Premkumar Yogeswaran's Blog

Active Directory | PowerShell | DNS | DHCP | Exchange Server | VM Ware

Posts Tagged ‘Links’

How to create an external trust between two seperate domains/forests

Posted by Premkumar Yogeswaran on April 17, 2012


A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different type of trust like External, Realm, Forest and shortcut. In this article, I am going to talk about external trust. This can be applied in windows 2003 and windows 2008 also using same principle. External trust is necessary when users from two different domain wants to access resources such as printers and file server of two domains. There are few requirements to fulfill this goal.

Both domain controller must ping each other IP. If both domain controller sits in different subnet then proper routing required.

DNS records of both domain controller must be added in both server (Example: DNS record of bollywood.com must be added in desibaba.com and vice versa).

FQDN must be added in both DC (Example: FQDN of dns1.bollywood.com must be added in dc1.desibaba.com and vice versa).

Now dc1 will be able to ping dns1 by name and FQDN. Now ready to create an external trust. However, you still can’t ping by FQDN then type IP of PDC of forest A as secondary/alternative DNS in the TCP/IP property of PDC of forest B. Do vice versa. Now you will be able to ping by FQDN.

One way Trust between two DC. Example: One way trust allows users from dc1 (outgoing) get access to dns1 (incoming) but dns1 doesn’t get access to dc1).

Creating incoming trust in dns1

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

· If you do not want to confirm this trust, click No, do not confirm the incoming trust.

· If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

Creating outgoing trust in dc1

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:

· Click Domain-wide authentication.

· Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

· If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.

· If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

Note : if you want both sides get access to both sides then change that config to two way and set incoming and outgoing in both sides.

Refer the below Link:

http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

Advertisements

Posted in Active Directory, DNS | Tagged: , , | Leave a Comment »

How to migrate Windows 2003 Active Directory to Windows 2008 Active Directory–Step by Step guide

Posted by Premkumar Yogeswaran on April 17, 2012


Microsoft’s new baby in their server family is Windows Server 2008. The Windows Server® 2008 operating system ease operation of IT administrator and enterprise IT planner and designer. Windows 2008 Active Directory got improved roles, AD domain services, federation services, AD rights management services, compliances and BPA. Its time to shift to Windows 2008 Active Directory. In this article, I will show how to migrate from windows 2003 AD to windows 2008 AD.

On Windows Server 2003 DC, insert the Windows Server 2008 DVD, then open command prompt and change directory to d:sourcesadprerp directory. Here D: is my dvd rom drive. In your case do as appropriate. note: you need to log on to windows 2003 domain controller as enterprise admin to run these command.

Now run following command adprep/ forestprep

After finishing forestprep run adprep/ domainprep

adprep/ rodcprep (Optional)

Install windows 2008 server and promote windows 2008 server as additional domain controller in windows 2003 forest

This is a trial version of windows 2008, I do not find any necessity to mention any cd key for this article. If you have proper cd key, you can mention here.

Windows 2008 will ask you to reset password for the first time. note: password complexity is enabled by default.

Now you have completed installing Windows 2008 machine. Log on as an administrator. Add active directory role in windows 2008 server. follow the screenshot as shown below

Mention your existing domain name, provide domain admin credentials to add this server to domain.

A restore password is required in case you need to restore AD.

Now restart windows 2008 server. It takes few minutes to replicate all AD container, AD object and DNS records. I would prefer to wait more then hours and see all the records are available in windows 2008 active directory. or you can force replicate all record if necessary.

Now transfer all the FSMO roles from windows 2003 AD domain controller to windows 2008 AD domain controller. Log on to windows 2003 domain controller as enterprise admin. open command prompt type as follows:

ntdsutil

roles

connections

connect to server WIN2008SERVERNAME

q

Transfer domain naming master

Transfer PDC

Transfer Schema Master

Transfer RID master

Transfer infrastructure master

Now you are ready to demod windows 2003 domain controller. log on to windows 2003 domain controller as domain admin . Open AD sites and services from administrative tools, expand default first site name, expand windows 2003 domain controller, right click on NTDS settings and go to properties. uncheck global catalog, click ok.

open run from start menu type dcpromo

LEAVE THIS ABOVE BOX UNCHECKED, this will enable windows 2003 domain controller transfer all AD database to windows 2008 domain controller.

Click next, provide password and follow next prompt, wait until demotion completed. Restart…. That’s all.

Refer Below Link:

http://araihan.wordpress.com/2009/08/25/migrate-from-windows-2003-active-directory-to-windows-2008-active-directory-step-by-step/

Posted in Active Directory, DNS | Tagged: , , | 1 Comment »