DNS and NetBIOS Name Resolution Issues for Creating
External, Realm and Forest Trusts
For all trusts except trusts across forests, you can use and must have correct
DNS or NetBIOS domain names. The DNS servers that the domain controllers in one
forest use may not be able to resolve the DNS names for domain controllers in
another forest. Therefore, for trusts across forests, you must use a DNS name
To establish DNS name resolution between domains and forests, you may have two
options to configure DNS: Conditional forwarders and Secondary zones with zone
transfers enabled. Note: Stub zones can be used to resolve DNS names, but are
less commonly used than secondary zones and conditional forwarders; therefore,
they are not covered in this document.
Case 1: One of our clients has A domain and B as child domain in the same
network. They try to create the domain trust between two domains, but get "The
New Trust Wizard cannot continue because the specified domain cannot be
contacted". I have enabled WINS on both domain controllers and both WINS servers
list all computers and domain controllers. I can ping A domain from domain B and
B domain from Domain A.
Resolution: Configured Forwarders on both domain DNS to add domain B on domain A
DNS server and domain A on domain B.
Note: Based on Microsoft: “The benefit of using a conditional forwarder is that
it is much easier to configure and troubleshoot than a zone transfer. The
process of configuring a conditional forwarder is straightforward: all you need
to know is the DNS domain name of the domain that houses the DNS server that you
are configuring to forward requests and the IP address of the target DNS
Case 2: The client has two domains in different forest. Adding Configured
Forwarders doesn’t work even they can ping each others.
Resolution: Secondary zones with zone transfers enabled.
Note: A conditional forwarder is not an efficient way to keep a DNS server that
hosts a parent zone aware of the authoritative DNS servers for a child zone. If
you use a conditional forwarder, whenever the authoritative DNS servers for the
child zone change, the conditional forwarder setting on the DNS server that
hosts the parent zone must be configured manually with the IP address for each
new authoritative DNS server for the child zone.
Using a secondary zone with zone transfers enabled is beneficial because this
configuration maintains a list of all the authoritative DNS servers for the
secondary copy of the zone, and the list is updated as DNS servers are added and
removed from the target forest or domain. Secondary zones also host a full copy
of the DNS zone.
The drawbacks to using secondary zones with zone transfers enabled are that this
configuration is much more complicated to configure and maintain and you do not
have the direct, point-to-point contact with a DNS server in the target forest
or domain as you do with a conditional forwarder. In addition, with secondary
zones you expose hosts to IP address mappings for all hosts in the zone. This
can expose the domain or forest to security risks due to unauthorized access.