DNS and NetBIOS Name Resolution Issues for Creating
External, Realm and Forest Trusts
For all trusts except forest trusts, you can use either DNS or NetBIOS domain
names, provided the name you use resolves correctly. The DNS servers that the
domain controllers in one forest use may not be able to resolve the DNS names of
the domain controllers in another forest. For a forest trust, therefore, you
must first establish DNS name resolution between the two forests and then
specify the target forest by its DNS name only; a NetBIOS name will not work.
To establish DNS name resolution between domains and forests, you have two
common options for configuring DNS: conditional forwarders, and secondary zones
with zone transfers enabled. Note: Stub zones can also be used to resolve DNS
names, but they are less commonly used than secondary zones and conditional
forwarders; therefore, they are not covered in this document.
Case 1: One of our clients has domain A and domain B as a child domain on the
same network. They try to create the domain trust between the two domains, but
get "The New Trust Wizard cannot continue because the specified domain cannot be
contacted". I have enabled WINS on both domain controllers, and both WINS
servers list all computers and domain controllers. I can ping domain A from
domain B and domain B from domain A.
Resolution: Configured conditional forwarders on both domains' DNS servers: a
forwarder for domain B on domain A's DNS server, and a forwarder for domain A on
domain B's DNS server.
Note: Based on Microsoft: “The benefit of using a conditional forwarder is that
it is much easier to configure and troubleshoot than a zone transfer. The
process of configuring a conditional forwarder is straightforward: all you need
to know is the DNS domain name of the domain that houses the DNS server that you
are configuring to forward requests and the IP address of the target DNS
server”.
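The Case 1 fix, written out as an added PowerShell example. This is not code
from the original article and not the client's actual configuration; the domain
names a.example and b.example and the addresses 10.0.1.10 and 10.0.2.10 are
placeholders. The example also includes the check worth running before starting
the wizard again: a successful ping only proves that the other server's address
is reachable, whereas the New Trust Wizard locates a domain controller through
the DC locator SRV record _ldap._tcp.dc._msdcs.<domain>, so that lookup is what
has to succeed.

```powershell
# Added example, not from the original article. Placeholders:
#   domain A = a.example, DNS server 10.0.1.10
#   domain B = b.example, DNS server 10.0.2.10
# Run in an elevated PowerShell on a DNS server in each domain
# (the DnsServer module ships with the DNS Server role / RSAT-DNS-Server).

# --- On domain A's DNS server: send every query for b.example to B's server.
Add-DnsServerConditionalForwarderZone -Name 'b.example' `
    -MasterServers 10.0.2.10 `
    -ReplicationScope 'Forest'   # store in AD so all DNS servers in the forest get it

# --- On domain B's DNS server: the mirror image.
Add-DnsServerConditionalForwarderZone -Name 'a.example' `
    -MasterServers 10.0.1.10 `
    -ReplicationScope 'Forest'

# --- Verify from domain A (run on 10.0.1.10).
# 1. The forwarder exists and points where you think it does.
Get-DnsServerZone -Name 'b.example' | Format-List ZoneName, ZoneType, MasterServers

# 2. The record the trust wizard actually needs resolves through this server.
#    Ping does not exercise this; a failure here reproduces the wizard error.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.b.example' -Type SRV -Server 10.0.1.10

# 3. The DC locator itself finds a domain controller for B. Success prints the
#    DC name, its address and flags; failure prints status 1355 ERROR_NO_SUCH_DOMAIN,
#    which is the condition behind "the specified domain cannot be contacted".
nltest /dsgetdc:b.example
```

Run the same three checks from domain B against a.example before re-running
the New Trust Wizard; if step 2 succeeds and step 3 still fails, the problem is
no longer DNS (for example, the SRV target hosts do not have A records that the
forwarder can resolve, or a firewall blocks LDAP/Kerberos to the returned DC).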
Case 2: The client has two domains in different forests. Adding conditional
forwarders does not work, even though the domains can ping each other.
Resolution: Secondary zones with zone transfers enabled.
Note: A conditional forwarder is not an efficient way to keep a DNS server that
hosts a parent zone aware of the authoritative DNS servers for a child zone. If
you use a conditional forwarder, whenever the authoritative DNS servers for the
child zone change, the conditional forwarder setting on the DNS server that
hosts the parent zone must be configured manually with the IP address for each
new authoritative DNS server for the child zone.
Using a secondary zone with zone transfers enabled is beneficial because this
configuration maintains a list of all the authoritative DNS servers for the
secondary copy of the zone, and the list is updated as DNS servers are added and
removed from the target forest or domain. Secondary zones also host a full copy
of the DNS zone.
The drawbacks to using secondary zones with zone transfers enabled are that this
configuration is more complicated to configure and maintain, and you do not have
the direct, point-to-point contact with a DNS server in the target forest or
domain that you have with a conditional forwarder. In addition, with secondary
zones you expose the host-to-IP-address mappings for all hosts in the zone to
the server that holds the secondary copy. Unless zone transfers are restricted
to specific servers, the same data is available to anyone who can request a
transfer, which can expose the domain or forest to unauthorized access.
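The Case 2 fix, written out as an added PowerShell example. This is not code
from the original article; as before, a.example/10.0.1.10 and b.example/10.0.2.10
are placeholder zone names and addresses. Two points a practitioner would want
that the case description does not spell out: the transfer is restricted to the
listed secondary server rather than opened to any requester, which is the
mitigation for the exposure described in the last paragraph (Windows DNS
restricts transfers by source address only), and the _msdcs zone is transferred
as well, because on Windows Server 2003 and later a forest root domain's _msdcs
subdomain is normally hosted as a separate zone, so a secondary copy of the root
zone alone carries only a delegation to it.

```powershell
# Added example, not from the original article. Placeholders:
#   forest A root zone a.example, DNS server 10.0.1.10
#   forest B root zone b.example, DNS server 10.0.2.10
# The steps below give A a secondary copy of B's zones; repeat them with the
# roles swapped so that B holds secondary copies of a.example and _msdcs.a.example.

# --- On B's DNS server (authoritative for b.example).
# Allow transfers ONLY to A's DNS server and notify it when the zone changes.
# 'TransferAnyServer' would hand the whole zone to any host that asks.
foreach ($zone in 'b.example', '_msdcs.b.example') {
    Set-DnsServerPrimaryZone -Name $zone `
        -SecureSecondaries 'TransferToSecureServers' -SecondaryServers 10.0.1.10 `
        -Notify 'NotifyServers' -NotifyServers 10.0.1.10
}

# --- On A's DNS server: create the secondary zones and pull them immediately.
foreach ($zone in 'b.example', '_msdcs.b.example') {
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers 10.0.2.10
    Start-DnsServerZoneTransfer -Name $zone -FullTransfer
}

# --- Verify on A.
# 1. Both zones loaded as secondaries from the expected master.
Get-DnsServerZone -Name 'b.example', '_msdcs.b.example' |
    Format-List ZoneName, ZoneType, MasterServers

# 2. The DC locator record is now served locally (relative name inside _msdcs.b.example).
Get-DnsServerResourceRecord -ZoneName '_msdcs.b.example' -Name '_ldap._tcp.dc' -RRType SRV

# 3. The DC locator finds a domain controller for B through this server.
nltest /dsgetdc:b.example

# --- Audit on either server: list primary forward zones and their transfer policy,
# so a zone left at TransferAnyServer does not go unnoticed.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone } |
    ForEach-Object { Get-DnsServerZone -Name $_.ZoneName } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify
```

If step 1 shows the secondary zone but the transfer never completes, check the
master side first: the source address A uses to reach 10.0.2.10 must be the one
listed in -SecondaryServers, and TCP port 53 must be open between the two
servers, since zone transfers run over TCP rather than the UDP used by ordinary
lookups.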