AD DNS configuration for multi forest setup

  • 80 Views
  • Last Post 20 June 2015
ahobbs posted this 18 June 2015

Hey all
We have the following setup.
Forest 1, single domain A - Windows Server 2012 R2 (populated with 2,000 users)
Forest 2, single domain B - Windows Server 2012 R2 (currently empty)
There are no trusts setup between the two forests. 
We need to provision all 2,000 user objects in domain A to domain B. To do this we plan on installing FIM in domain B and create an AD MA to use domain A as the authoritative data source and pull the users into domain B.
We need to configure name resolution between the two forests. We have set both AD domains DNS servers to resolve queries against itself and a secondary DNS server in the same AD site.
What would be the correct way to configure name resolution between the two AD forests. Would I be best creating conditional forwarders? 
Amanda

Patrick posted this 18 June 2015

Why have you not setup a trust relationship?
I am not sure it will work without the forests trusting one another.

kevinrjames posted this 18 June 2015

Ah, but before a trust can be established, name resolution needs to be in place. So conditional forwarders in both directions would be typical. Stub zones or secondary zones would also work. /kj

skradel posted this 18 June 2015

Agreed, conditional forwarders are usually the way to go.
FIM will do fine without any trusts in place, provided DNS and firewall are sorted.
--Steve
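As an added example (not code from the thread), this is what the conditional-forwarder setup Kevin and Steve describe looks like in PowerShell on a Windows Server 2012 R2 DNS server in forest B, followed by the DNS and firewall checks the FIM AD MA depends on. The forest names corp-a.example / corp-b.example and the DNS server addresses are assumptions; the forwarder on the A side is the mirror image of the B-side one.

```powershell
# Added example, not from the original thread.
# Assumed names: forest A = corp-a.example (DNS 10.1.0.10, 10.1.0.11)
#                forest B = corp-b.example (DNS 10.2.0.10, 10.2.0.11)
# Run in an elevated PowerShell session on a DC / DNS server of forest B.
Import-Module DnsServer

$remoteZone = 'corp-a.example'
$remoteDns  = @('10.1.0.10', '10.1.0.11')

# Conditional forwarder for forest A. ReplicationScope 'Forest' stores it in the
# ForestDnsZones partition, so every AD-integrated DNS server in forest B gets it.
Add-DnsServerConditionalForwarderZone -Name $remoteZone `
    -MasterServers $remoteDns -ReplicationScope 'Forest' -PassThru

# The mirror image, run on a DNS server in forest A:
#   Add-DnsServerConditionalForwarderZone -Name 'corp-b.example' `
#       -MasterServers 10.2.0.10,10.2.0.11 -ReplicationScope 'Forest'

# Check 1: the DC locator SRV record of forest A must resolve from forest B.
# This is the record the AD MA (and any trust created later) locates DCs with.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteZone" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC locator records for $remoteZone; forwarder or firewall (UDP/TCP 53) is wrong" }
$srv | Select-Object Name, NameTarget, Port, Priority

# Check 2: the ports the AD MA uses must be reachable from the FIM server to a DC in A.
# 389 = LDAP, 636 = LDAPS (preferred for the MA), 3268 = global catalog.
$dc = ($srv | Select-Object -First 1).NameTarget
foreach ($port in 389, 636, 3268) {
    Test-NetConnection -ComputerName $dc -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

A forwarder created without a replication scope lives only on the server where it was created, so the other DNS servers in the forest would still fail to resolve the remote forest. Since the sync account's credentials and the user attributes cross the forest boundary with no trust in place, configure the AD MA to sign and encrypt its LDAP traffic (or use LDAPS on 636) rather than plain LDAP on 389.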

ahobbs posted this 18 June 2015


Surely you'd need name resolution before you can create a trust? 
The trust is off the table for the moment due to politics.
ahobbs posted this 18 June 2015

Hello Steve/Kevin
That's what we were led to believe. We'll go with conditional forwarders.
Thank you!
Amanda

jeremyts posted this 19 June 2015

You will need a forest-level trust though if you use the FIM Password Change Notification Service (PCNS). An external trust does not work for PCNS. It only has to be a one-way trust, so that domain B trusts domain A, and therefore domain A is trusted by domain B.

I would definitely use conditional forwarders. It's nice and clean that way.

Cheers,
Jeremy
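As an added example (again not from the thread), here is the one-way forest trust Jeremy describes, created from forest B with the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2012 R2, with selective authentication switched on so that principals from forest A get no implicit access to resources in forest B. The forest names, the credential prompt and the hardening choice are assumptions; run it on a DC in forest B once name resolution for forest A works.

```powershell
# Added example, not from the original thread.
# Assumed: forest A = corp-a.example, forest B = corp-b.example, and an account
# with Enterprise Admin rights in forest A (prompted for below). Run on a DC in B.
Add-Type -AssemblyName System.DirectoryServices
$ns = 'System.DirectoryServices.ActiveDirectory'

$cred = Get-Credential -Message 'Enterprise Admin in forest A (CORP-A\user)'
$ctxA = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    'corp-a.example',
    $cred.UserName,
    $cred.GetNetworkCredential().Password)

$forestA = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctxA)
$forestB = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Outbound from B: B trusts A, A is the trusted forest. Because we hold admin
# credentials for both forests, both sides of the trust are created in one call.
$outbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
$forestB.CreateTrustRelationship($forestA, $outbound)

# Hardening (assumption, not required by PCNS): selective authentication means
# accounts from A can only authenticate to computers in B that grant them the
# 'Allowed to Authenticate' right, e.g. the FIM sync server.
$forestB.SetSelectiveAuthenticationStatus($forestA, $true)

# Confirm the trust from B's side and show what was created.
$forestB.VerifyTrustRelationship($forestA, $outbound)
$forestB.GetTrustRelationship('corp-a.example') |
    Select-Object SourceName, TargetName, TrustDirection, TrustType
```

With selective authentication enabled, remember to grant 'Allowed to Authenticate' on the FIM sync server's computer object to the domain A DC computer accounts (PCNS runs on those DCs and has to obtain a Kerberos ticket for the sync service's SPN), otherwise the password notifications will fail even though the trust verifies.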
ahobbs posted this 19 June 2015

Thank you Jeremy. It's something we'll need to consider in the future!
Regards,
Amanda

slavickp posted this 20 June 2015

Sorry for the off-topic, but I'd like to state that I got PCNS working over external trusts for a while. The requirement is Kerberos, which in certain scenarios works over external trusts. I actually used Kerberos realm configuration applied via GPO to remove any unknowns.
Not that anyone would consider external trust as opposed to forest trust nowadays.
Regards
Slav
MCM-DS

jeremyts posted this 20 June 2015

True, I've heard it works, but never tried it, as it's not a path I would ever take unless faced with major push back for political or security reasons in multi-domain forests. It's not an MS recommended/supported config for PCNS.

Cheers,
Jeremy