Hello

I'm trying to set up a cross-forest trust in W2K. I have name resolution
working both ways.

The distant Domain B has AD-integrated DNS enabled, forwarding to our UNIX
name servers. It appears that this one was able to contact Domain A to
create the trust.

But when I try to complete the trust relationship on Domain A, adding Domain
B, it fails, saying the domain cannot be contacted. Domain A is not using
AD-integrated DNS, only UNIX DNS.

Do I need to have AD-integrated DNS set up on both sides?

I've tested accessing all the required ports using the portping util and
everything's successful.

Any ideas why I can't establish the trust on the Domain A side to trust
Domain B?


--
Thanks!

Crisoft

Re: Cross Forest Trust by Tesdall

Tesdall
Tue Nov 13 04:08:45 PST 2007

On Nov 12, 5:47 pm, Crisoft <ccisat1...@hotmail.com> wrote:
> Hello
>
> I'm trying to setup a cross forest trust in W2K. I have name resolution
> working both ways.
>
> The distant domainB has AD integrated DNS enabled forwarding to our unix
> name servers. It appears that this one was able to contact Domain A to
> create the trust.
>
> But when I try to complete the trust relationship on Domain A adding Domain
> B it fails saying the domain cannot be contacted. Domain A is not using AD
> integrated DNS only UNIX DNS.
>
> Do I need to have AD integrated DNS setup on both sides?
>
> I've tested accessing all the required ports using the portping util and
> everything's successful.
>
> Any Ideas why I can't establish the trust on the Domain A side to trust
> Domain B?
>
> --
> Thanks!
>
> Crisoft

I had some problems with trusts; there are some things to try, like
LMHOSTS and WINS.


Re: Cross Forest Trust by Paul

Paul
Tue Nov 13 06:03:40 PST 2007

Name Resolution Tests
Windows 2003
Nbtstat -R - Purges and reloads the remote cache name table
Nbtstat -c - Lists NBT's cache of remote [machine] names and their IP addresses

If you would like to test connectivity to validate FRS communication (this
communication is for Windows 2003 to Windows 2003 communications only):
NTFRSUTL version server_name
If the two can communicate through the firewall via FRS, the response
will provide the current version number.

Are high ports open, or have you limited the range via a registry hack for
RPC? If you have a firewall in the way, there is a good chance this is where
your problem resides.

What about forest functional levels?

I have an article on trust troubleshooting between an NT4 and 2003 forest,
but a lot of the items are still the same.

Check it out at:
http://www.pbbergs.com/windows/articles/firewall_trust.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


Re: Cross Forest Trust by ccisat1crc

ccisat1crc
Wed Nov 14 11:57:15 PST 2007

I've used portquery to test connectivity to ports and everything looks good.
Are you supposed to be able to telnet into NetBIOS ports 137, 138? These
won't even answer on the localhost.

I noticed that when I ping the domain name that I'm trying to establish the
trust with, it replies with the IP of the PDC, which is the DC that I've opened
up the connection to use for creating the trust. Would that cause a problem?

Here's my port query.

=============================================

Starting portqry.exe -n ckent -e 135 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

Total endpoints found: 93



==== End of RPC Endpoint Mapper query response ====
portqry.exe -n ckent -e 135 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 389 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 11/14/2007 19:49:19 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820266
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:


currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820269
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========

UDP port 389 is LISTENING

portqry.exe -n ckent -e 389 -p BOTH exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 636 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 636 (ldaps service): LISTENING
portqry.exe -n ckent -e 636 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 3268 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 3268 (unknown service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
dsServiceName: CN=NTDS
Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
defaultNamingContext: DC=mysa,DC=mysahome,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 12820269
supportedSASLMechanisms: GSSAPI
dnsHostName: CKENT.mysa.mysahome.com
ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM
serverName:
CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE


======== End of LDAP query response ========
portqry.exe -n ckent -e 3268 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 3269 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 3269 (unknown service): LISTENING
portqry.exe -n ckent -e 3269 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 53 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 53 (domain service): LISTENING

UDP port 53 (domain service): LISTENING
portqry.exe -n ckent -e 53 -p BOTH exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 88 -p BOTH ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 88 (kerberos service): LISTENING

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n ckent -e 88 -p BOTH exits with return code 0x00000002.
=============================================

Starting portqry.exe -n ckent -e 445 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n ckent -e 445 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 137 -p UDP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...


Name resolved to 192.168.5.18

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

Server's response: MAC address 00d0b7886c92
UDP port: LISTENING
portqry.exe -n ckent -e 137 -p UDP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 138 -p UDP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...


Name resolved to 192.168.5.18

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n ckent -e 138 -p UDP exits with return code 0x00000002.
=============================================

Starting portqry.exe -n ckent -e 139 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 139 (netbios-ssn service): LISTENING
portqry.exe -n ckent -e 139 -p TCP exits with return code 0x00000000.
=============================================

Starting portqry.exe -n ckent -e 42 -p TCP ...


Querying target system called:

ckent

Attempting to resolve name to IP address...

Name resolved to 192.168.5.18

querying...

TCP port 42 (nameserver service): LISTENING
portqry.exe -n ckent -e 42 -p TCP exits with return code 0x00000000.


Thanks!

Crisoft
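
The question about high ports and the "LISTENING or FILTERED" results in the portqry output above can be checked mechanically. The Python code below is an added example, not part of any post in this thread: it parses portqry.exe text output, lists the probes that never received a confirming answer, and collects the dynamic TCP ports the endpoint mapper advertised, which are the ports a firewall between the two forests has to pass. The sample input, the host name dc01, the addresses and the function names are all constructed for this example.

```python
import re

# Constructed sample in the layout portqry.exe printed in the post above;
# the host name, addresses and port numbers are made up for this example.
SAMPLE = r"""
Starting portqry.exe -n dc01 -e 135 -p TCP ...
Name resolved to 192.0.2.10
TCP port 135 (epmap service): LISTENING
Querying Endpoint Mapper Database...
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:\\\\DC01[\\PIPE\\lsass]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:198.51.100.10[1026]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:192.0.2.10[1026]
UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:192.0.2.10[1082]
Total endpoints found: 4
portqry.exe -n dc01 -e 135 -p TCP exits with return code 0x00000000.
Starting portqry.exe -n dc01 -e 389 -p BOTH ...
Name resolved to 192.0.2.10
TCP port 389 (ldap service): LISTENING
UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...
UDP port 389 is LISTENING
portqry.exe -n dc01 -e 389 -p BOTH exits with return code 0x00000000.
Starting portqry.exe -n dc01 -e 88 -p BOTH ...
Name resolved to 192.0.2.10
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n dc01 -e 88 -p BOTH exits with return code 0x00000002.
Starting portqry.exe -n dc01 -e 138 -p UDP ...
Name resolved to 192.0.2.10
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n dc01 -e 138 -p UDP exits with return code 0x00000002.
"""

START = re.compile(r"^Starting portqry\.exe -n (\S+) -e (\d+) -p (\S+)")
RESOLVED = re.compile(r"^Name resolved to ([\d.]+)")
# First verdict for a port, e.g. "UDP port 88 (kerberos service): LISTENING or FILTERED"
STATUS = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (.+)$")
# Follow-up verdict after a protocol-level query got an answer,
# e.g. "UDP port 389 is LISTENING" or "UDP port: LISTENING"
CONFIRM = re.compile(r"^(TCP|UDP) port(?: \d+ is|:) (.+)$")
# Only TCP/IP bindings matter for the firewall; named pipes and LRPC are skipped.
ENDPOINT = re.compile(r"^ncacn_ip_tcp:([\d.]+)\[(\d+)\]")
# portqry exit codes: 0 = listening, 1 = not listening, 2 = listening or filtered
EXIT = re.compile(r"exits with return code 0x([0-9a-fA-F]+)")


def parse_portqry(text):
    """Split portqry output into one record per 'Starting portqry.exe' run."""
    runs, run = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = START.match(line)
        if m:
            run = {"host": m.group(1), "port": int(m.group(2)), "ip": None,
                   "state": {}, "exit": None, "rpc_tcp": {}}
            runs.append(run)
            continue
        if run is None:
            continue
        if (m := RESOLVED.match(line)):
            run["ip"] = m.group(1)
        elif (m := STATUS.match(line)):
            run["state"][m.group(1)] = m.group(3)
        elif (m := CONFIRM.match(line)):
            run["state"][m.group(1)] = m.group(2)  # overrides the first verdict
        elif (m := ENDPOINT.match(line)):
            run["rpc_tcp"].setdefault(m.group(1), set()).add(int(m.group(2)))
        elif (m := EXIT.search(line)):
            run["exit"] = int(m.group(1), 16)
    return runs


def unconfirmed(runs):
    """(protocol, port) pairs whose last reported state is still ambiguous."""
    return [(proto, r["port"]) for r in runs
            for proto, state in r["state"].items()
            if state == "LISTENING or FILTERED"]


def dynamic_rpc_ports(runs):
    """Address -> sorted TCP ports advertised by the endpoint mapper."""
    merged = {}
    for r in runs:
        for ip, ports in r["rpc_tcp"].items():
            merged.setdefault(ip, set()).update(ports)
    return {ip: sorted(ports) for ip, ports in merged.items()}


def extra_addresses(runs):
    """Addresses in endpoint bindings other than the one the name resolved to."""
    resolved = {r["ip"] for r in runs}
    return sorted(ip for ip in dynamic_rpc_ports(runs) if ip not in resolved)


if __name__ == "__main__":
    runs = parse_portqry(SAMPLE)
    print("unconfirmed:", unconfirmed(runs))
    print("dynamic RPC TCP ports:", dynamic_rpc_ports(runs))
    print("other bound addresses:", extra_addresses(runs))
```

A UDP probe that stays at "LISTENING or FILTERED" only means no reply came back, so it does not show that the port is reachable through the firewall.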

Re: Cross Forest Trust by Paul

Paul
Thu Nov 15 06:23:34 PST 2007

Pinging the domain name is going to resolve to a DC; this is expected. Do
an nslookup on your domain name and it should return all the DCs within
your domain.

If I recall correctly, I don't believe 137 and 138 are needed; I believe 445
is what is used.

Are high ports available both ways?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
> rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
> supportedControl: 1.2.840.113556.1.4.319
> supportedLDAPVersion: 3
> supportedLDAPPolicies: MaxPoolThreads
> highestCommittedUSN: 12820266
> supportedSASLMechanisms: GSSAPI
> dnsHostName: CKENT.mysa.mysahome.com
> ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM
> serverName:
> CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> supportedCapabilities: 1.2.840.113556.1.4.800
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
>
>
> ======== End of LDAP query response ========
>
> UDP port 389 (unknown service): LISTENING or FILTERED
>
> Using ephemeral source port
> Sending LDAP query to UDP port 389...
>
> LDAP query response:
>
>
> currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
> subschemaSubentry:
> CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> dsServiceName: CN=NTDS
> Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> defaultNamingContext: DC=mysa,DC=mysahome,DC=com
> schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
> rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
> supportedControl: 1.2.840.113556.1.4.319
> supportedLDAPVersion: 3
> supportedLDAPPolicies: MaxPoolThreads
> highestCommittedUSN: 12820269
> supportedSASLMechanisms: GSSAPI
> dnsHostName: CKENT.mysa.mysahome.com
> ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM
> serverName:
> CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> supportedCapabilities: 1.2.840.113556.1.4.800
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
>
>
> ======== End of LDAP query response ========
>
> UDP port 389 is LISTENING
>
> portqry.exe -n ckent -e 389 -p BOTH exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 636 -p TCP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 636 (ldaps service): LISTENING
> portqry.exe -n ckent -e 636 -p TCP exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 3268 -p TCP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 3268 (unknown service): LISTENING
>
> Using ephemeral source port
> Sending LDAP query to TCP port 3268...
>
> LDAP query response:
>
>
> currentdate: 11/14/2007 19:49:22 (unadjusted GMT)
> subschemaSubentry:
> CN=Aggregate,CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> dsServiceName: CN=NTDS
> Settings,CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> defaultNamingContext: DC=mysa,DC=mysahome,DC=com
> schemaNamingContext: CN=Schema,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> configurationNamingContext: CN=Configuration,DC=mysa,DC=mysahome,DC=com
> rootDomainNamingContext: DC=mysa,DC=mysahome,DC=com
> supportedControl: 1.2.840.113556.1.4.319
> supportedLDAPVersion: 3
> supportedLDAPPolicies: MaxPoolThreads
> highestCommittedUSN: 12820269
> supportedSASLMechanisms: GSSAPI
> dnsHostName: CKENT.mysa.mysahome.com
> ldapServiceName: mysa.mysahome.com:ckent$@MYSA.MYSAHOME.COM
> serverName:
> CN=CKENT,CN=Servers,CN=mysa,CN=Sites,CN=Configuration,DC=mysa,DC=mysahome,DC=com
> supportedCapabilities: 1.2.840.113556.1.4.800
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
>
>
> ======== End of LDAP query response ========
> portqry.exe -n ckent -e 3268 -p TCP exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 3269 -p TCP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 3269 (unknown service): LISTENING
> portqry.exe -n ckent -e 3269 -p TCP exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 53 -p BOTH ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 53 (domain service): LISTENING
>
> UDP port 53 (domain service): LISTENING
> portqry.exe -n ckent -e 53 -p BOTH exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 88 -p BOTH ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 88 (kerberos service): LISTENING
>
> UDP port 88 (kerberos service): LISTENING or FILTERED
> portqry.exe -n ckent -e 88 -p BOTH exits with return code 0x00000002.
> =============================================
>
> Starting portqry.exe -n ckent -e 445 -p TCP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 445 (microsoft-ds service): LISTENING
> portqry.exe -n ckent -e 445 -p TCP exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 137 -p UDP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
>
> Name resolved to 192.168.5.18
>
> querying...
>
> UDP port 137 (netbios-ns service): LISTENING or FILTERED
>
> Using ephemeral source port
> Attempting NETBIOS adapter status query to UDP port 137...
>
> Server's response: MAC address 00d0b7886c92
> UDP port: LISTENING
> portqry.exe -n ckent -e 137 -p UDP exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 138 -p UDP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
>
> Name resolved to 192.168.5.18
>
> querying...
>
> UDP port 138 (netbios-dgm service): LISTENING or FILTERED
> portqry.exe -n ckent -e 138 -p UDP exits with return code 0x00000002.
> =============================================
>
> Starting portqry.exe -n ckent -e 139 -p TCP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 139 (netbios-ssn service): LISTENING
> portqry.exe -n ckent -e 139 -p TCP exits with return code 0x00000000.
> =============================================
>
> Starting portqry.exe -n ckent -e 42 -p TCP ...
>
>
> Querying target system called:
>
> ckent
>
> Attempting to resolve name to IP address...
>
> Name resolved to 192.168.5.18
>
> querying...
>
> TCP port 42 (nameserver service): LISTENING
> portqry.exe -n ckent -e 42 -p TCP exits with return code 0x00000000.
>
>
> Thanks!
>
> Crisoft
>
>
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Name Resolution Tests
>> Windows 2003
>> Nbtstat -R - Purges and reloads the remote cache name
>> table
>> Nbtstat -c - Lists NBT's cache of remote [machine]
>> names and their IP addresses
>>
>> If you would like to test connectivity to validate FRS communication
>> (This
>> communication is for Windows 2003 to Windows 2003 communications only)
>> NTFRSUTL version server_name
>> If the two can communicate through the firewall via FRS the response
>> will provide the current version number
>>
>> Are high ports open or have you limited the range via a registry hack
>> for
>> rpc if you have a firewall in the way this is a good chance where your
>> problem resides.
>>
>> What about forest functional levels?
>>
>> I have an article on trust troubleshooting between an NT4 and 2003
>> forest,
>> but a lot of the items are still the same.
>>
>> Check it out at:
>> http://www.pbbergs.com/windows/articles/firewall_trust.html
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Crisoft" <ccisat1crc@hotmail.com> wrote in message
>> news:925A44DD-0B2E-4F93-9AAB-897283B5C8F1@microsoft.com...
>> > Hello
>> >
>> > I'm trying to setup a cross forest trust in W2K. I have name
>> > resolution
>> > working both ways.
>> >
>> > The distant domainB has AD integrated DNS enabled forwarding to our
>> > unix
>> > name servers. It appears that this one was able to contact Domain A to
>> > create the trust.
>> >
>> > But when I try to complete the trust relationship on Domain A adding
>> > Domain
>> > B it fails saying the domain cannot be contacted. Domain A is not
>> > using
>> > AD
>> > integrated DNS only UNIX DNS.
>> >
>> > Do I need to have AD integrated DNS setup on both sides?
>> >
>> > I've tested accessing all the required ports using the portping util
>> > and
>> > everything's successful.
>> >
>> > Any Ideas why I can't establish the trust on the Domain A side to trust
>> > Domain B?
>> >
>> >
>> > --
>> > Thanks!
>> >
>> > Crisoft
>> >
>>
>>
>>
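
An added example, not part of any post in this thread: a small Python parser that reduces a portqry.exe log like the one quoted above to one verdict per port, so results still reported as "LISTENING or FILTERED" (the state a firewall drop also produces) stand out. The sample log is constructed, and the host name `dc1` and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the portqry.exe log quoted in this thread
# (the host name "dc1" is made up). Leading "> " quote markers are tolerated.
SAMPLE = """\
> Starting portqry.exe -n dc1 -e 389 -p BOTH ...
> TCP port 389 (ldap service): LISTENING
> UDP port 389 (unknown service): LISTENING or FILTERED
> UDP port 389 is LISTENING
> portqry.exe -n dc1 -e 389 -p BOTH exits with return code 0x00000000.
> Starting portqry.exe -n dc1 -e 88 -p BOTH ...
> TCP port 88 (kerberos service): LISTENING
> UDP port 88 (kerberos service): LISTENING or FILTERED
> portqry.exe -n dc1 -e 88 -p BOTH exits with return code 0x00000002.
> Starting portqry.exe -n dc1 -e 137 -p UDP ...
> UDP port 137 (netbios-ns service): LISTENING or FILTERED
> UDP port: LISTENING
> portqry.exe -n dc1 -e 137 -p UDP exits with return code 0x00000000.
> Starting portqry.exe -n dc1 -e 138 -p UDP ...
> UDP port 138 (netbios-dgm service): LISTENING or FILTERED
> portqry.exe -n dc1 -e 138 -p UDP exits with return code 0x00000002.
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # newsreader quote prefix
START = re.compile(r"^Starting portqry\.exe -n (\S+) -e (\d+) -p (\w+)")
STATUS = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (.+)$")
# Follow-up lines printed after an application-level probe got an answer:
# "UDP port 389 is LISTENING" or the bare "UDP port: LISTENING".
CONFIRMED = re.compile(r"^(TCP|UDP) port(?: (\d+) is|:) LISTENING$")
EXIT = re.compile(r"exits with return code (0x[0-9a-fA-F]+)")


def parse_portqry(text):
    """Return {(proto, port): {"host", "status", "exit_code"}}.

    exit_code is the code of the whole portqry run that covered the port,
    so with -p BOTH the TCP and UDP entries share it.
    """
    results = {}
    host, port, block = None, None, []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if m := START.match(line):
            host, port, block = m.group(1), int(m.group(2)), []
        elif m := STATUS.match(line):
            key = (m.group(1), int(m.group(2)))
            results[key] = {"host": host, "status": m.group(3),
                            "exit_code": None}
            block.append(key)
        elif m := CONFIRMED.match(line):
            # The bare form carries no port number; use the run's port.
            key = (m.group(1), int(m.group(2)) if m.group(2) else port)
            if key in results:
                results[key]["status"] = "LISTENING"
        elif m := EXIT.search(line):
            for key in block:
                results[key]["exit_code"] = int(m.group(1), 16)
    return results


def unconfirmed(results):
    """Ports whose final status is anything other than a plain LISTENING."""
    return sorted(k for k, v in results.items() if v["status"] != "LISTENING")


if __name__ == "__main__":
    parsed = parse_portqry(SAMPLE)
    for (proto, port), info in sorted(parsed.items()):
        print(f"{info['host']} {proto}/{port}: {info['status']} "
              f"(exit {info['exit_code']:#x})")
    print("needs a second look:", unconfirmed(parsed))
```

For UDP, "LISTENING or FILTERED" with no follow-up confirmation only means no ICMP unreachable came back, so those ports are the ones to check against the firewall rules in each direction.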



Re: Cross Forest Trust by ccisat1crc

ccisat1crc
Thu Nov 15 08:08:01 PST 2007

So if I do an nslookup from my domain trying to resolve for the domain I'm
trying to create the trust with should it resolve to their DC's as well?

Would I need to do a zone transfer in DNS from their windows DNS to our UNIX
dns?


--
Thanks!

Crisoft



"Paul Bergson [MVP-DS]" wrote:

> Pinging the domain name is going to resolve to a dc, this is expected. Do
> an nslookup on your domain name and it should return all the dc's within
> your domain.
>
> If I recall correctly I don't believe 137 and 138 are needed, I believe 445
> is what is used.
>
> Are high ports available both ways?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Crisoft" <ccisat1crc@hotmail.com> wrote in message
> news:09B9EF85-8B99-485C-A6E3-70EBD46A4FDA@microsoft.com...
> > I've used portquery to test connectivity to ports and everything looks
> > good.
> > Are you supposed to be able to telnet into netbios ports 137,138? These
> > won't even answer on the localhost.
> >
> > I noticed that when I ping the domain name that I'm trying to establish
> > the
> > trust with it replies with the IP of the PDC which is the DC that I've
> > opened
> > up the connection to use for creating the trust. Would that cause a
> > problem?
> >
> > Here's my port query.
> >
> > =============================================
> >
> > Starting portqry.exe -n ckent -e 135 -p TCP ...
> >
> >
> > Querying target system called:
> >
> > ckent
> >
> > Attempting to resolve name to IP address...
> >
> > Name resolved to 192.168.5.18
> >
> > querying...
> >
> > TCP port 135 (epmap service): LISTENING
> >
> > Using ephemeral source port
> > Querying Endpoint Mapper Database...
> > Server's response:
> >
> >

Re: Cross Forest Trust by Ace

Ace
Thu Nov 15 20:26:44 PST 2007

In news:524CFF07-29CA-4101-8F73-B2E8F11B4549@microsoft.com,
Crisoft <ccisat1crc@hotmail.com> typed:
> So if I do an nslookup from my domain trying to resolve for the
> domain I'm trying to create the trust with should it resolve to their
> DC's as well?
>
> Would I need to do a zone transfer in DNS from their windows DNS to
> our UNIX dns?

If I may jump in, and I hope Paul doesn't mind, first I would like to say
that Windows 2000 does not support cross-forest trusts. I think Paul
overlooked you are talking about a Windows 2000 domain here. The only type
of trusts it supports are inherited transient trusts that exist intra-forest
between trees and domains and external one-way trusts between domains of
different forests or realms, such as Unix realms, etc.

DNS in such external one-way trusts is not required. Nslookup tests to
determine hostname resolution will not help you in your scenario. Trust
authentication in such a scenario is based on NTLM authentication, which is
based on NetBIOS resolution. This will mean you need to be able to resolve
NetBIOS names as well as allow all traffic between locations. I would either
use WINS, which is easier, or lmhosts files, as Paul's link clearly shows
how to create one. But I think you would need to use the lmhosts file first
to create the trust, then establish WINS partnerships after that.

As far as ports, I think it is challenging to discern the specific ports
required for domain communication because there are numerous ports required
(about 30), as Paul's links indicate, including the all-opening UDP greater
than 1023 for the ephemeral response ports.

As for DNS, you asked about making the zone AD Integrated. That wouldn't
apply to a UNIX Bind server. FYI, making a zone AD Integrated is just
stipulating where you are storing the zone. Primary and secondaries are text
files stored in system32\dns folder. AD Integrated zones are stored in the
actual physical AD database and replicate to all DCs during the normal AD
replication process. Windows 2003 offers additional AD integrated zone
features, but since you have 2000, I won't go further about its features.
So the answer to this is no, AD integration is not necessary, unless you
want to reap the features and better secure your zone data by choosing AD <