Windows – How to set up a one way trust when some DCs are firewalled off from each other

active-directory domain-controller windows

I have two Windows 2008 forests in Win2003 mode and I need to set up a one way trust between them. The validation button in Domains And Trusts works in one forest but not in the other.

I think this is because not all DCs can see all the other DCs. I'm not sure if I need to set up the hosts file, so I did so with company.com in the respective domain along with the relevant DC. (Do I need _msdcs, _tcp zones, etc.?)

How do I set up a one way trust when some DCs are firewalled off from each other?

Best Answer

You should only need DNS resolution for the AD domain name itself, not for specific zones or RRs in the zones. You need to isolate the problem to either a name resolution problem (DNS) or a communication problem (firewall).

Rather than using host files, the recommended configuration is to set up conditional forwarders for each domain in the opposing domain's DNS servers (DNS serverA in domainA has a conditional forwarder to DNS serverB for domainB).

From each domain, run nslookup and query for the other domain (domain.tld). Nslookup should return the IPv4 and IPv6 addresses of the DNS servers for that domain (which are probably also the DCs for that domain, unless you've split the DNS role off the DCs). If nslookup works, then DNS resolution is OK and you should look at the firewall as the likely culprit.
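The following is an added example, not part of the question or the answer above. It walks the answer's three steps in PowerShell from a DC in one forest: create the conditional forwarder for the opposing domain, check that the opposing domain name resolves, and then probe the TCP ports a forest trust uses against each DC that resolution returned. The domain name domainB.tld, the DNS server addresses and the cmdlet/dnscmd split are assumptions to replace with your own; the port list is the standard Microsoft trust port list and is not taken from the page. Run it on a DC on each side, because validation from a given side opens connections from that side.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell on a
# DC / DNS server in domainA. All names and addresses below are assumptions.
$RemoteDomain = 'domainB.tld'               # assumed: the opposing forest's root domain
$RemoteDns    = @('10.0.1.10', '10.0.1.11')  # assumed: DNS servers (usually DCs) in domainB

# --- 1. Conditional forwarder for the opposing domain (instead of hosts entries) ---
# Add-DnsServerConditionalForwarderZone needs the DnsServer module (Server 2012+);
# dnscmd.exe is the equivalent on Server 2008. -ReplicationScope Domain stores the
# forwarder in AD so every DNS-hosting DC in domainA gets it, not just this one.
if (Get-Command Add-DnsServerConditionalForwarderZone -ErrorAction SilentlyContinue) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDns -ReplicationScope Domain
} else {
    & dnscmd.exe /ZoneAdd $RemoteDomain /Forwarder $RemoteDns
}

# --- 2. Name resolution: can this box resolve the opposing domain name at all? ---
# Same lookup nslookup does for "domainB.tld"; in AD the A/AAAA records of the
# domain name itself are registered by its DCs, so the answers are DC addresses.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($RemoteDomain)
    $list  = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
    Write-Host "DNS OK: ${RemoteDomain} -> ${list}"
} catch {
    Write-Host "DNS FAILED for ${RemoteDomain}: $($_.Exception.Message)"
    Write-Host 'Fix resolution (forwarder, or TCP/UDP 53 through the firewall) before looking at trust ports.'
    return
}

# --- 3. Firewall: TCP ports a forest trust needs, probed against each resolved DC ---
# Per Microsoft's AD port requirements for trusts. UDP 53/88/389 and the dynamic
# RPC range (49152-65535 on Server 2008 and later) are NOT covered by this probe;
# a blocked dynamic RPC range is a classic cause of "validation works one way only".
$TrustPorts = @{
    53   = 'DNS';   88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    445  = 'SMB (Netlogon / trust setup)'; 464 = 'Kerberos password change'
    636  = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on Server 2008 where Test-NetConnection
    # does not exist. Takes an IPAddress so IPv6 answers get an IPv6 socket.
    param([System.Net.IPAddress]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient($Target.AddressFamily)
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # silently dropped
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($ip in $addrs) {
    foreach ($port in ($TrustPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            DC      = $ip.IPAddressToString
            Port    = $port
            Service = $TrustPorts[$port]
            Open    = Test-TcpPort -Target $ip -Port $port
        }
    }
}
$results | Sort-Object DC, Port | Format-Table DC, Port, Service, Open -AutoSize

# Optional: once DNS and the ports check out, confirm the DC locator (which does
# use the _msdcs/_tcp SRV records, served through the same forwarder) finds a DC.
& nltest.exe "/dsgetdc:${RemoteDomain}" /force
```

A row showing Open = False for 445 or 135 on every DC, while the DNS line says OK, is the answer's "look at the firewall" outcome; if only the DCs behind the firewall show closed ports, either open the listed ports plus the dynamic RPC range to those DCs or make sure the trust-initiating side only ever reaches the DCs that are allowed through.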