[THIN] Re: OT: AD Browsing Issue

  • From: Steve <kwajalein@xxxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Wed, 7 Mar 2012 21:12:45 +0100

Conditional forwarding has now been enabled on the client domain; resolution of
FQDNs now happens. The FW guy now tells me that they are limiting traffic to the ports
needed for Kerberos, though I'm guessing that the IPsec filters haven't been
updated for the DCs in the site where the resource servers were moved to. There
is a site in Sites & Services for the site that's causing consternation. Oh,
and even though I
I've got a couple of Microsoft guys engaged; hopefully they can figure it out.

Sent from my iPad

On Mar 6, 2012, at 3:14 PM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:

> Answers inline
> 
> On Tue, Mar 6, 2012 at 11:34 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
>> wrote:
>>> 
>>> DNS is replicated completely?
>> 
>> That I won't know, though I'm trying to get some hostnames for the other
>> domain to see if I can resolve them.
>> Got a hostname - can't resolve it.
>>> 
>>> 
>>> NetBIOS over TCP/IP is turned on?
>> 
>> On my PC, yes. On the DCs? Don't know.
>>> 
>>> 
>>> What does sites and services look like?
>> 
>> Oodles of sites, can't really tell that there's one setup for the other
>> domain. What should I be looking for here?
> 
> Whatever subnet the machine that doesn't work is sitting in should be
> defined in Sites and Services; that should specify which DC it should be
> looking at. Can you run dcdiag and try to see if there are any problems
> there?
> 
>>> 
>>> 
>>> Can you run Wireshark on one of the machines that's not working and
>>> see whether it's trying to connect out to a DC that's perhaps not in
>>> the policy?
>> 
>> That would definitely be out of the question. I can run a port query from
>> PCs and member servers.
>>> 
> 
> Give that IP address to the firewall admins on both sides and ask for
> drops. Also ask the networking guys if they have routed *all* the IP
> address space in use between the two orgs. Firewall might be open on
> both sides, but without the routes there, you're going to lose out.
> 
> 
>>> 
>>> On the machine that you are running ADUC on, can you login there to
>>> the other domain?
>> 
>> I'll see if they can create an account for me to test with.
>> 
>> They're currently allowing perhaps 7 DCs on each domain to contact one
>> another. The FW guys say that there are no port restrictions; they're just
>> allowing IPs to connect to one another.
>> 
>> One enterprise group controls our DCs and FWs, another enterprise controls
>> the other DCs; FWs on the other domain are controlled locally. Everyone says
>> that their part is configured correctly (of course). Seems like there should
>> be a way to set up a bridgehead or two on each domain, and then just allow
>> the bridgeheads to talk through the firewalls. One enterprise AD guy
>> believes that we need to configure the firewalls with ACLs for all of the
>> DCs (hundreds) on both domains (so hundreds x 2); I'm hoping there's a more
>> succinct way.
> 
> In my experience, he's right. It shouldn't work that way, but you see
> strange oddities sometimes (timeouts) without it.
> 
> I just did a POC for a trust relationship setup the other day.
> 
> Also, just to state the obvious: make sure that you are trying to add
> members of another domain to a domain local group. Otherwise it won't
> work.
> 
> 
>> 
>> thanks.
>>> 
>>> 
>>> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>>>> Alright, one for the AD Gods/Goddesses
>>>> 
>>>> Got a trust between two different AD forests. From my PC I can browse the
>>>> other domains and select/add objects. From ADUC, I can't even see the
>>>> other domains (see the attached pic).
>>>> 
>>>> Ideas?
>>>> 
>>>> What's driving this issue is that from a server in another site (still in my
>>>> domain) one can't see the other domains at all in order to add users (as I
>>>> can from my PC). So between these two matters I'm guessing that our trust
>>>> isn't quite right, but I don't have access to DCs nor the firewalls, so I'm
>>>> troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
>>>> Notes version of setting up trusts between AD domains through firewalls for
>>>> domains with a *lot* of DCs I'd gladly read it and drink a German bier in
>>>> their honor.
>>> ************************************************
>>> For Archives, RSS, to Unsubscribe, Subscribe or
>>> set Digest or Vacation mode use the below link:
>>> //www.freelists.org/list/thin
>>> ************************************************
>> 
>> 
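The checks the thread keeps circling (can this host resolve the other forest's DCs, which DC the locator picks and whether the host's subnet maps to a site, and which of the needed ports actually reach those DCs), as an added PowerShell example; it is not code from any of the posts above. It runs from an ordinary domain member, which is the access Steve describes having. The trusted domain name partner.example, the port list and the 2-second timeout are assumptions for the demo.

```powershell
# Added example, not from the thread: what a domain member (no DC or firewall
# access needed) can check about a trusted forest. 'partner.example' and the
# port list are assumptions for the demo; swap in the real trusted domain.
param(
    [string]$TrustedDomain = 'partner.example',
    [int]$TimeoutMs = 2000
)

# TCP ports a member needs to locate a DC in the trusted domain and to browse or
# add its principals. Kerberos (88) alone is not enough: the object picker and
# ADUC also use LDAP, the GC, SMB and RPC (135 plus the dynamic RPC range, which
# this quick scan does not enumerate).
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (Netlogon / SAMR over named pipes)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    # TcpClient with an explicit timeout: a firewall that silently drops the SYN
    # shows up as 'timeout' instead of hanging the script; no Test-NetConnection needed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (filtered/dropped)' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return "refused/error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Get-TrustedDomainDC {
    param([string]$Domain)
    # DC location for the other forest hinges on its _msdcs SRV records. If the
    # conditional forwarder or stub zone for that domain is missing, this fails
    # before any firewall rule comes into play. Resolve-DnsName needs Windows 8 /
    # Server 2012 or later; on older hosts use 'nslookup -type=SRV' instead.
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, Weight |
        ForEach-Object { $_.NameTarget.TrimEnd('.') } |
        Select-Object -Unique
}

Write-Host "== DC locator (nltest) for $TrustedDomain =="
# Netlogon picks the DC the same way ADUC and the object picker will. An empty
# 'Our Site Name' means this machine's subnet is not defined in Sites and
# Services, so the locator is not site-aware and may pick any DC it can find.
$nl = & nltest /dsgetdc:$TrustedDomain 2>&1
$nl | ForEach-Object { "  $_" }
$m = $nl | Select-String 'Our Site Name:\s*(.*)$'
$site = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
if (-not $site) { Write-Warning "No site mapped for this host's subnet; fix Sites and Services before blaming the trust." }

Write-Host "== DNS: DCs advertised for $TrustedDomain =="
try { $dcs = @(Get-TrustedDomainDC -Domain $TrustedDomain) }
catch {
    Write-Warning "Cannot resolve _ldap._tcp.dc._msdcs.$TrustedDomain ($($_.Exception.Message)); check the conditional forwarder first."
    return
}
$dcs | ForEach-Object { "  $_" }

Write-Host "== TCP reachability from $env:COMPUTERNAME =="
$results = foreach ($dc in $dcs) {
    foreach ($p in $Ports.Keys) {
        [pscustomobject]@{
            DC      = $dc
            Port    = $p
            Service = $Ports[$p]
            Result  = Test-TcpPort -ComputerName $dc -Port $p -TimeoutMs $TimeoutMs
        }
    }
}
$results | Format-Table DC, Port, Service, Result -AutoSize

# The blocked DC/port pairs are what to hand to the firewall admins on both
# sides; every DC in the SRV answer is a candidate the locator may pick.
$results | Where-Object { $_.Result -ne 'open' } | Group-Object DC | ForEach-Object {
    Write-Warning ("{0}: blocked on port(s) {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Port }) -join ', '))
}
```

Run it on the server that cannot browse the other domain. A DNS failure points at the conditional forwarder or stub zone; an empty site name points at Sites and Services, which is also what decides which of the hundreds of DCs the client will talk to; the per-DC timeouts are the concrete list to hand to both firewall teams, and a rule set that only passes Kerberos will still leave LDAP, SMB and RPC failing. dcdiag, which Berny suggests, has to be run on or against a DC with the RSAT tools installed; this script needs no such rights.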
