Trust problem: DNS name resolution works, nltest /dsgetdc fails

Hello,

one AD is at the 2003 forest functional level, the second AD is at the 2008R2
forest functional level. The connection between the two locations is not
limited; all traffic is forwarded to the remote location.
We want to establish a forest trust between both ADs.

We set up conditional forwarders in both AD DNS servers which point to one of
the DNS servers of the remote AD. Then we could establish a two-way forest
trust created from the 2003 AD, but if we try to verify it from the 2008R2 AD
this fails. If we try to establish the two-way trust from the 2008R2 AD this
also fails (we type in the DNS name of the domain, then are requested to
select the trust type "with Windows domain" because the entered name is not a
valid Windows domain name; after clicking Next the trust wizard stops: could
not find the domain).

Ping (from the 2008R2 location) to the domain FQDN or to the domain NetBIOS
name of the 2003 AD is successful, which means the conditional DNS forwarding
works. But nltest /dsgetdc:domain-fqdn fails (Error with domain controller
name: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN).

A colleague checked the DNS and SRV entries of the remote 2003 AD; these
"seem" to be OK. But anyway, we (the 2008R2 AD) can successfully resolve
(ping the domain name and the domain servers), yet nltest and the trust
wizard don't find the remote domain.

Any hints?

Regards,
Rainer

Did you select a Domain trust, or a Forest trust?

As for DNS resolution between both sides, you have conditional forwarding
setup, which is one way to do it. Did you set the conditional forwarder on
EACH of the DC/DNS servers?

Is one domain or the other possibly single label name?

Are any of the DCs multihomed and/or have RRAS installed?

Are there any ISP's DNS addresses in any of the DCs' IP properties?

Are there any firewall rules between the two locations? If you plan on
setting up firewall rules, note that the use of ephemeral ports changed
between 2003 and 2008. It is suggested to leave it wide open, no rules,
otherwise expect issues.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


Ace,

> Did you select a Domain trust, or a Forest trust?
Forest Trust

> As for DNS resolution between both sides, you have conditional forwarding
> setup, which is one way to do it. Did you set the conditional forwarder on
> EACH of the DC/DNS servers?
The forwarding is "stored in Active Directory" and set to "Replicate to all
DNS servers in the organization"

> Is one domain or the other possibly single label name?
No

> Are any of the DCs multihomed and/or have RRAS installed?
No

> Are there any ISP's DNS addresses in any of the DCs' IP properties?
No

> Are there any firewall rules between the two locations? If you plan on
> setting up firewall rules, note that the use of ephemeral ports changed
> between 2003 and 2008. It is suggested to leave it wide open, no rules,
> otherwise expect issues.
No firewall rules (all ports are open)

Regards,
Rainer

Any hints on my last response?
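A successful ping of the domain FQDN only proves the domain's A record resolves; nltest /dsgetdc and the trust wizard use the DC locator, which needs the SRV records under _msdcs.<domain>, so a 1355 ERROR_NO_SUCH_DOMAIN with working ping usually means those SRV records are not reachable through the forwarder. The following script is an added diagnostic example, not code from the thread; $RemoteDomain and $RemoteDns are placeholder values you replace with the 2003 forest root name and one of its DNS servers.

```powershell
# Added example: check the SRV records the DC locator depends on, first through
# the local resolver (i.e. the conditional forwarder) and then directly against
# the remote DNS server. OK via the remote server but FAIL via the local
# resolver points at the forwarder; FAIL on both points at missing SRV
# registration on the remote DCs (netlogon). Placeholder values below.
param(
    [string]$RemoteDomain = 'remote.example',  # placeholder: 2003 forest root FQDN
    [string]$RemoteDns    = '192.0.2.10'       # placeholder: a DNS server of that forest
)

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteDomain",
    "_kerberos._tcp.dc._msdcs.$RemoteDomain",
    "_ldap._tcp.pdc._msdcs.$RemoteDomain",
    "_ldap._tcp.gc._msdcs.$RemoteDomain"
)

foreach ($name in $srvNames) {
    foreach ($server in @($null, $RemoteDns)) {
        # nslookup is used rather than Resolve-DnsName because it exists on 2008R2.
        $nsArgs = @('-type=SRV', $name)
        if ($server) { $nsArgs += $server }
        $out = & nslookup.exe @nsArgs 2>&1 | Out-String
        $label = if ($server) { "via $server" } else { 'via local resolver' }
        # Windows nslookup prints one "svr hostname = ..." line per SRV answer.
        if ($out -match 'svr hostname') {
            Write-Host "OK   $name ($label)"
        } else {
            Write-Host "FAIL $name ($label)"
        }
    }
}

# Finally ask the DC locator itself, bypassing its negative cache with /force.
& nltest.exe "/dsgetdc:$RemoteDomain" /force
```

Run it on a DC of the 2008R2 forest; if every SRV query fails via the local resolver but succeeds via the remote server, check which DNS server the conditional forwarder actually points to and whether that server is authoritative for the _msdcs zone.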
