Hi Steve

You should be able to ping the domain itself, so if the internal FQDN is company.local then you should get a reply. It's weird though if you've got the trust set up without DNS being all good.

Cheers
Russell

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Snyder
Sent: 06 March 2012 11:34
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: AD Browsing Issue

On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:

> DNS is replicated completely?

That I won't know, though I'm trying to get some hostnames for the other domain to see if I can resolve them. Got a hostname - can't resolve it.

> NetBIOS over TCP/IP is turned on?

On my PC, yes. On the DCs? Don't know.

> What does sites and services look like?

Oodles of sites, can't really tell that there's one set up for the other domain. What should I be looking for here?

> Can you run Wireshark on one of the machines that's not working and see
> whether it's trying to connect out to a DC that's perhaps not in the policy?

That would definitely be out of the question. I can run a port query from PCs and member servers.

> On the machine that you are running ADUC on, can you log in there to the
> other domain?

I'll see if they can create an account for me to test with.

They're currently allowing perhaps 7 DCs on each domain to contact one another. The FW guys say that there's no port restrictions, they're just allowing IPs to connect to one another. One enterprise group controls our DCs and FWs, another enterprise controls the other DCs; FWs on the other domain are controlled locally. Everyone says that their part is configured correctly (of course).

Seems like there should be a way to set up a bridgehead or two on each domain, and then just allow the bridgeheads to talk through the firewalls.
One enterprise AD guy believes that we need to configure the firewalls with ACLs for all of the DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more succinct way.

thanks.

On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
> Alright, one for the AD Gods/Goddesses
>
> Got a trust between two different AD forests. From my PC I can browse the
> other domains and select/add objects. From ADUC, I can't even see the other
> domains (see the attached pic).
>
> Ideas?
>
> What's driving this issue is from a server in another site (still in my
> domain) one can't see the other domains at all in order to add users (as I
> can from my PC). So between these two matters I'm guessing that our trust
> isn't quite right, but I don't have access to DCs nor the firewalls so I'm
> troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
> Notes version of setting up trusts between AD domains through firewalls for
> domains with a *lot* of DCs I'd gladly read it and drink a German bier in
> their honor.
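
The two checks discussed in this thread (resolving the other forest in DNS, then running a port query from a PC or member server), as an added example that is not part of the original messages. The forest name company.local is the placeholder from Russell's reply; the port list, the $MaxDCs limit and the parameter names are assumptions, not details of this environment.

```powershell
# Added example (not from the thread): check DNS and TCP reachability toward the
# other forest's DCs from a PC or member server, without DC or firewall access.
param(
    [string]$TrustedDomain = 'company.local',  # placeholder: the other forest's DNS name
    [int]$MaxDCs = 10                          # assumption: sample a few DCs, not hundreds
)

# Assumed port list: TCP services a trust normally relies on. The dynamic RPC
# range is not covered because it differs per environment.
$Ports = @(
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB' }
    @{ Port = 464;  Service = 'Kerberos password change' }
    @{ Port = 3268; Service = 'Global catalog' }
)

# Step 1: the DNS-based DC locator depends on this SRV record; if it does not
# resolve, the port results below cannot be collected at all.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop |
        Where-Object NameTarget        # keep SRV answers, drop additional A/AAAA records
} catch {
    Write-Warning "DC locator lookup for $TrustedDomain failed: $($_.Exception.Message)"
    return
}
$dcs = @($srv.NameTarget | Sort-Object -Unique | Select-Object -First $MaxDCs)
if ($dcs.Count -eq 0) { Write-Warning "No DC SRV records returned for $TrustedDomain"; return }

# Step 2: try each port on each DC the locator returned.
$results = foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $dc -Port $p.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p.Port; Service = $p.Service; Reachable = $open }
    }
}

$results | Format-Table -AutoSize
# DCs that resolve but do not answer are the candidates to raise with the firewall team.
$results | Where-Object { -not $_.Reachable } | Group-Object DC |
    ForEach-Object { "{0}: blocked {1}" -f $_.Name, ($_.Group.Port -join ', ') }
```

Running it from both the PC that can browse the other domains and the server that cannot gives two tables to compare side by side.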