Creating a two way trust

I'm setting up a test domain and was wondering which is the preferred method for going about the DNS setup before creating the trust? Ive read somewhere that it's possible to either..

a) export the zones require by right clicking the zones in DNS, then exporting, then simply reimporting into secondary zones in the opposite domain.

b) manually creating the records in the primary zones in each domain.

c) create forwarders in the DNS console for the other external IP address of the opposite domain.

I'm guessing a is the best way to do this?

Find more posts tagged with

Comments

mr2nut

I've managed to do it by simply added IP addresses into the forwarders tab in each DNS console. I had 2 Servers, one with 10.0.0.1 with domain called testdomain1.local and the other other with 10.0.0.2 with domain called testdomain2.local just for test purposes.

It was good to just get the feel of creating the forest trust, and I have assigned permissions to admins in the opposite domain and have delegated control to OUs etc.

The only thing is, replication doesn't take effect with a two-way forest trust does it? I was hoping that users I created in testdomain1 would replicate to testdomain2, or does that have to be set up manually afterwards? Or should I have set the other domain up as a site instead of doing a two-way trust?

sprkymrk

A trust doesn't replicate anything, it just lets you share resources from one domain to another. Users in domainA do not have accounts in domainB, and users in domainB do not have accounts in domainA. However, an administrator can make a share, printer, or whatever in domainA available to users in domainB, and vice-versa.

And whether you set up a site vs. domain depends on what you want you want to accomplish.

mr2nut

sprkymrk wrote:

A trust doesn't replicate anything, it just lets you share resources from one domain to another. Users in domainA do not have accounts in domainB, and users in domainB do not have accounts in domainA. However, an administrator can make a share, printer, or whatever in domainA available to users in domainB, and vice-versa.

And whether you set up a site vs. domain depends on what you want you want to accomplish.

Ahh, that would explain it. In that case, everything I have done within the trust has worked flawlessly then which is good..

So lets say you have 2 companies, 1 called domain1 one called domain 2

I want replication to occur for all user objects created in either domain. Would you need to set up both sites as seperate domains and put a site link through Active Directory, or is replication from one domain behind one external IP to another domain behind another external IP? This is the bit that is confusing me a little.

aordal

Domains wont replicate their objects to each other, that's by design. If you have 2 companies and you merge them into 1 forest you can setup a trust so you can share resources. But all the objects will remain in their respective domains.

If you want all objects from both companies to be under 1 domain then you need to move all the objects from domain 2 into domain 1. You can make each location a separate Site.

p.s. Two way trust means that domain 1 trusts domain 2 and domain 2 trusts domain 1. It has nothing to do with replication.

royal

You would never do option A or B. Those are ridiculous options. You'd always do a forwarder or a stub zone when you want to create a trust. The only thing a trust will do is allow Kerberos/NTLM from one domain to pass through to the trusted domain and vice versa depending if it's a two-way trust or a one-way trust. Replication does not occur at all over trusts.

As for replication, the following partitions exist within Active Directory:
Schema
Configuration
Domain
DomainDNSZone (Server 2003/2008 only)
ForestDNSZone (Server 2003/2008 only)

All domain controllers in an entire forest get a Read-Only copy of the Schema partition. Only the Schema master has read/write.

All domain controllers in an entire forest get a read/write copy of the Configuration Partition

All domain controllers in a domain get a read/write of the domain partition.

Replicating to other domain controllers depends on whether they're part of the same site or not. Intrasite replication happens every 15 seconds with a 3 second offset in Server 2003 as long as they were installed fresh as Server 2003. Server 2003 systems that were upgraded from Windows 2003 have a 5 minute replication time with a 45 second offset until you upgrade your Forest Functional Level to Windows 2003 which forces it back down to 15 seconds with a 3 second offset.

Intersite replication happens by default every 3 hours. I've found that most people put it down to 15 minutes which is the minimum.

So taking the above into consideration, if all DCs are in the same site, they'll get replication rather fast and get a copy of all the above partitions. The Knowledge Consistency Checker runs every 15 minutes and looks at the AD topology and automatically generates connection objects which determines the replication partner.

For intersite replication, 1 bridgehead server from every site from every domain will be designated as the intersite bridgehead. It determines the bridgehead based on GUID.

So what replicates where and how often depends on the Site Link architecture. Take a look at my stickies and you'll learn quite a bit more about what I wrote above.

mr2nut

As always, cheers for the great responses guys. I'm now starting to get my head around this and now have a fully working two-way trust between domain1 and domain2.

If I for example, have one office in Leeds (headquarters, domain called Leeds) and one in Manchester (branch office, domain called Manchester), but both are in a standard class C range, if I wanted automated replication to happen, would I need to add the Manchester office into the Leeds domain as a site?

dynamik

You have two domains with a single site in each domain? As stated earlier, you have nothing to replicate (unless you have multiple DCs at each site, then you'd simply have intra-site replication between the DCs). If you wanted to setup replication for off-site redundancy and availability, you'd need to create an additional site for each domain and put a DC in those.

mr2nut

I know it seems like i'm not making sense, but i'll try put it another way (damn internet is so hard to explain things sometimes!

)

Lets say I have users who go between the Leeds and Manchester offices, and want to use the same username and password and have the same rights in both locations. It wouldn't exactly be hard to create two users with the same logons and passwords, but say for lazyness purposes, if I were to create a user in Leeds, how could I get it to replicate to Manchester for example without any manual input?

aordal

If you have a 2 way trust setup they can just login to their regular domain account no matter which site they are connected to. This is because the GC is replicated throughout the forest.

