[THIN] Re: OT: AD Browsing Issue

  • From: Steve Snyder <kwajalein@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 6 Mar 2012 14:43:07 +0100

I can ping the other domain name, well, I can resolve the name to an IPA -
ICMP traffic is fairly restricted so no actual pings.

Oh, and I can resolve an IPA for a host on the other domain (forgot to
ping the fqdn).

However, from their side they can't resolve FQDNs to IP addresses.

On Tue, Mar 6, 2012 at 1:53 PM, Russell Robertson <
russell@xxxxxxxxxxxxxxxxxxx> wrote:

> Hi Steve
>
> You should be able to ping the domain itself, so if the internal fqdn is
> company.local then you should get a reply.
>
> It's weird though if you've got the trust set up without DNS being all
> good.
>
> Cheers
>
> Russell
>
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Steve Snyder
> *Sent:* 06 March 2012 11:34
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: OT: AD Browsing Issue
>
> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
> wrote:
>
> > DNS is replicated completely?
>
> That I won't know, though I'm trying to get some hostnames for the other
> domain to see if I can resolve them.
> Got a hostname - can't resolve it.
>
> > NetBIOS over TCP/IP is turned on?
>
> On my PC, yes. On the DCs? Don't know.
>
> > What does sites and services look like?
>
> Oodles of sites, can't really tell that there's one set up for the other
> domain. What should I be looking for here?
>
> > Can you run wireshark on one of the machines that's not working and
> > see whether it's trying to connect out to a DC that's perhaps not in
> > the policy?
>
> That would definitely be out of the question. I can run a port query from
> PCs and member servers.
>
> > On the machine that you are running ADUC on, can you login there to
> > the other domain?
>
> I'll see if they can create an account for me to test with.
>
> They're currently allowing perhaps 7 DCs on each domain to contact one
> another. The FW guys say that there are no port restrictions, they're just
> allowing IPs to connect to one another.
>
> One enterprise group controls our DCs and FWs, another enterprise controls
> the other DCs; FWs on the other domain are controlled locally. Everyone
> says that their part is configured correctly (of course). Seems like there
> should be a way to set up a bridgehead or two on each domain, and then just
> allow the bridgeheads to talk through the firewalls. One enterprise AD guy
> believes that we need to configure the firewalls with ACLs for all of the
> DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more
> succinct way.
>
> thanks.
>
>
> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
> > Alright, one for the AD Gods/Goddesses
> >
> > Got a trust between two different AD forests. From my PC I can browse the
> > other domains and select/add objects. From ADUC, I can't even see the
> > other domains (see the attached pic).
> >
> > Ideas?
> >
> > What's driving this issue is from a server in another site (still in my
> > domain) one can't see the other domains at all in order to add users (as
> > I can from my PC). So between these two matters I'm guessing that our trust
> > isn't quite right, but I don't have access to DCs nor the firewalls so
> > I'm troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
> > Notes version of setting up trusts between AD domains through firewalls
> > for domains with a *lot* of DCs I'd gladly read it and drink a German bier in
> > their honor.
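As an added example that is not part of this thread, here is a PowerShell check of the prerequisites the thread circles around: that the other forest's name resolves, that its DC locator SRV records resolve, and which of the advertised DCs actually answer on the trust ports through the firewall, without relying on ICMP. The forest name is a placeholder; Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. Checks, from a member machine, the DNS
# and TCP prerequisites an inter-forest trust depends on, without relying on
# ICMP (which the poster says is filtered).
param(
    # Placeholder for the other forest's DNS name; substitute the real one.
    [string]$RemoteForest = 'otherforest.local',
    # Ports a trust uses (DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, LDAPS, GC).
    # The dynamic RPC range (49152-65535 on 2008+) is not probed here.
    [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268)
)

# 1. The forest root name must resolve (the non-ICMP version of "ping the domain").
$root = Resolve-DnsName -Name $RemoteForest -Type A -ErrorAction SilentlyContinue
if (-not $root) {
    Write-Warning "No A record for $RemoteForest - check the conditional forwarder or stub zone."
}

# 2. The DC locator finds trusted-forest DCs through this SRV record; if it is
#    missing, ADUC cannot enumerate the other forest regardless of the firewall.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $RemoteForest - DC locator will fail."
    return
}

# 3. Every DC the SRV records advertise is one that clients may try to reach.
#    Any of them the firewall does not allow shows up here as closed ports; that
#    list is the gap between what DNS advertises and what the ACLs permit.
foreach ($dc in $srv | Sort-Object Priority, Weight) {
    $ip = (Resolve-DnsName -Name $dc.NameTarget -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    foreach ($p in $Ports) {
        $tcp = Test-NetConnection -ComputerName $dc.NameTarget -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC   = $dc.NameTarget
            IP   = $ip
            Port = $p
            Open = $tcp.TcpTestSucceeded
        }
    }
}
```

Run it from a workstation or member server in the local forest and compare the DCs it lists with the ones the firewall team says are permitted; a DC that DNS advertises but the firewall blocks is exactly the kind of mismatch the thread is chasing.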
