test.
Step 7
Triple-click anywhere in the line below on this page to select it:
open -e /etc/hosts
Copy the selected text to the Clipboard by pressing the key combination command-C.
Launch the built-in Terminal application in the same way you launched Keychain Access.
Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
If that's not what you see, post the contents of the window. -
Domain trust bet. win2003 and win2008R2 not working
Hi, I try to create a domain trust but it doesn't trust. I think I am missing something about DNS; I have read several documents but they describe different cases.
I would like a good step-by-step guide of the DNS setup for domain A to trust domain B.
Question: Before running the trust wizard, should nslookup see domain B from the domain A domain controller?
Hi,
Below are some links to help you with this depending on the trust type you want to establish.
http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/
DNS resolution for certain trust types:
http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc756852(v=ws.10).aspx
Hope this helps.
Regards,
Calin -
I am able to propagate the weblogic security context from one domain to another over t3 but when I switch to an ssl connection (t3s) I no longer am able to propagate the original user. I do have the domain credential setup to allow for domain trust. Does anyone know if this is possible?
For example, I have a web app in domain 1 calling a remote ejb in domain 2. When a user logs into the web app in domain 1 which then calls a remote ejb over t3 the security context of domain 1 is propagated into the ejb in domain 2. When I use a server certificate to connect b/w domain 1 and domain 2 over t3s I no longer receive the end user in domain 2. Does anyone know if this is possible?
Thanks!
Hi,
>it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
Would you please tell us what are the DNS Settings of the PC? Is there an AD Integrated DNS zone in the ukdomain?
I suggest you check the SRV Records. You can try to restart the netlogon services to re-register SRV records. More specifically, in the command prompt, type net stop netlogon to stop netlogon services, then type net start netlogon to start netlogon services.
>it However in DNS can see their _msdcs folder but they can't see ours.
I suggest you select zone transfer to transfer the DNS zone to their domain.
More information about DNS zone transfer, please refer to the following link:
Modify DNS zone transfer settings
http://technet.microsoft.com/en-us/library/cc782181(v=WS.10).aspx
Best Regards,
Erin -
Change domain trust for Forest trust
Hi
I have a forest A with 3 domains (1 (root), 2, 3) and I have a forest B with 2 domains (4 (root), 5).
Presently, I have a domain trust between domain 2 and 5.
I need to change to a forest trust; what is the best practice?
1- Remove the domain trust and create a forest trust?
2- Create a forest trust (wait a few days) and remove the domain trust?
3- Create a forest trust and immediately remove the domain trust?
Do you have a link to explain that?
Thanks
Hi,
Which kind of domain trust have you created? Which kind of forest trust do you want to create?
A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests.
Based on my understanding of forest trust, a forest trust is a transitive trust between a forest root domain and a second forest root domain. If you create a forest trust between two root domains in forest A and forest B, it provides a one-way or two-way, transitive trust relationship between every domain in each forest.
In other words, all the domains in forest A and forest B would inherit the trust relationship from their root domains. Personally, you can just create a new forest trust and keep the existing domain trust.
In addition, please make sure that the forest function level is Windows Server 2003 or higher before you create a forest trust.
Best regards,
Susie -
Hello,
We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain. Nearly all works, we can share folder permissions etc but what we can't do on their domain is add a PC on their network that is part of our domain.
The error is:
it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
If they go to their DNS and look at the secondary forward lookup zone for ukdomain.local, it doesn't show a zone called _msdcs under ukdomain.local; instead, outside my zone we have a separate zone called _msdcs.gb.vo.local, like this:
DC1
----->Forward Lookup Zones
-------->_Msdcs.ukdomain.local
-------->ukdomain.local
I thought it should look like this:
DC1
----->Forward Lookup Zones
------->ukdomain.local
--------->_Msdcs
Thanks
If you are on their network can you ping their domain?
If not then you have a DNS, routing, or firewall issue.
Are ports being blocked? For DNS, add a conditional forwarder to point to DNS for the other Domain and do the same on the other side, this will work better in 2008 as it's replicated to the forest.
Testing Domain Controller Connectivity Using PORTQRY
Protocol and Port   | AD and AD DS Usage                                                            | Type of traffic
--------------------|-------------------------------------------------------------------------------|------------------------------------------------------------
TCP and UDP 389     | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636             | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88      | User and Computer Authentication, Forest Level Trusts                          | Kerberos
TCP and UDP 53      | User and Computer Authentication, Name Resolution, Trusts                      | DNS
TCP and UDP 445     | Replication, User and Computer Authentication, Group Policy, Trusts            | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25              | Replication                                                                    | SMTP
TCP 135             | Replication                                                                    | RPC, EPM
TCP Dynamic         | Replication, User and Computer Authentication, Group Policy, Trusts            | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722            | File Replication                                                               | RPC, DFSR (SYSVOL)
UDP 123             | Windows Time, Trusts                                                           | Windows Time
TCP and UDP 464     | Replication, User and Computer Authentication, Trusts                          | Kerberos change/set password
UDP Dynamic         | Group Policy                                                                   | DCOM, RPC, EPM
UDP 138             | DFS, Group Policy                                                              | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389            | AD DS Web Services                                                             | SOAP
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
UDP 137             | User and Computer Authentication                                               | NetLogon, NetBIOS Name Resolution
TCP 139             | User and Computer Authentication, Replication                                  | DFSN, NetBIOS Session Service, NetLogon
If it answered your question, remember to “Mark as Answer”.
If you found this post helpful, please “Vote as Helpful”.
Postings are provided “AS IS” with no warranties, and confers no rights.
Active Directory: Ultimate Reading Collection
Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
Kelly Bush
It appears that you've copied and posted the chart, with some editing,
from my blog, link posted below. No problem, as long as it helps the poster. :-)
Active Directory Firewall Ports – Let’s Try To Make This Simple
http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
Also, I would like to add that for firewall checks, make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
Here's the matrix:
Ephemeral Ports:
And most of all, the Ephemeral ports, also known as the “service response ports,” that are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the ‘client’ may be), and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what ‘ephemeral’ means.
Protocol and Port | Usage | Type of traffic
TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports
TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports
TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM
If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
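The two replies above describe the same diagnostic: first confirm that the trust partner's DC locator SRV record resolves, then confirm the fixed trust ports in the table are reachable. This PowerShell script is an added example that ties those steps together; it is not code from the thread or from Ace Fekay's blog, it assumes Windows 8 / Server 2012 or newer (Resolve-DnsName and Test-NetConnection), and the domain name is a placeholder you supply.

```powershell
# Added example (not from the thread): resolve the trust partner's DC locator
# SRV record, then probe each advertised DC on the fixed TCP trust ports from
# the table above. Dynamic RPC ports (49152-65535 on 2008+) are not probed.
param(
    [Parameter(Mandatory)][string]$PartnerDomain,   # placeholder, e.g. ukdomain.local
    [string]$DnsServer                              # optional: partner DNS / forwarder target
)

# Fixed TCP ports a trust relies on, taken from the table in the thread.
$TrustTcpPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC EPM'; 139 = 'NetBIOS Session'
    389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAP SSL'
    3268 = 'LDAP GC'; 3269 = 'LDAP GC SSL'
}

# Step 1: the SRV record the original poster's error complained about.
$srvName = "_ldap._tcp.dc._msdcs.$PartnerDomain"
$dnsArgs = @{ Name = $srvName; Type = 'SRV'; ErrorAction = 'Stop' }
if ($DnsServer) { $dnsArgs['Server'] = $DnsServer }
try {
    # The answer also carries A records for the targets; keep only SRV rows.
    $srv = Resolve-DnsName @dnsArgs | Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    Write-Warning "Fix the _msdcs zone or conditional forwarder for $PartnerDomain before testing ports."
    return
}

# Step 2: probe every advertised DC on each fixed port and emit one row per check,
# so blocked ports show up as BLOCKED next to the service name from the table.
foreach ($rec in ($srv | Sort-Object Priority, Weight)) {
    foreach ($port in ($TrustTcpPorts.Keys | Sort-Object)) {
        $open = Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC       = $rec.NameTarget
            Priority = $rec.Priority
            Port     = $port
            Service  = $TrustTcpPorts[$port]
            State    = if ($open) { 'open' } else { 'BLOCKED' }
        }
    }
}
```

Run it from a member server in the trusting domain (for example the B1 server in the one-way trust question below) so the probes traverse the same firewall path the logon does.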
We have set up a one-way domain trust between Domain A and Domain B. Users in Domain A can log on to servers in Domain B (B trusts A). Relevant ports are open in the firewall between the domain controllers in A and B. It works but is very slow. So I need to verify that my conclusion is correct. What I think is going on is that when a user from A is logging on to a server (let us call it B1) in B, then B1 tries to contact a domain controller in A, using Kerberos. Since this is not allowed in the firewall, the server tries NTLM as a fallback option, but here it is the B domain controllers that contact the A domain controllers and the user is authenticated. Because of the "Kerberos then NTLM" problem, the logon is very slow. Now is my only option to open so that B1 can connect to domain controllers in Domain A? Or is there another way to...
This topic first appeared in the Spiceworks Community
Sorry, I don't follow your question. Can you expand on what you are after? When you say AD assessment for Domain Trust, do you mean you need to validate and document an existing trust, or propose a solution for a new one? And what are you interested in with sites?
Thanks
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
Blog: http://www.windows-support.co.uk