Troubleshooting a cross-forest trust in Active Directory


Gary Olsen, Contributor
03.25.2008
Errors are likely to occur when creating, validating or using a cross-forest trust. Typical errors you'll see are "unable to contact the domain" or "domain is not available."

The first thing to check is DNS. Let's go back to a scenario created in a previous article on how to create a cross-forest trust in Active Directory:

Let's consider two forests, Corp.net and ABC.com. There is a child domain, NA.corp.net, in the Corp.net forest, but ABC.com is a single domain forest. Our goal will be to create a two-way trust between the Corp.net domain and the ABC.com domain. Because it's a transitive trust, the NA domain will be able to use the trust as well.

In that scenario, secondary zones or conditional forwarders that point to the other domain/forest should have been created. For example, define a secondary zone for ABC.com on the Corp.net DNS servers and vice versa.

To test DNS, try the following:

Next, verify the trust in the Active Directory Domains and Trusts snap-in. Right-click the domain icon, and on the Trusts tab select the trust and click Properties. In the Properties dialog, click the Verify tab. If the trust is created but can't be validated, delete both sides of the trust and recreate it. The error can often be corrected in this manner.

If the trust is created and validated but you can't do trusted operations, such as logging in across the trust or finding users in the other forest, check the system time in both forests. The system time on the PDC in the root domain of each forest must be synchronized. You can do this manually or configure them to point to an external time source.

Perform the following operations to verify functionality of the trust:

It is important to note that when you create a trust, you determine the level of security you want. That is, you can have it wide open so that authenticated users in one forest have the same rights as authenticated users in the other, or you can set it so that you must explicitly grant access to resources in the other domain. This can be changed after the trust is built via the trust wizard.

Also make sure the time is synchronized in the domains. Even if a trust is created successfully, the trust will fail if the time gets out of sync. The best way to prevent this is to set the root domain PDC of each forest to point to the same external time source. Remember, however, that Kerberos tickets are not encrypted going across a cross forest trust.
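The checks above (DNS for the other forest, trust validation and its security level, and PDC time skew) can be run from one PowerShell script. This is an added example, not from the original tip; it assumes it runs on a Corp.net DC or admin box with RSAT's ActiveDirectory module, and that the forest names and the 5-minute skew limit are placeholders for your own environment.

```powershell
param(
    [string]$LocalForest  = 'corp.net',   # assumption: forest names from the article's scenario
    [string]$RemoteForest = 'abc.com',
    [int]$MaxSkewSeconds  = 300           # Kerberos default clock-skew tolerance is 5 minutes
)
Import-Module ActiveDirectory

# 1. DNS: the other forest's DC-locator SRV record must resolve from this side.
#    If it does not, fix the secondary zone / conditional forwarder before anything else.
$srvName = "_ldap._tcp.dc._msdcs.$RemoteForest"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    $targets = ($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
    Write-Host "DNS OK: $srvName -> $targets"
} catch {
    Write-Warning "DNS FAIL: cannot resolve $srvName ($($_.Exception.Message))"
}

# 2. Trust: show direction/transitivity/selective authentication, then verify the
#    secure channel. A created-but-unverifiable trust is what the tip says to recreate.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object for $RemoteForest exists in $LocalForest"
} else {
    $trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication | Format-List
    & netdom trust $LocalForest /domain:$RemoteForest /verify | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Trust verify OK" }
    else { Write-Warning "Trust verify FAIL (netdom exit $LASTEXITCODE): delete both sides and recreate" }
}

# 3. Time: measure this host's offset to each forest-root PDC; the difference between
#    the two offsets is the PDC-to-PDC skew that breaks Kerberos across the trust.
function Get-OffsetSeconds([string]$Computer) {
    $line = w32tm /stripchart /computer:$Computer /samples:3 /dataonly |
            Select-String ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($line) { [double]$line.Matches[0].Groups[1].Value } else { $null }
}
$localPdc = (Get-ADDomain -Identity $LocalForest).PDCEmulator
$m = nltest /dsgetdc:$RemoteForest /pdc | Select-String 'DC:\s*\\\\(\S+)'
$remotePdc = if ($m) { $m.Matches[0].Groups[1].Value } else { $RemoteForest }  # fall back to any DC
$o1 = Get-OffsetSeconds $localPdc
$o2 = Get-OffsetSeconds $remotePdc
if ($null -eq $o1 -or $null -eq $o2) {
    Write-Warning "Could not sample time from $localPdc / $remotePdc (check RPC/NTP reachability)"
} elseif ([math]::Abs($o1 - $o2) -gt $MaxSkewSeconds) {
    Write-Warning ("Time FAIL: PDCs differ by {0:N1}s; point both at the same external source" -f ($o1 - $o2))
} else {
    Write-Host ("Time OK: PDC skew {0:N3}s" -f ($o1 - $o2))
}
```

Run it from each forest in turn; a trust that verifies from one side only usually means the other side's DNS or trust password is the problem.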

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He wrote Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Windows Server-File Systems.

