Here is my network design:
1. New domain under a new forest, DC1 = flex.com (IP = 192.168.10.190/24)
child domain = support.flex.com (IP = 192.168.10.2/24)
child domain = info.flex.com (IP = 192.168.10.3/24)
2. New domain under another new forest, DC2 = jfkw.com (IP = 192.168.11.210/24)
child domain = sales.jfkw.com (IP = 192.168.11.2/24)
child domain = support.jfkw.com (IP = 192.168.11.3/24)
NOTE: DC1 is the DNS server and all can ping each other.
Here, I want to create a trust between the two different domains (DC1 & DC2) so that parent domain users can access resources from the respective child domains,
and a trust between the parent and child domains respectively.
Kindly provide me the steps to configure the above network design, but don't just copy an article from the net.
Waiting for your kind response.
Thank you
Answers & Comments
Verified answer
Hi! The way to do it is to use the "Active Directory Domains and Trusts" administrative console within the servers to create the trust. The trust needs to be configured on both servers in order to make it bi-directional. There are a few things to consider, however.
First, each domain needs to have its own DNS server. I am assuming that both DC1 and DC2 are DNS servers in their respective domains, but you only listed DC1 as a DNS server. If DC2 is not, then it must be created and made authoritative for the JFKW.com domain.
Second, each DNS server must know about the other domain in either one of two ways. One, on each DNS server, configure a zone for the other domain listing the other DNS server as the authority for the respective domain. This means that DC1 should have an entry in DNS for JFKW.com, and a starting authority DNS name and IP address of JFKW.com and 192.168.11.210 respectively. Opposite, DC2 should have an entry for FLEX.com, and a starting authority DNS name and IP address of FLEX.com and 192.168.10.190 respectively. The other way this can be accomplished is to list the other DNS server in the DNS forwarders list on each server. So DC2 would be listed as a forwarder on DC1's list and vice versa. This means that when someone queries DC1 for JFKW.com, DC1 would not know what that domain is BUT would then forward the request to DC2 and it would respond with an answer.
A good way to test to make sure your DNS resolution is working correctly is to try to ping DC1 from DC2, and then back from DC2 to DC1, and make sure they resolve each other. Ping by DNS name and NOT by IP address. If they don't resolve, you have an issue.
The reason why this is such a big deal is because the domain trust needs to be able to resolve your other domain before the trust can be established. If your servers can't be resolved, it won't work.
I did notice that all of your internal domain names have a ".com" suffix tagged on the end of them. Make sure that your domains resolve to the INTERNAL IP address of your servers, and not the external... Otherwise your firewall will block the requests. At the moment, JFKW.com does not resolve to any external IP, but FLEX.com resolves to 75.101.146.179. I'm not sure if this is your IP or not, but just be careful. It is recommended that your internal domain name be different from your external one for security reasons AND DNS resolution reasons. You may have the same common name, just give your internal network a ".local" suffix. Just a thought.
Once your DNS resolution is working, just use the "Active Directory Domains and Trusts" administrative console to create the trust, and remember this needs to be configured on both servers. You should be good to go after that.
Good luck!
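The DNS preparation, the "resolve by name, not IP, and make sure the answer is internal" check, and the trust creation described in the answer above, as an added PowerShell example that is not part of the original answer. It assumes the DnsServer and ActiveDirectory modules are installed on both DCs; the account name JFKW\Administrator and the choice of conditional forwarders (rather than global forwarders or a full zone copy) are assumptions for illustration.

```powershell
# Added example; not the answerer's own script. Assumes the DnsServer and
# ActiveDirectory modules on both DCs and a jfkw.com admin named JFKW\Administrator.

# --- Run on DC1 (flex.com, 192.168.10.190) ---
# Send every query for jfkw.com to DC2 instead of the internet. A conditional
# forwarder is narrower than putting DC2 in the global forwarders list, so
# unrelated queries still go to your normal upstream resolvers.
Add-DnsServerConditionalForwarderZone -Name 'jfkw.com' `
    -MasterServers 192.168.11.210 -ReplicationScope 'Forest'

# --- Run on DC2 (jfkw.com, 192.168.11.210) ---
Add-DnsServerConditionalForwarderZone -Name 'flex.com' `
    -MasterServers 192.168.10.190 -ReplicationScope 'Forest'

# --- Verify by name, not by IP, from each side before touching trusts ---
# Every answer must be an INTERNAL address; a public answer (like the external
# FLEX.com record the answer mentions) means the query leaked to the internet
# and the firewall will drop the trust traffic that follows.
function Test-TrustDns {
    param(
        [string]$RemoteDomain,     # e.g. 'jfkw.com'
        [string]$ExpectedPrefix    # e.g. '192.168.11.'
    )
    # The _ldap SRV record is what the trust wizard and Kerberos actually look up,
    # so resolving it proves more than resolving a bare host name does.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop
    $a   = Resolve-DnsName -Name $RemoteDomain -Type A -ErrorAction Stop
    $bad = $a | Where-Object { $_.IPAddress -and -not $_.IPAddress.StartsWith($ExpectedPrefix) }
    if ($bad) { throw "$RemoteDomain resolves to non-internal address(es): $($bad.IPAddress -join ', ')" }
    [pscustomobject]@{
        Domain = $RemoteDomain
        DcSrv  = ($srv | Select-Object -First 1).NameTarget
        A      = ($a.IPAddress -join ',')
    }
}
Test-TrustDns -RemoteDomain 'jfkw.com' -ExpectedPrefix '192.168.11.'   # run on DC1
Test-TrustDns -RemoteDomain 'flex.com' -ExpectedPrefix '192.168.10.'   # run on DC2

# --- Create the two-way trust (the same thing the Domains and Trusts console does) ---
# Run on DC1 as a flex.com Enterprise Admin; '*' prompts for the jfkw.com password.
# /add /twoway creates an external trust; /ForestTRANsitive:yes upgrades it to a
# forest trust so the child domains on both sides are covered as well.
netdom trust flex.com /d:jfkw.com /add /twoway /userD:JFKW\Administrator /passwordD:*
netdom trust flex.com /d:jfkw.com /ForestTRANsitive:yes

# --- Confirm from both forests ---
# The parent<->child trusts (support.flex.com etc.) are created automatically
# when a child domain is promoted, so they should already appear here.
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, TrustType
netdom trust flex.com /d:jfkw.com /verify
```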