Cross Forest Trust Password

Sometimes the cross forest trust between DSfW and AD fails, and a common reason for this failure is the cross forest trust password. By default the Windows server resets the trust password every 30 days. Sometimes the change happens only on the Windows side and the trust object in DSfW does not get the update, leaving the trust broken. Validating and resetting the trust is one way to fix this. Another option is to stop the server from changing the password. This video will show how to validate the trust, reset the password, modify the number of days between password changes, and disable password changes.

How to disable the automatic machine account password changes.

  1. In the registry go to
  2. Change the registry subkey to a value of 1 (the default is 0, which enables password changes; 1 disables them)
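
The following PowerShell is an added example and is not part of the original page or of the DSfW product; it covers the steps listed above (disable the change, lengthen the interval, verify or reset the trust with netdom). The page does not spell out the registry key; the path and the value names `DisablePasswordChange` and `MaximumPasswordAge` used here are the standard Netlogon parameters as the editor knows them, and the domain names are constructed placeholders.

```powershell
# Added example (not from the page): inspect and adjust the Netlogon settings
# behind automatic trust password changes, then check or repair the trust.
# Registry path/value names: standard Netlogon parameters (editor's knowledge,
# not stated on the page). Domain names below are constructed placeholders.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-TrustPasswordPolicy {
    # Read the two values that matter. Absent values mean the defaults apply:
    # changes enabled (0), every 30 days.
    $p = Get-ItemProperty -Path $NetlogonKey
    $disable = 0
    if ($null -ne $p.DisablePasswordChange) { $disable = [int]$p.DisablePasswordChange }
    $age = 30
    if ($null -ne $p.MaximumPasswordAge) { $age = [int]$p.MaximumPasswordAge }
    [pscustomobject]@{
        DisablePasswordChange = $disable
        MaximumPasswordAge    = $age
        ChangesEnabled        = ($disable -eq 0)
    }
}

function Disable-TrustPasswordChange {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Value 1 stops Netlogon from rotating the password (the page's step 2).
    if ($PSCmdlet.ShouldProcess($NetlogonKey, 'Set DisablePasswordChange = 1')) {
        Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value 1 -Type DWord
    }
}

function Set-TrustPasswordAge {
    param([Parameter(Mandatory)][ValidateRange(1, 1000000)][int]$Days)
    # The milder option from the page: keep rotation, but lengthen the interval.
    Set-ItemProperty -Path $NetlogonKey -Name MaximumPasswordAge -Value $Days -Type DWord
}

function Invoke-NetdomTrust {
    param(
        [Parameter(Mandatory)][string]$TrustingDomain,
        [Parameter(Mandatory)][string]$TrustedDomain,
        [Parameter(Mandatory)][ValidateSet('verify', 'reset')][string]$Action
    )
    # "netdom trust <trusting> /d:<trusted> /verify" checks the secure channel;
    # "/reset" sets a fresh trust password on both sides, which is what repairs
    # a trust whose password changed only on the Windows side.
    $output = & netdom trust $TrustingDomain "/d:$TrustedDomain" "/$Action" 2>&1
    [pscustomobject]@{
        Action  = $Action
        Success = ($LASTEXITCODE -eq 0)
        Output  = ($output | Out-String).Trim()
    }
}

# Usage, run elevated on the Windows domain controller (names constructed):
Get-TrustPasswordPolicy
Invoke-NetdomTrust -TrustingDomain 'ad.example.com' -TrustedDomain 'dsfw.example.com' -Action verify
# Only if verify fails:  Invoke-NetdomTrust ... -Action reset
# Then pick one:         Disable-TrustPasswordChange    or    Set-TrustPasswordAge -Days 90
```

Run `Get-TrustPasswordPolicy` first so the current state is on record before anything is changed; `Disable-TrustPasswordChange -WhatIf` shows what would be written. netdom may prompt for, or need `/UserD:` and `/PasswordD:` for, credentials in the other domain when resetting.
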

How to create a cross forest trust

This video will guide you through the creation of a cross forest trust between DSfW and AD.

For more information on creating a cross forest trust, please read through the documentation.

The trust password will change every 30 days by default. Consider disabling the automatic machine password changes or increasing the time before the password is changed. Sometimes when a workstation, or in this case the trust, changes its password, the change does not get set in the directory and the trust relationship is broken. In that case the trust needs to be re-established.

If a trust is removed and then re-established, make sure before creating the trust again that the trust object in cn=users is removed as well. The object will look like a user object with the name of the AD domain followed by a $.
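
Checking for that leftover object before re-creating the trust, as an added PowerShell example (not from the page or from DSfW): it binds to the DSfW LDAP service with the ADSI LDAP provider, searches cn=users one level deep for an entry named `<AD domain>$`, lists what it finds and deletes it only when `-Remove` is given and confirmed. Server name, domain DN, bind DN and the AD domain name are constructed placeholders; that the ADSI LDAP provider can simple-bind to the DSfW server with a DN is an assumption.

```powershell
# Added example (not from the page): find (and optionally delete) a stale
# cross forest trust object left in cn=users on the DSfW side.
# All server/DN/domain values are constructed placeholders.

function Find-StaleTrustObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Server,        # DSfW LDAP server, e.g. dsfw01.dsfw.example.com
        [Parameter(Mandatory)][string]$DomainDn,      # DSfW domain DN, e.g. dc=dsfw,dc=example,dc=com
        [Parameter(Mandatory)][string]$AdDomainName,  # name of the AD domain the trust pointed at
        [Parameter(Mandatory)][string]$BindDn,        # e.g. cn=admin,o=org
        [Parameter(Mandatory)][string]$BindPassword,
        [switch]$Remove
    )
    Add-Type -AssemblyName System.DirectoryServices

    $usersDn = "cn=users,$DomainDn"
    # Simple bind with a DN (AuthenticationTypes.None); assumption: DSfW accepts this.
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$usersDn", $BindDn, $BindPassword,
        [System.DirectoryServices.AuthenticationTypes]::None)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    # The leftover looks like a user named <ADDOMAIN>$; '$' is literal in an LDAP filter.
    $searcher.Filter = "(cn=$AdDomainName`$)"
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    $found = @()
    foreach ($r in $searcher.FindAll()) {
        $found += [pscustomobject]@{
            Path        = $r.Path
            ObjectClass = ($r.Properties['objectclass'] -join ',')
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($r.Path, 'Delete stale trust object')) {
            $r.GetDirectoryEntry().DeleteTree()
        }
    }
    return $found
}

# Usage (values constructed): list first; add -Remove only after reviewing the output.
Find-StaleTrustObject -Server 'dsfw01.dsfw.example.com' -DomainDn 'dc=dsfw,dc=example,dc=com' `
    -AdDomainName 'ADCORP' -BindDn 'cn=admin,o=org' -BindPassword (Read-Host 'Bind password')
```

An empty result means cn=users is clean and the trust can be created again; a non-empty result with an object class that is not a trust object is a sign to look more closely before deleting anything.
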

Good MS documents to help troubleshoot errors:

How to create DNS forwarders

In order to create a cross forest trust, both the DSfW server and the AD server need to resolve each other's domains. The video will show you how to create a forward and reverse forwarder for only the AD zone (domain) to the AD server, and how to put a forwarder on the AD server to the DSfW DNS server.
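
The Windows half of that setup, as an added PowerShell example (not from the page): it creates conditional forwarders on the AD DNS server for the DSfW zone and its reverse zone with `dnscmd`, the tool shipped with Windows 2008R2, and then checks through the local server that the other forest's `_ldap._tcp` SRV record resolves. Zone names and addresses are constructed placeholders; the DSfW side (its own DNS console) is not scripted here.

```powershell
# Added example (not from the page): conditional forwarders on the Windows DNS
# server pointing at DSfW, plus a resolution check in each direction.
# Zone names and IP addresses are constructed placeholders.

function ConvertTo-ReverseZoneName {
    param([Parameter(Mandatory)][ValidatePattern('^\d{1,3}(\.\d{1,3}){3}$')][string]$Network)
    # Class C network to reverse zone: 10.1.2.0 -> 2.1.10.in-addr.arpa
    $o = $Network.Split('.')
    return "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
}

function Add-ConditionalForwarder {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string[]]$MasterServers
    )
    # dnscmd /ZoneAdd <zone> /Forwarder <ip ...> creates a conditional forwarder
    # zone, so only queries for this zone go to the other forest's DNS server.
    & dnscmd /ZoneAdd $Zone /Forwarder $MasterServers | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-ForestResolution {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$DnsServer
    )
    # Both AD and DSfW publish _ldap._tcp.<domain> SRV records for their DCs;
    # resolving it via the given server proves the forwarder path works.
    $out = & nslookup -type=SRV "_ldap._tcp.$Domain" $DnsServer 2>&1
    return (@($out | Where-Object { "$_" -match 'svr hostname' }).Count -gt 0)
}

# Usage on the Windows DNS server (values constructed):
Add-ConditionalForwarder -Zone 'dsfw.example.com' -MasterServers '10.1.2.10'
Add-ConditionalForwarder -Zone (ConvertTo-ReverseZoneName '10.1.2.0') -MasterServers '10.1.2.10'
Test-ForestResolution -Domain 'dsfw.example.com' -DnsServer '127.0.0.1'
# Run the same test from the DSfW side against its DNS server for the AD zone.
```

If the SRV check fails while a plain A record lookup works, the forwarder is fine but the other forest is not publishing its DC records, which breaks trust creation just as surely as a missing forwarder does.
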
How to Create a Forest and DC on Windows 2008R2

Creating an AD forest and domain is easy with dcpromo. Before you start, set the DSfW server as the DNS server on the Windows 2008 server. When the server is promoted to a domain controller, the server listed as the DNS server will be listed as a forwarder.