You don't need 2 sets of accounts. They would still be logging into their own domain even though they were connected in a site where there was no DC for their domain.

mr2nut

I think I may have looked too much into the whole site thing. Am I right in thinking that sites are only used within one domain? I really need to see some of this in production, I cant get my head around this stupid damn book

aordal

You can have as many domains in a site as you want.

If it makes you feel better, I suck at PKI.

dynamik

mr2nut wrote:

I think I may have looked too much into the whole site thing. Am I right in thinking that sites are only used within one domain? I really need to see some of this in production, I cant get my head around this stupid damn book

Are you using virtualization to lab things up? If so, what software are you using? With workstation, I can create slower links, such as 256k, 512k, etc. and simulate multiple sites like that.

aordal wrote:

You can have as many domains in a site as you want.

Think of sites as physical locations. They're not logical entities like domains and OUs. You can also have multiple sites per domain.

aordal wrote:

If it makes you feel better, I suck at PKI.

My PKI is weak as well. I just started reading this: http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210/ref=sr_1_1?ie=UTF8&s=books&qid=1227630411&sr=8-1

I found the best price at half.com (used).

mr2nut

dynamik wrote:

mr2nut wrote:

I think I may have looked too much into the whole site thing. Am I right in thinking that sites are only used within one domain? I really need to see some of this in production, I cant get my head around this stupid damn book

Are you using virtualization to lab things up? If so, what software are you using? With workstation, I can create slower links, such as 256k, 512k, etc. and simulate multiple sites like that.

aordal wrote:

You can have as many domains in a site as you want.

Think of sites as physical locations. They're not logical entities like domains and OUs. You can also have multiple sites per domain.

aordal wrote:

If it makes you feel better, I suck at PKI.

My PKI is weak as well. I just started reading this: http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210/ref=sr_1_1?ie=UTF8&s=books&qid=1227630411&sr=8-1

I found the best price at half.com (used).

So, for example, lets say I had just ONE office. I would never create sites as it's a pointless exercise as replication is done anyway? But if I had TWO offices, one in London and one in Manchester for example, but they were both under the same domain name (example.com), I would create a site for each location and create a subnet for each location?

I have found that if both different sites are using the same subnet (ie. London is on 10.0.0.x and Manchester is on 10.0.0.x) you can't add them to the sites so am I right in thinking that sites have to be on complete different subnets, right?

My PKI is quite poor too but it can't be all that bad as i've just managed to get through 293 with a 769 which isn't too bad. p.s. soz for all the random posts on this topic, I just find it hard to understand some stuff without being shown on a live setup

meadIT

Yes, you can have multiple subnets per site, but you can assign a subnet to two different sites.

aordal

Well first off, every domain has at least 1 site. So even if you had just 1 domain in only 1 building everything would belong to that site. You wouldn't have to bother with making subnets for that site though because everyone would all default to the same site.

Now in your example of having 2 locations and 1 domain then yes it would make sense to make 2 sites. And yes you need to make sure each site has a different subnet. You'll have lots more poblems than AD replication if you don't. DNS will be broke, duplicate IPs on a network, it would just be bad. But ya, then you'd assign site specific subnets to the site.

mr2nut

aordal wrote:

Well first off, every domain has at least 1 site. So even if you had just 1 domain in only 1 building everything would belong to that site. You wouldn't have to bother with making subnets for that site though because everyone would all default to the same site.

Now in your example of having 2 locations and 1 domain then yes it would make sense to make 2 sites. And yes you need to make sure each site has a different subnet. You'll have lots more poblems than AD replication if you don't. DNS will be broke, duplicate IPs on a network, it would just be bad. But ya, then you'd assign site specific subnets to the site.

It's starting to make more sense now (at last!) Also, which server would you do all the site setup on, would it need to be the first network you set up... or would any location be fine since it replicates anyway?

One other q if you don't mind

Since I have only logged my domain controllers into a .local domain on my single LAN, i've not managed to log one onto a domain over the net before. I'm guessing though, that all I would need to do, is put the main offices static external facing IP in the DNS forwarders list on the domain controller in the other site that I am about to log onto the domain. It would then forward the request onto that IP when it can't find the domain I specify locally?

aordal

You can do the AD Sites & Services on any DC. IRL setting up 2 sites is more difficult than just slapping your public IP into your DNS forwarders list. First of all, odds are that public IP isnt a DNS server. And if it is, you have uh lot of security issues.

Usually sites are connected by either a VPN or through a dedicated WAN. If the the 2 sites are 2 different domains, first you get your network up. Once the network itself is up then you can use the internal IP address of your DNS servers and put them on your forwards tab. Does that make sense?

dynamik

You should probably review this: http://technet.microsoft.com/en-us/library/cc754697.aspx

+1 for authenticating via a VPN. You really don't want that traffic going over the internet.

royal

dynamik wrote:

+1 for authenticating via a VPN. You really don't want that traffic going over the internet.

Definitely a +1 on that. You'd always want the traffic over VPN if you don't care too much about the latency or a dedicated WAN if you need good latency between your sites for things such as stretched site Clusters, video, audio, etc....

mr2nut

Cheers for link Dynamic

As for the VPN suggestion... I normally use Draytek 2800 routers using the LAN to LAN feature with ideally L2TP. I assume if I turned on the 'always on' option, this would work a treat for the site-to-site replication?