Answers inline

On Tue, Mar 6, 2012 at 11:34 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
> On Tue, Mar 6, 2012 at 10:53 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>>
>> DNS is replicated completely?
>
> That I won't know, though I'm trying to get some hostnames for the other
> domain to see if I can resolve them.
>
> Got a hostname - can't resolve it.
>>
>> NetBIOS over TCP/IP is turned on?
>
> On my PC, yes. On the DCs? Don't know.
>>
>> What does sites and services look like?
>
> Oodles of sites, can't really tell that there's one set up for the other
> domain. What should I be looking for here?

Whatever subnet that machine that doesn't work is sitting in should be in a
subnet defined in Sites and Services; that should specify which DC it should
be looking at.

Can you run dcdiag and try to see if there are any problems there?

>>
>> Can you run wireshark on one of the machines that's not working and
>> see whether it's trying to connect out to a DC that's perhaps not in
>> the policy?
>
> That would definitely be out of the question. I can run a port query from
> PCs and member servers.

Give that IP address to the firewall admins on both sides and ask for drops.
Also ask the networking guys if they have routed *all* the IP address space
in use between the two orgs. Firewall might be open on both sides, but
without the routes there, you're going to lose out.

>>
>> On the machine that you are running ADUC on, can you login there to
>> the other domain?
>
> I'll see if they can create an account for me to test with.
>
> They're currently allowing perhaps 7 DCs on each domain to contact one
> another. The FW guys say that there are no port restrictions, they're just
> allowing IPs to connect to one another.
>
> One enterprise group controls our DCs and FWs, another enterprise controls
> the other DCs; FWs on the other domain are controlled locally. Everyone says
> that their part is configured correctly (of course). Seems like there should
> be a way to set up a bridgehead or two on each domain, and then just allow
> the bridgeheads to talk through the firewalls. One enterprise AD guy
> believes that we need to configure the firewalls with ACLs for all of the
> DCs (hundreds) on both domains (so hundreds x 2); I'm hoping there's a more
> succinct way.

In my experience, he's right. It shouldn't work that way, but you see strange
oddities sometimes (timeouts) without it. I just did a POC for a trust
relationship setup the other day.

Also, just to state the obvious: make sure that you are trying to add members
of another domain to a domain local group. Otherwise it won't work.

> thanks.
>>
>> On Tue, Mar 6, 2012 at 9:14 AM, Steve Snyder <kwajalein@xxxxxxxxx> wrote:
>> > Alright, one for the AD Gods/Goddesses
>> >
>> > Got a trust between two different AD forests. From my PC I can browse the
>> > other domains and select/add objects. From ADUC, I can't even see the other
>> > domains (see the attached pic).
>> >
>> > Ideas?
>> >
>> > What's driving this issue is from a server in another site (still in my
>> > domain) one can't see the other domains at all in order to add users (as I
>> > can from my PC). So between these two matters I'm guessing that our trust
>> > isn't quite right, but I don't have access to DCs nor the firewalls so I'm
>> > troubleshooting symptomatically. If anyone wants to pipe in with a Cliff
>> > Notes version of setting up trusts between AD domains through firewalls for
>> > domains with a *lot* of DCs I'd gladly read it and drink a German bier in
>> > their honor.
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************
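The checks Berny walks through above (is the failing machine's subnet defined in Sites and Services, which DC of the other forest the locator hands back, and whether the firewall and routing actually pass the ports a trust needs) can be scripted from the affected member server. This is an added PowerShell example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the client IP and trusted domain name are placeholders to fill in.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module; placeholders below.
Import-Module ActiveDirectory

$ClientIp     = '10.20.30.40'        # constructed placeholder: server that cannot see the other domain
$RemoteDomain = 'other.example.com'  # placeholder: DNS name of the trusted forest

# True if an IPv4 address falls inside a CIDR block (AD subnet objects are named "a.b.c.d/len").
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                   # to host byte order
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32]::MaxValue - [uint32]([math]::Pow(2, 32 - [int]$bits) - 1)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# 1. Sites and Services: is the failing machine's subnet defined, and which site does it map to?
#    With no matching subnet the DC locator falls back to any DC, possibly one the firewall blocks.
$subnet = Get-ADReplicationSubnet -Filter * | Where-Object { Test-IpInCidr -Ip $ClientIp -Cidr $_.Name }
if ($subnet) { "Subnet $($subnet.Name) -> site $($subnet.Site)" }
else         { "WARNING: no AD subnet covers $ClientIp" }

# 2. The trusts this domain knows about, with direction and transitivity.
Get-ADTrust -Filter * | Format-Table Name, Direction, ForestTransitive, IntraForest -AutoSize

# 3. Which DC of the other forest does the locator hand back from here?
$dcIp = ([string](nltest "/dsgetdc:$RemoteDomain" 2>&1 | Select-String 'Address:') `
         -replace '.*Address:\s*\\\\', '').Trim()
if (-not $dcIp) { throw "DC locator found no DC for $RemoteDomain (DNS or trust problem)" }
"Locator returned DC $dcIp for $RemoteDomain"

# 4. TCP ports a forest trust needs, tested toward that DC. 'CLOSED' while the firewall admins
#    say the rule is open usually means a missing route, as suggested in the thread.
#    (RPC dynamic ports 49152-65535 and UDP DNS/Kerberos are not covered by this TCP check.)
$trustPorts = [ordered]@{ 88='Kerberos'; 135='RPC EPM'; 389='LDAP'; 445='SMB'; 464='kpasswd'
                          636='LDAPS'; 3268='GC'; 3269='GC SSL' }
foreach ($p in $trustPorts.Keys) {
    $ok = (Test-NetConnection -ComputerName $dcIp -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} {1,-9} {2}' -f $p, $trustPorts[$p], $(if ($ok) { 'open' } else { 'CLOSED' })
}
```

Run it from the server that cannot see the other domain; `dcdiag /s:<dc>` against one of your own DCs, as suggested in the thread, covers the DC-side checks this script does not.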