Okay, time to weigh in here.

You don't need WINS to establish the trust in my experience.  You do need
connectivity though; if your trust is going through a firewall you might
encounter UDP fragmentation, port blocking, etc., so you will want to
force the use of TCP protocol on your DCs for these operations and make
sure your firewall is configured per the various MS KB articles for stable
operations.  The only reason why you might need to host the other zone
either as a secondary is if you feel that referrals will not work (once again
firewalls, or if your AD DNS is split brained, using custom TLD extension,
and your domain isn't registered).

It is best to use an account that has EA privileges on both domains to
establish the trust.  Verify name resolution is working.  Then use the AD
Trust Wizard and have at it.

As to what operations break if you don't have WINS, that is up for a lot of
debate.  What I can say is there are still a lot of MS applications and
network services that do seem to still want to talk to a WINS server.
Unless you are starting 100% from scratch on your domain, you will probably
still be running WINS 50 years from now :-)

Todd Myrick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 31, 2005 10:42 PM
To: [email protected]
Subject: RE: [ActiveDir] _msdcs question

I'm sorry that you felt I was arguing. Didn't mean to argue, just thought
that we were discussing. Let's close it.
 
 
Sincerely,

Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
Sent: Tue 5/31/2005 7:34 PM
To: [email protected]
Subject: Re: [ActiveDir] _msdcs question



I don't want to start an argument here but I have installed Exchange
2003 in a pristine environment with and without WINS.  99% of time it
failed without WINS.

Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+


On 5/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I am with you on that. Which is why I said my suggestion is not a replacement
> for WINS. But, for the items under discussion, I can say "WINS? What WINS?"
>
> Remember our discussion about devolution and DNS Suffixes a while back? This
> is where the concept comes into play. A process is asked to look for, say,
> "Rick", where no WINS exists. It says to itself "Rick is not qualified [1],
> so let me see what I have in my suffix list". It sees "Akomolafe.who,
> Kingslan.what, anyone.no" - in that order. It immediately devolves the lookup
> to "Rick.akomolafe.who". Since "akomolafe.who" has no record of a Rick, the
> process moves on and devolves to "Rick.Kingslan.what" and gets a hit. Some
> milliseconds added to the lookup, yes, but it found the record anyway.
>
> Would WINS have helped? Certainly, IF there is a replication of WINS records
> between the domains in question. If there is no replication, then .....
>
> [1] I know you are qualified, Rick. That was just a figure of speech ;)
>
> Sincerely,
>
> Deji Akomolafe, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Rick Kingslan
> Sent: Tue 5/31/2005 7:00 PM
> To: [email protected]
> Subject: RE: [ActiveDir] _msdcs question
>
>
>
> But, my experiments have shown that though you might be able to get rid of
> WINS for Exchange purposes, the Office team hasn't quite grown past its use.
>
> Outlook (including 2003) has a bit of a hard time finding its mailbox if
> WINS is not active (or, at least an LMHosts file in place).
>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, May 31, 2005 8:45 PM
> To: [email protected]
> Subject: RE: [ActiveDir] _msdcs question
>
> >>>> Exchange also relies on WINS name resolution.  You cannot install
> Exchange without WINS name resolution.
>
> If you mean in a multi-domain environment, yes but.......
>
> You don't need WINS per se. With appropriate DNS suffixes, you can overcome
> the NetBIOS resolution limitations that necessitate the WINS requirement. I
> am not saying don't use WINS or that you can get rid of WINS easily. I am
> just saying that for purposes like these (Exchange install in a multi-domain
> environ, or trust establishment, etc), it is not a necessity IF you do the
> necessary home-work.
>
>
> Sincerely,
>
> Deji Akomolafe, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
> Sent: Tue 5/31/2005 4:59 PM
> To: [email protected]
> Subject: Re: [ActiveDir] _msdcs question
>
>
>
> Deji,
>
> I completely understand your point but from my experience, if you
> don't have NetBIOS name resolution you cannot establish a trust.
> Also, you need to make sure all the required ports are open between
> two Domains.
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;179442)
>
> Exchange also relies on WINS name resolution.  You cannot install
> Exchange without WINS name resolution.
>
> HTH
> Santhosh
>
> Santhosh Sivarajan
> MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
> Houston, TX
>
>
> On 5/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Santhosh, I don't understand the significance of WINS here, as opposed to
> > getting DNS resolution properly working. Since he's on W2K3, wouldn't it be
> > better that he uses a stub of each domain on the other side of the trust (or
> > even cond fwding for that matter)? Just curious.
> >
> > On a similar note, I've noticed that the trust process (and other processes,
> > like Exchange Server Migration in ADMT) uses NetBIOS lookup instead of doing
> > an FQDN lookup. One way I do this is to simply create an A record in MY zone
> > for the DC on the other side. By creating the A record, the query will simply
> > get handed the record for that DC. This works IF the name of the DC on the
> > other side is not the same as the name of any of the DCs in MY domain. Let me
> > explain with an example.
> >
> > MYDomain wants to trust YOURDomain. YourDomain has a DC called YourDC. During
> > the trust establishment process, I see a query for YourDC, which of course
> > does not exist in MyDomain, and because YourDomain is also not on my suffix,
> > no record is located.
> >
> > So, I create an A record for YourDC and give it the true IP of YourDC. So,
> > now the process goes and queries for YourDC (instead of YourDC.YourDomain), it
> > gets resolved to the YourDC that is located in MyDomain, which happens to be
> > the same as YourDC.YourDomain.
> >
> >
> > Deji
> >
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
> > Sent: Tue 5/31/2005 2:07 PM
> > To: [email protected]
> > Subject: Re: [ActiveDir] _msdcs question
> >
> >
> >
> > I don't think you have to do anything with your _msdcs zone.  You have
> > to have WINS name resolution in order to configure the trust.  What is
> > your WINS configuration? Can you ping both Domain DCs using NetBIOS
> > and FQDN?
> >
> > HTH
> > Santhosh
> >
> > Santhosh Sivarajan
> > MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
> > Houston, TX
> >
> >
> > On 5/31/05, Rimmerman, Russ <[EMAIL PROTECTED]> wrote:
> > >
> > > We upgraded our Win2k AD domain to Win2k3 a few months ago.  Now I'm
> > > attempting to set up a two-way trust with an outside Win2k3 domain, and
> > > I found out that _msdcs.company.com in the Win2k3 domain is at the same
> > > level as the company.com zone.  So I found out this means that they
> > > built this as a Win2k3 domain rather than upgrading from Win2k.
> > >
> > > I found http://support.microsoft.com/?id=817470 on how to reconfigure an
> > > _msdcs subdomain to a forest-wide DNS application directory partition
> > > when you upgrade from Win2k to Win2k3, but we haven't done that (didn't
> > > know about it until just now).
> > >
> > > Question is - I want to set up a two-way trust with this win2k3 domain,
> > > but when I set them up as a secondary zone in our empty root domain, we
> > > didn't get the _msdcs data since it's just a grey reference folder
> > > rather than actual data.
> > >
> > > How do I get the two-way trust working?  Do I have to set up two
> > > secondary zones in my empty root domain, one for company.com and one for
> > > _msdcs.company.com?
> > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
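
The suffix-list walk and the A-record workaround described in the quoted messages above, as an added example that is not part of the original thread: a simplified Python model of how a single-label name is resolved. The zone and host names are the illustrative ones used in the thread; the zone contents, the addresses and the function names are constructed assumptions.

```python
# Simplified model of single-label name resolution via a DNS suffix list.
# Constructed sample zones: names are the illustrative ones from the thread,
# addresses are documentation-range placeholders.
ZONES = {
    "akomolafe.who": {"dc1": "192.0.2.10"},
    "kingslan.what": {"rick": "192.0.2.20"},
    "anyone.no": {},
    "mydomain": {"mydc": "198.51.100.10"},
    "yourdomain": {"yourdc": "203.0.113.10"},
}


def lookup_fqdn(fqdn, zones):
    """Return the A record for host.zone, or None when no zone holds it."""
    host, _, zone = fqdn.lower().partition(".")
    return zones.get(zone, {}).get(host)


def resolve(name, suffixes, zones):
    """Try a dotted name as is; append each suffix in order to a bare one.

    Returns (fqdn, address, attempts); fqdn and address are None on a miss.
    """
    candidates = [name] if "." in name else [f"{name}.{s}" for s in suffixes]
    attempts = []
    for fqdn in (c.lower() for c in candidates):
        attempts.append(fqdn)
        address = lookup_fqdn(fqdn, zones)
        if address is not None:
            return fqdn, address, attempts
    return None, None, attempts


def add_a_record(zones, zone, host, address):
    """Copy zones and add one A record, refusing to shadow an existing host."""
    patched = {z: dict(records) for z, records in zones.items()}
    if host.lower() in patched[zone]:
        raise ValueError(f"{host} already exists in {zone}")
    patched[zone][host.lower()] = address
    return patched


if __name__ == "__main__":
    # "Rick" with the three-suffix list: miss on the first suffix, hit on the second.
    print(resolve("Rick", ["akomolafe.who", "kingslan.what", "anyone.no"], ZONES))
    # "YourDC" from MyDomain: no suffix covers YourDomain, so the lookup fails...
    print(resolve("YourDC", ["mydomain"], ZONES))
    # ...until an A record for YourDC is created in MyDomain's own zone.
    patched = add_a_record(ZONES, "mydomain", "YourDC", "203.0.113.10")
    print(resolve("YourDC", ["mydomain"], patched))
```

The guard in `add_a_record` mirrors the condition stated in the thread: the workaround only applies when the remote DC's name does not collide with a host already in the local zone.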