Environment
Novell Open Enterprise Server 2 SP3 (OES 2SP3) Linux
Domain Services for Windows
DSFW
Situation
Resolution
Follow the steps in the DSFW documentation in section15.2 Cross-Forest Trust Relationships.
OES11.x DocumentationVerify that DNS is configured properly using nslookup. Use nslook up to return the AD domain from the DSfW DC, then for the DSfW domain from the AD DC and reverse lookup the DSfW DC from the AD DC.
Example:
AD domain is ad.domain and DSFW domain is dsfw.domain in this example.nslookup ad.domain – from DSfW server
nslookup -query=any _ldap._tcp.dc_msdcs.ad.domain - from the DSfW server
nslookup dsfw.domain - from AD server
nslookup 10.1.0.5 – from AD server
nslookup -query=any _ldap._tcp.dc._msdcs.dsfw.domain - from the AD serverTurn on remote registry access in AD if it is disabled.
Verify the guest account in DSfW is enabled. It should be enabled by default. The guest account will be disabled in AD and that is fine. It is only the guest account in DSFW that we are concerned about. The guest account in DSFW has to remain enabled to continue accessing AD.
If a domain was created and then removed a trustedDomain object might exist in the system container. Using adsi edit check the system container in the AD domain for a dsfw domain trustedDomain object. If it exists delete it. Do the same in DSFW using iManager or Console One.
- Run a LAN trace and ndstrace with
+debug on the DSFW server for further trouble shooting, look up errors seen in the traces.
- If a trust is removed and then re-established, before creating the trust again be sure that the trust object in cn=users container is removed. The object will look like a user object with the name of the AD Domain with a $ at the end of the object.