[THIN] Re: OT: AD Browsing Issue

  • From: Russell Robertson <russell@xxxxxxxxxxxxxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 6 Mar 2012 12:53:46 +0000

Hi Steve

You should be able to ping the domain itself, so if the internal FQDN is
company.local then you should get a reply.

It's weird though if you've got the trust set up without DNS being all good.



From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Steve Snyder
Sent: 06 March 2012 11:34
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: AD Browsing Issue

On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton
<berny@xxxxxxxxxxxxxxxxx> wrote:
> DNS is replicated completely?
That I won't know, though I'm trying to get some hostnames for the other domain 
to see if I can resolve them.
Got a hostname - can't resolve it.

> NetBIOS over TCP/IP is turned on?
On my PC, yes. On the DCs? Don't know.

> What does sites and services look like?
Oodles of sites, can't really tell that there's one setup for the other domain. 
What should I be looking for here?

> Can you run wireshark on one of the machines that's not working and
> see whether it's trying to connect out to a DC that's perhaps not in
> the policy?
That would definitely be out of the question. I can run a port query from PCs
and member servers.

> On the machine that you are running ADUC on, can you login there to
> the other domain?
I'll see if they can create an account for me to test with.

They're currently allowing perhaps 7 DCs on each domain to contact one another. 
The FW guys say that there's no port restrictions, they're just allowing IPs to 
connect to one another.

One enterprise group controls our DCs and FWs, another enterprise controls the 
other DCs; FWs on the other domain are controlled locally. Everyone says that 
their part is configured correctly (of course). Seems like there should be a 
way to set up a bridgehead or two on each domain, and then just allow the 
bridgeheads to talk through the firewalls. One enterprise AD guy believes that 
we need to configure the firewalls with ACLs for all of the DCs (hundreds) on 
both domains (so hundreds X2); I'm hoping there's a more succinct way.


On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder
<kwajalein@xxxxxxxxx> wrote:
> Alright, one for the AD Gods/Goddesses
> Got a trust between two different AD forests. From my PC I can browse the
> other domains and select/add objects. From ADUC, I can't even see the other
> domains (see the attached pic).
> Ideas?
> What's driving this issue is from a server in another site (still in my
> domain) one can't see the other domains at all in order to add users (as I
> can from my PC). So between these two matters I'm guessing that our trust
> isn't quite right, but I don't have access to DCs nor the firewalls so I'm
> troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
> Notes version of setting up trusts between AD domains through firewalls for
> domains with a *lot* of DCs I'd gladly read it and drink a german bier in
> their honor.
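As an added example (not part of the thread), a PowerShell check that runs the DNS and port tests discussed above from a PC or member server without DC access: it resolves the trusted domain's A and DC locator SRV records, then probes each advertised DC on the ports a forest trust needs. The domain name `otherdomain.local` is a placeholder, and `Resolve-DnsName` / `Test-NetConnection` are assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread: check that this machine can find and
# reach DCs of a trusted forest the way ADUC and the trust itself need to.
# 'otherdomain.local' is a placeholder for the trusted forest's FQDN.
param(
    [string]$TrustedDomain = 'otherdomain.local'
)

# TCP ports a forest trust needs towards the trusted DCs (the dynamic RPC
# range 49152-65535 is also required but is not probed here).
$TrustPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / Netlogon'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

Write-Host "== A records for $TrustedDomain (a ping of the domain name relies on these) =="
Resolve-DnsName -Name $TrustedDomain -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress | Format-Table -AutoSize

Write-Host "== DC locator SRV records (what the client uses to find a DC) =="
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV records for $TrustedDomain: clients cannot locate a DC there. Fix DNS (conditional forwarders / secondary zones) before blaming the firewall."
    return
}
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# Probe each advertised DC on each trust port and report what the firewalls let through.
foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($port in ($TrustPorts.Keys | Sort-Object)) {
        $open = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue -InformationLevel Quiet
        "{0,-40} {1,5} {2,-26} {3}" -f $dc, $port, $TrustPorts[$port], $(if ($open) { 'open' } else { 'BLOCKED' })
    }
}
```

A DC that appears in the SRV list but shows BLOCKED on every port is a firewall candidate; no SRV records at all points at DNS, matching Russell's point that the domain name itself should answer.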