Right now, I have three forests I'm trying to create trusts between. Let's call them hopelessn00b.local, hopelessn00b.com and internal.hopelessn00b.com.

I got trusts configured between hopelessn00b.local and hopelessn00b.com, as well as between hopelessn00b.local and internal.hopelessn00b.com, but when I went to set up the trust between hopelessn00b.com and internal.hopelessn00b.com, it bombed out, because hopelessn00b.com cannot contact internal.hopelessn00b.com.

So, I checked DNS, and sure enough, there's no forwarders or stub zones or anything that might tell hopelessn00b.com how to get to internal.hopelessn00b.com. I checked my hopelessn00b.local forest, and it was using a conditional forwarder to reach both the other domains, so I tried to set up a conditional forwarder on hopelessn00b.com with the IPs of my internal.hopelessn00b.com domain controllers. That fails with a "zone configuration error," after telling me that my internal.hopelessn00b.com domain controllers are not authoritative for the internal.hopelessn00b.com domain (they are). I assume that's because internal.hopelessn00b.com is a DNS sub-domain of hopelessn00b.com, even though they're completely different and unrelated AD forests.

Functional levels involved are 2008 R2 and 2012, if it makes a difference (but I don't think it does), and I'd very much like to get these trusts set up so that I can migrate everything off these improperly named forests and then blow them away, so only internal.hopelessn00b.com will remain.
Accordingly, my questions are:

- Is a conditional forwarder the thing I want here, or should I be using something else? (Stub zone, maybe?)
- How do I force (or finesse) hopelessn00b.com into taking my word for it that the DCs for internal.hopelessn00b.com are actually authoritative for internal.hopelessn00b.com?
Best Answer
Since the two domains, even though they are in unrelated AD forests, are part of the same DNS namespace, you must use DNS delegation.
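What that delegation looks like on the hopelessn00b.com DNS server, as an added example that is not part of the answer above. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the child DC names and IP addresses are constructed placeholders to replace with the real internal.hopelessn00b.com domain controllers.

```powershell
# Added example: delegate the internal.hopelessn00b.com sub-domain from the
# parent zone hopelessn00b.com to the DCs of the (unrelated) child forest.
# Run on a hopelessn00b.com DNS server. DC names/IPs below are placeholders.
$ParentZone = 'hopelessn00b.com'
$ChildLabel = 'internal'
$ChildZone  = "$ChildLabel.$ParentZone"

# Name servers authoritative for the child zone (constructed placeholders).
$ChildDCs = @(
    @{ Name = "dc1.$ChildZone"; IP = '10.1.0.10' },
    @{ Name = "dc2.$ChildZone"; IP = '10.1.0.11' }
)

# A delegation cannot share its node with ordinary records in the parent zone,
# so first check nothing exists at "internal" (e.g. leftovers from earlier tries).
$Existing = Get-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel `
    -ErrorAction SilentlyContinue
if ($Existing) {
    Write-Warning "Records already exist at $ChildZone in $ParentZone; review before delegating:"
    $Existing | Format-Table HostName, RecordType, RecordData -AutoSize
}

# Create the delegation: one NS record per child DC plus a glue A record,
# so the parent can hand off queries for *.internal.hopelessn00b.com.
foreach ($dc in $ChildDCs) {
    Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
        -NameServer $dc.Name -IPAddress $dc.IP
}
# On a 2008 R2 DNS server without this module the equivalent is roughly:
#   dnscmd . /RecordAdd hopelessn00b.com internal NS dc1.internal.hopelessn00b.com
#   dnscmd . /RecordAdd hopelessn00b.com dc1.internal A 10.1.0.10

# Verify: the parent zone now lists the delegation ...
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel

# ... and a parent DC answers for child names instead of NXDOMAIN (placeholder
# server name; the trust wizard needs the child forest's SRV/A records to resolve).
$ParentDC = "dc1.$ParentZone"
Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentDC
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ChildZone" -Type SRV -Server $ParentDC
```

The delegation only covers resolution from hopelessn00b.com toward the child; the internal.hopelessn00b.com DCs still need their own path (forwarding or a conditional forwarder) back to hopelessn00b.com for the trust to validate in both directions.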