[THIN] Re: OT: AD Browsing Issue

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 6 Mar 2012 14:14:42 +0000

Answers inline

On Tue, Mar 6, 2012 at 11:34 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>> DNS is replicated completely?
> That I won't know, though I'm trying to get some hostnames for the other
> domain to see if I can resolve them.
> Got a hostname - can't resolve it.
>> NetBIOS over TCP/IP is turned on?
> On my PC, yes. On the DCs? Don't know.
>> What does sites and services look like?
> Oodles of sites, can't really tell that there's one setup for the other
> domain. What should I be looking for here?

Whatever subnet the machine that doesn't work is sitting in should be
a subnet defined in Sites and Services; that is what specifies which
DC it should be looking at. Can you run dcdiag and see if there are
any problems there?

>> Can you run wireshark on one of the machines that's not working and
>> see whether it's trying to connect out to a DC that's perhaps not in
>> the policy?
> That would definitely be out of the question. I can run a port query from
> PCs and member servers.

Give that IP address to the firewall admins on both sides and ask for
drops. Also ask the networking guys if they have routed *all* the IP
address space in use between the two orgs. Firewall might be open on
both sides, but without the routes there, you're going to lose out.

>> On the machine that you are running ADUC on, can you login there to
>> the other domain?
> I'll see if they can create an account for me to test with.
> They're currently allowing perhaps 7 DCs on each domain to contact one
> another. The FW guys say that there's no port restrictions, they're just
> allowing IPs to connect to one another.
> One enterprise group controls our DCs and FWs, another enterprise controls
> the other DCs; FWs on the other domain are controlled locally. Everyone says
> that their part is configured correctly (of course). Seems like there should
> be a way to set up a bridgehead or two on each domain, and then just allow
> the bridgeheads to talk through the firewalls. One enterprise AD guy
> believes that we need to configure the firewalls with ACLs for all of the
> DCs (hundreds) on both domains (so hundreds X2); I'm hoping there's a more
> succinct way.

In my experience, he's right. It shouldn't work that way, but you see
strange oddities sometimes (Timeouts) without it.

I just did a POC for a trust relationship setup the other day.

Also, just to state the obvious: make sure that you are trying to add
members of another domain to a domain local group. Otherwise it won't

> thanks.
>> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>> > Alright, one for the AD Gods/Goddesses
>> >
>> > Got a trust between two different AD forests. From my PC I can browse the
>> > other domains and select/add objects. From ADUC, I can't even see the other
>> > domains (see the attached pic).
>> >
>> > Ideas?
>> >
>> > What's driving this issue is from a server in another site (still in my
>> > domain) one can't see the other domains at all in order to add users (as I
>> > can from my PC). So between these two matters I'm guessing that our trust
>> > isn't quite right, but I don't have access to DCs nor the firewalls so I'm
>> > troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
>> > Notes version of setting up trusts between AD domains through firewalls for
>> > domains with a *lot* of DCs I'd gladly read it and drink a German bier in
>> > their honor.
>> ************************************************
>> For Archives, RSS, to Unsubscribe, Subscribe or
>> set Digest or Vacation mode use the below link:
>> //www.freelists.org/list/thin
>> ************************************************
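The checks suggested in this thread (DNS resolution of the other domain's DCs, a port query from a member machine, and whether the client's IP is covered by a subnet in Sites and Services), written up as one PowerShell script. This is an added example, not code from the thread; it assumes PowerShell 4+ with the RSAT ActiveDirectory module, and the DC hostnames below are placeholders for the ones you obtain for the other domain.

```powershell
# Added diagnostic, not from the thread. Assumes RSAT AD module and PowerShell 4+.
$RemoteDcs  = @('dc1.other.example', 'dc2.other.example')   # placeholder hostnames
# TCP ports a forest trust uses per standard AD documentation: DNS, Kerberos,
# RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, Global Catalog. The dynamic
# RPC range is not probed here.
$TrustPorts = 53, 88, 135, 389, 445, 464, 636, 3268

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    # Numeric compare of an IPv4 address against an "a.b.c.d/n" prefix
    $net, $bits = $Cidr.Split('/'); $bits = [int]$bits
    $toInt = { param($a) $b = ([ipaddress]$a).GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# 1. Sites and Services: is this client's IP covered by a subnet object? If not,
#    the DC locator may pick a DC the firewall rules do not allow.
Import-Module ActiveDirectory
$myIp  = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.PrefixOrigin -ne 'WellKnown' } | Select-Object -First 1).IPAddress
$match = Get-ADReplicationSubnet -Filter * |
         Where-Object { $_.Name -match '^\d+\.' -and (Test-IpInCidr $myIp $_.Name) }
if ($match) { Write-Host "$myIp is in subnet $($match.Name) -> site $($match.Site)" }
else        { Write-Warning "$myIp is not covered by any subnet in Sites and Services" }
Write-Host "nltest reports this client's site as: $((nltest /dsgetsite 2>$null) -join ' ')"

# 2. DNS: can the other domain's DCs be resolved at all?
# 3. Port query: the check you can run from a PC or member server without
#    access to the DCs or the firewalls.
$results = foreach ($dc in $RemoteDcs) {
    $addr = (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
             Select-Object -First 1).IPAddress
    if (-not $addr) {
        [pscustomobject]@{ DC = $dc; IP = 'UNRESOLVED'; Port = $null; Open = $false }
        continue
    }
    foreach ($p in $TrustPorts) {
        $ok = (Test-NetConnection -ComputerName $addr -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; IP = $addr; Port = $p; Open = $ok }
    }
}
$results | Format-Table -AutoSize
```

Unresolved names go to whoever owns DNS replication between the forests; closed ports (or an uncovered subnet) are the concrete items to hand to the firewall and networking teams.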