http://support.microsoft.com/kb/179442
I would look here. How to configure a firewall for domains and trusts

Just because you can't ping the endpoint doesn't mean it isn't available. You can do the following if you need to determine if an endpoint is open.

Get a copy of Nmap, or if you have a Linux box you can use tcptraceroute or Nmap also.

To test, you tell Nmap not to ping the host.

nmap -sS -sV -P0 -p- <ip address of endpoint>

(this will do all 65535 ports and tell you what you have open from your system)

tcptraceroute IP_address dest_port

(so if I wanted to tcptraceroute to 123.45.67.89 port 135 I would do the following)

tcptraceroute 123.45.67.89 135

HTH. I think you're up against a FW issue nobody on the other side is telling you about.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081

From: N Parr [mailto:npar...@mortonind.com]
Sent: Tuesday, March 05, 2013 4:29 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

________________________________
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a) DomainA and DomainB are in separate Forests? - Yes

b) Where does the PDCe in DomainA look first for name resolution (itself? Another DNS server?)
Itself (Secondary Forward Lookup Zones created on both sides)

c) The DNS server in (b) - how does it know where to send requests for DomainB? Does it host a secondary copy? You have configured forwarders? You have glue records?
Hosts secondary copy. Tried forwarders, but from what I'm reading you use either a zone or a forwarder, not both. I tried a forwarder anyway and it didn't make a difference. Glue records? I don't think these come into play internally.

d) For the DC in domainB where you are attempting to create the trust: where does it look for name resolution (itself? Another DNS server?)
Can't get to the point of making a trust yet because domainB can't ping domainA.local

e) The DNS server in (d) - how does it know where to send requests for DomainA? Does it host a secondary copy? You have configured forwarders? You have glue records?
Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A. Can't ping domain.local or any host. And if we can't ping domain.local then we can't begin to create the trust. No errors in the event log.

________________________________
From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts

Can you describe the type of lookup failures you are receiving?

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:

I'm having some issues getting DNS to resolve properly on a trust we are trying to set up and it doesn't make much sense why I'm having problems. Domain A can resolve everything on Domain B just fine but Domain B can't resolve Domain A. Both are 08 Domains.
The zones are fully populated and there are no issues replicating records. All the ports are open across the VPN, I can telnet back and forth, I can ping any IP. According to this article I need to make sure my SRV and Host A records are properly created. But we didn't have to do this on Domain A to get it to work. Either way, where am I supposed to create these records? Under my primary Zone? It doesn't give any detail and my Google is failing me.

http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx

Thanks

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
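Added example, not part of the original thread: a PowerShell check, run from a DC in the domain that cannot resolve its partner, that asks a named DNS server for the partner's DC locator SRV record and then tests each returned DC over TCP instead of ping, which is the same idea as the Nmap and tcptraceroute suggestion above. The domain name, DNS server address and port list are assumptions; take the authoritative port list from the KB article linked at the top of the thread.

```powershell
# Added example (not from the thread). Placeholders: $PartnerDomain, $DnsServer.
# $Ports is an assumed list of TCP ports commonly needed between DCs for a trust.
param(
    [string]$PartnerDomain = 'domainA.local',  # placeholder name used in the thread
    [string]$DnsServer     = '192.0.2.10',     # constructed address of the DNS server to query
    [int[]] $Ports         = @(53, 88, 135, 389, 445, 636, 3268, 3269)
)

# DC locator record that must resolve before a trust can be created.
$srvName = "_ldap._tcp.dc._msdcs.$PartnerDomain"

try {
    # -DnsOnly skips LLMNR/NetBIOS so the result reflects DNS alone.
    $answers = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop
} catch {
    Write-Warning "SRV lookup for $srvName via $DnsServer failed: $($_.Exception.Message)"
    return
}

# Keep only the SRV answers and collect the DC host names they point at.
$targets = @($answers | Where-Object { $_.NameTarget } |
             Select-Object -ExpandProperty NameTarget -Unique)

foreach ($dc in $targets) {
    # An SRV record without a matching A record is a common cause of one-way resolution.
    $ips = @(Resolve-DnsName -Name $dc -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
    if (-not $ips) {
        Write-Warning "$dc has an SRV record but no A record on $DnsServer"
        continue
    }

    foreach ($port in $Ports) {
        # TCP connect test; succeeds or fails regardless of whether ICMP is filtered.
        $r = Test-NetConnection -ComputerName $ips[0] -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            IP      = $ips[0]
            Port    = $port
            TcpOpen = $r.TcpTestSucceeded
        }
    }
}
```

A failed SRV lookup points at the zone or forwarder configuration on the queried server, while a resolved name with TcpOpen False on some ports points at filtering along the VPN path.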