[THIN] Re: OT: AD Browsing Issue

  • From: Steve Snyder <kwajalein@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 6 Mar 2012 12:34:08 +0100

On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:

> DNS is replicated completely?
>
That I won't know, though I'm trying to get some hostnames for the other
domain to see if I can resolve them.
Got a hostname - can't resolve it.

>
> NetBIOS over TCP/IP is turned on?
>
On my PC, yes. On the DCs? Don't know.

>
> What does sites and services look like?
>
Oodles of sites, can't really tell that there's one setup for the other
domain. What should I be looking for here?

>
> Can you run wireshark on one of the machines that's not working and
> see whether it's trying to connect out to a DC that's perhaps not in
> the policy?
>
That would definitely be out of the question. I can run a port query from
PCs and member servers.

>
> On the machine that you are running ADUC on, can you login there to
> the other domain?
>
I'll see if they can create an account for me to test with.

They're currently allowing perhaps 7 DCs on each domain to contact one
another. The FW guys say that there's no port restrictions, they're just
allowing IPs to connect to one another.

One enterprise group controls our DCs and FWs, another enterprise controls
the other DCs; FWs on the other domain are controlled locally. Everyone
says that their part is configured correctly (of course). Seems like there
should be a way to set up a bridgehead or two on each domain, and then just
allow the bridgeheads to talk through the firewalls. One enterprise AD guy
believes that we need to configure the firewalls with ACLs for all of the
DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more
succinct way.

thanks.

>
> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
> > Alright, one for the AD Gods/Goddesses
> >
> > Got a trust between two different AD forests. From my PC I can browse the
> > other domains and select/add objects. From ADUC, I can't even see the
> > other domains (see the attached pic).
> >
> > Ideas?
> >
> > What's driving this issue is from a server in another site (still in my
> > domain) one can't see the other domains at all in order to add users (as
> > I can from my PC). So between these two matters I'm guessing that our trust
> > isn't quite right, but I don't have access to DCs nor the firewalls so
> > I'm troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
> > Notes version of setting up trusts between AD domains through firewalls
> > for domains with a *lot* of DCs I'd gladly read it and drink a German bier in
> > their honor.
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> //www.freelists.org/list/thin
> ************************************************
>
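The DNS-resolution and port checks the thread goes back and forth on (can the other forest's DCs be resolved, and which trust ports the firewalls actually let through), as a diagnostic script added here that is not from anyone in this thread. It assumes PowerShell on Windows 8 / Server 2012 or later for Resolve-DnsName, and `other.example` is a placeholder for the trusted forest's DNS name.

```powershell
# Added example, not from the thread. Assumes Resolve-DnsName (DnsClient module,
# Windows 8 / Server 2012+). "other.example" is a placeholder: put the trusted
# forest's DNS name there.
param(
    [string]$TrustedDomain = "other.example",
    [int]$TimeoutMs = 3000
)

# Static ports a forest trust needs through the firewall. RPC also uses the
# dynamic range (49152-65535 on Server 2008+), which this check does not cover.
$TrustPorts = [ordered]@{ 'DNS'=53; 'Kerberos'=88; 'RPC-EPM'=135; 'LDAP'=389; 'SMB'=445; 'GC'=3268 }

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Step 1: DC discovery for a trusted forest goes through the _ldap._tcp.dc._msdcs
# SRV record. No answer here means the problem is DNS, not the firewall.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No DC SRV records for $TrustedDomain; fix DNS (conditional forwarder or stub zone) before looking at firewall rules."
    return
}

# Step 2: for every DC the other forest advertises, resolve its A record and
# probe each trust port, so the firewall ACL gaps show up per DC.
foreach ($rec in $srv | Sort-Object NameTarget -Unique) {
    $dc = $rec.NameTarget
    $ip = (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue | Select-Object -First 1).IPAddress
    if (-not $ip) { "{0,-40} no A record" -f $dc; continue }
    $open   = @($TrustPorts.Keys | Where-Object { Test-TcpPort -Target $ip -Port $TrustPorts[$_] -TimeoutMs $TimeoutMs })
    $closed = @($TrustPorts.Keys | Where-Object { $open -notcontains $_ })
    "{0,-40} {1,-15} open: {2}  blocked: {3}" -f $dc, $ip, ($open -join ','), ($closed -join ',')
}
```

Run it from a member server in the affected site as well as from a PC that works; a DC that appears in the SRV answer but shows every port blocked is one the firewall IP allow-list does not cover.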
