I set up a two-way external trust between my newly created W2K8 domain in a
new forest and a W2K child domain in an existing forest. Everything seems to
be working fine, my trust is up and running and verifies OK. Cross-domain
authentication etc. works fine. I have a secondary DNS zone copy from the
other trusted domain hosted on each side.
The problem is that when using AD-UC and trying to retrieve a user's
membership, I get the following message:
"A global catalog (GC) cannot be contacted. A GC is needed to list the
object's group memberships. The GC may be temporarily unavailable. Or, if
your enterprise does not have an Active Directory Domain Controller
configured as a GC, then one should be configured. Contact your system
administrator for assistance."
I suspect that this is because the secondary zone copied from the W2K child
domain DNS doesn't contain the GC folder in the _MSDCS.childdom.com; this
info is part of the root domain.
Background Info:
'Old' forest:
Root domain: company.ORG, hosting its own DNS, All DCs W2K3
child domain: childdom.COM, hosting its own DNS, DCs are W2K, in the process
of being upgraded to W2K3 DCs
As you can see, the forest has a disjoint namespace between the root domain
and child domain. The child domain has a Secondary zone copy of the root
domain (company.ORG).
'New' forest:
Single domain, newdom.COM, hosting its own DNS
My question is, how do I get the DCs in the W2K8-domain to be able to find
the GCs for the W2K child domain?
Any ideas? Thanks, guys.
L.
In news:3AB82AF6-B73E-4AB9...@microsoft.com,
LAban24 <LAb...@discussions.microsoft.com> wrote:
> Hi there!
>
> I set up a two-way external trust between my newly created W2K8
> domain in a new forest and a W2K child domain in an existing forest.
> Everything seems to be working fine, my trust is up and running and
> verifies OK. Cross-domain authentication etc. works fine. I have a
> secondary DNS zone copy from the other trusted domain hosted on each
> side.
>
> The problem is that when using AD-UC and trying to retrieve a user's
> membership, I get the following message:
>
> "A global catalog (GC) cannot be contacted. A GC is needed to list the
> object's group memberships. The GC may be temporarily unavailable.
> Or, if your enterprise does not have an Active Directory Domain
> Controller configured as a GC, then one should be configured. Contact
> your system administrator for assistance."
>
> I suspect that this is because the secondary zone copied from the W2K
> child domain DNS doesn't contain the GC folder in the
> _MSDCS.childdom.com; this info is part of the root domain.
>
> Background Info:
>
> 'Old' forest:
> Root domain: company.ORG, hosting its own DNS, All DCs W2K3
> child domain: childdom.COM, hosting its own DNS, DCs are W2K, in the
> process of being upgraded to W2K3 DCs
This is not a child domain; a child domain is in the same tree as its
parent. I don't believe Active Directory will allow you to create a
multi-label child domain (I must admit I've never tried). I believe that
what you created was a new domain (tree) in an existing forest. In any case,
the Global Catalog records are Forest records.
> As you can see, the forest has a disjoint namespace between the root
> domain and child domain. The child domain has a Secondary zone copy
> of the root domain (company.ORG).
>
> 'New' forest:
> Single domain, newdom.COM, hosting its own DNS
>
>
> My question is, how do I get the DCs in the W2K8-domain to be able to
> find the GCs for the W2K child domain?
All Global Catalog records are registered in the Forest Root domain zone in
Win2k. Win2k3 and later moved the GC records to a separate _msdcs.forestroot
zone, but they are still registered under the forest root domain. So you can
use a conditional forwarder to the forest root domain and the DNS that holds
the Forest Root domain records.
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
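
The conditional-forwarder approach suggested in the reply above, as an added example that is not part of the original thread: a batch script for a DNS server in the new forest (newdom.COM) that forwards the forest root zone company.ORG and then checks that the GC locator records resolve. The address 192.0.2.10 is a placeholder for a DNS server hosting the forest root zone, and the use of `dnscmd`, `nslookup` and `nltest` (Windows Server DNS and support tools) is an assumption about what is installed.

```bat
@echo off
rem Added example, not from the thread. Run from an elevated prompt on a
rem DNS server (DC) in the new forest.
rem ASSUMPTION: 192.0.2.10 is a placeholder; replace it with the address of
rem a DNS server that hosts the forest root zone.
set ROOT=company.org
set ROOTDNS=192.0.2.10

rem 1. Baseline: query the local DNS service for the forest-wide GC records.
rem    Before the forwarder exists these lookups are expected to fail.
nslookup -type=SRV _gc._tcp.%ROOT% 127.0.0.1
nslookup -type=SRV _ldap._tcp.gc._msdcs.%ROOT% 127.0.0.1

rem 2. Add a conditional forwarder for the forest root zone. Names below it,
rem    including _msdcs.%ROOT%, are then sent to the forest root DNS server.
dnscmd /ZoneAdd %ROOT% /Forwarder %ROOTDNS%

rem 3. Clear cached negative answers and repeat the lookups. Each should now
rem    return SRV records on port 3268 naming the GCs of the old forest.
dnscmd /ClearCache
nslookup -type=SRV _gc._tcp.%ROOT% 127.0.0.1
nslookup -type=SRV _ldap._tcp.gc._msdcs.%ROOT% 127.0.0.1

rem 4. Ask the DC locator for a GC in the old forest, bypassing its cache.
nltest /dsgetdc:%ROOT% /gc /force
```

If step 3 still returns nothing, check that the forwarder target answers recursive queries from this server and that TCP/UDP 53 is open between the two forests.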