Forest Trust: Between two Forests – RED.COM & PINK.ORG


  Scenario:


In our organization for every location there are one single domain forest. For example, for Kolkata it RED.COM & for Jaipur it is PINK.ORG. Now the company management want to introduce SCCM & its main server should be in Jaipur (PINK.ORG) & a Site Server in Kolkata (RED.COM) for patch management & other deployments. Hence need to establish Forest Trust between two domains. Both domains have Forest & Domain Functional Level Windows Server 2008R2.

Pix 01: Trust

Challenges:


£  In PINK.ORG (Jaipur) DNS, RED.COM (Kolkata) Primary Zone is there, it is created long back & several manual host entries are there. Primary Zone need to convert into Secondary Zone.
£  Establish Two Way Forest Trust between PINK.ORG & RED.COM.

To achieve this DNS name resolution between two forests is must & name resolution can be possible in different way –          i) Secondary Zone creation
ii) Stub Zone
iii) Conditional Forwarding.

In this scenario best option is Secondary Zone creation for each Forest DNS Servers. Because neither Stub Zone nor Conditional Forwarder can allow manual host entry.

Pix 02: RED.COM is the Primary Zone

Conversion of Primary Zone to Secondary Zone:


1.    Export the RED.COM Zone data in txt file & keep intact.


Pix 03: Backup of Primary Zone

2.    Go to RED.COM Zone under PINK.ORG Forward Lookup Zone > Click on “Change”> Select “Secondary Zone” > Set the Master Server for RED.COM Zone.
3.    After successful Zone transfer, secondary RED.COM zone at PINK.ORG dns shows all the zone data.
4.    Those entries are not showing in RED.COM Secondary Zone, do it manually at its master server (RED.COM/10.10.10.10).
5.    Create a Secondary Zone/Stub Zone of PINK.ORG at RED.COM dns.

              
Pix 04: Conversion of Primary to Secondary Zone

Check name resolution fom both Domains:


Pix 05: Check name resolution

Establish Trust Relation between two Domains/Forest:


Go to Active Directory Domains & Trusts  > Trusts > New Trust > Select “Forest Trust” > Select direction of trust “Two way” > Type Administrator ID & Password for the domain which become trusted (i.e. BLUE.COM) > Select “Forest-wide authentication” > Forest Trust created.

Note: If name resolution have issue from any of the participating domains, the “Forest Trust” option at New Trust wizad will not show.

Pix 06: Step -1

Pix 07: Step- 2

Pix 08: Step-3

Pix 09: Step- 4

Pix 10: Step- 5

Pix 11: Step- 6

Pix 12: Step-7

Pix 13: Step- 8

Pix 14: Step- 9

Pix 15: Step- 10

Check also from RED.COM

Pix 16: Forest Trust established

Verify the Trust Relation:


nltest /trusted_domains
netdom query trust /domain:<trusted domains>

Pix 17:  Verify Trust Relation

Validate the trust through GUI: Most reliable & authenticate


Go to  “Active Directory Domains & Trusts” > Select “Domain” (i.e. PINK.ORG) >Properties > Trusts > Select “Trusted Domain” (i.e. RED.COM) > Properties >Validate > Put Admin ID & Password for Trusted Domain > OK

Pix 18: Validation of Trust Relation

Pix 19: Trust validated

Trivia:


Trusted Domain Object (TDO) is created under System container for each trust.


Pix 20: TDO Object

Reference link:


https://www.petri.com/configure-dns-enable-trust-two-active-directory-forests
https://social.technet.microsoft.com/wiki/contents/articles/50969.active-directory-forest-trust-attention-points.aspx
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)?redirectedfrom=MSDN

Popular posts from this blog

Google Chrome Bookmark & Homepage through GPO

Image
Goals: We need to create a GPO for Google Chrome Bookmarks & home page/landing page. Under the bookmarks, few URLs would be there. It will be easy for users to access these url/site. Also by home page – most useful/frequently open site can be set, so that when user open Google chrome, the page will be displayed first. Gyan: All policy setting for Group Policy Management Console are not readily available. Sometime to manipulate group policy settings for higher version OS (i.e. Screensaver for Windows 10) or third party application (i.e. Google Chrome),we need to download group policy setting supported files – admx (policy settings) along with adml (language suppot). Both files are stored into central storage repository, known as “ Central Store ”. For higher Windows it is “ PolicyDefinitions” – automaticall created when a DC built under C:\Windows\ Process: Incorporate Chrome GPO templates:         1.       To manage...
Read more

File Server Migration: Windows Server 2008R2 to Windows Server 2019

Image
  Scenario:   We have a File Server on Windows Server 2008R2 . The File Server has several departmental shares & it is accessed by the department user only. But among them few have RW (Read & Write) permission, rest have only R (Read) permission. Also every dept. share have disk quota & every authorized user has their shared folder mapped as a network drive in their Windows Explorer. In my environment, I have implemented the procedure for 15 different departmental share folders accessing different departments consist of 10-30 users each dept & each shared folder volume is 100 GB to 500GB. Challenges: 1 .       Migrated Share Folders must have the same level of permission as on W2008 Server. 2.        Several Disk quota templates need to export to new W2019 to minimized the effort.   Users should be transparent to this migration & their acce...
Read more

DNS Server IP Address change in Client Systems through Group Policy

Image
  Scenario: Recently our network team, restructure IP segments & it is recommended to change the IP address of our DNS server. It is an AD integrated DNS server & around 1000 desktops & laptops are in the network – all have static IP addresses. We need to change the DNS IP for all the systems. Procedure: We can change the DNS IP through Group Policy with the help of a simple *.bat file. We will apply the GPO in Startup as Computer base policy. But here tricky part is, we need run the batch file in "Run as Administrator" mode. Most of the Computer-based Startup GPO is not run in normal mode. The batch file as below, suppose it name DNSIP_Change.bat   :   Replace your DNS Server “ set dnsserver=X.X.X.X ” @echo off set dnsserver=10.10.10.31 set dnsserver2=10.10.10.30 for /f "tokens=1,2,3*" %%i in ('netsh interface show interface') do (   if %%i EQU Enabled (   rem echo change "%%l" : %dnsserver%   netsh interface ...
Read more