Windows Server 2012 – How to set up Domain Controller Trust

domain-controllerdomain-name-systeminternal-dnswindows-server-2012

I'm attempting to set up a test system to replicate the following environment:

Two AD domain controllers serving two separate domains, mycorp.local and mycorp.hq. It's not exposed to the outside world and are on the same network.

I'm trying to set them up so that they trust each other, so that a Windows 8.1 machine that is configured for mycorp.local can have someone from mycorp.hq can log into it.

But when I try to add a trust I get the following message.

Cannot Continue

I'm assuming that it is down to DNS, both Windows Server 2012 machines have a DNS server running on it but how do I add the other domain to my DNS servers so they can resolve the domain name?

Or is there another issue?

Best Answer

You need to set up Conditional Forwarders on each DC/DNS server for the other AD domain.

So the mycorp.local DC/DNS server forwards DNS queries for the mycorp.hq domain to the mycorp.hq DC/DNS server and vice versa.

When setting this up, you can ignore the following error if you are sure that the server allows Zone Transfers for your DNS Server.

enter image description here

Related Solutions

DNS – Optimal Order of DNS Servers for an AD Domain Controller

According to this link and the Windows Server 2008 R2 Best Practices Analyzer, the loopback address should be in the list, but never as the primary DNS server. In certain situations like a topology change, this could break replication and cause a server to be "on an island" as far as replication is concerned.

Say that you have two servers: DC01 (10.1.1.1) and DC02 (10.1.1.2) that are both domain controllers in the same domain and both hold copies of the ADI zones for that domain. They should be configured as follows:

DC01
Primary DNS   10.1.1.2
Secondary DNS 127.0.0.1

DC02
Primary DNS   10.1.1.1
Secondary DNS 127.0.0.1

Configuring a Domain Controller for an Internal Domain in Windows Server 2012

You should own the domain you're using, so in your example, you need to own domain.com. You do not, however, need to create any DNS entries for it, either on your internal LAN or externally.

If you're installing AD from scratch then you can just go ahead and install the AD Domain Services role on your server. You just supply the domain name developer.domain.com as the AD domain name.

You'll be prompted to install DNS as part of the AD installation process, say yes to this offer and it should install DNS and create the appropriate entries for you. DO NOT try and use the ISP's DNS for your domain controller or your clients. You can have your local DNS forward requests to the ISP DNS but the sever and its clients need to use the AD server's own DNS server to find each other for your local network to work properly.

While its possible to do the DNS configuration by hand, if you've never installed AD before then I'd strongly suggest letting the AD install process do this for you then looking at what its done afterwards.

This is all you need to do to create a domain that you can join computers to in a network. There's a lot of "best practice" stuff you should really be doing as well (you really should have more than one DC for a start) but this is the basic 'get you started' level.

You might find this question useful for AD background too.

Best Answer

Related Solutions

DNS – Optimal Order of DNS Servers for an AD Domain Controller

Configuring a Domain Controller for an Internal Domain in Windows Server 2012

Related Topic