From: Ace Fekay [MVP-DS, MCT] on
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in
message news:%23GG6%23cVrKHA.3908(a)TK2MSFTNGP05.phx.gbl...
> Regarding the trust relationship, I first tried it (after the DNS fixes)
> from the Win 2000 server and it kept failing. So, I tried from the 2008
> server with its wizard, and it took less than a minute to create. It says
> that it confirmed it in both directions, and the settings show up on both
> servers. I will go back on Monday to check how it is working, then start
> in on new workstations.
>
> So far, things look good!
>
> Gregg Hill
>


I'm trying to read through all the posts in this thread and get caught up.
Meinolf did provide that one KB that explains what you can do with a single
label domain name. However, what I would like to add is that if the Primary
DNS Suffix is incorrect, meaning it doesn't match the actual AD DNS domain
name, a script exists that will correct the Primary DNS Suffix on a domain
controller. So if the two do not match, this scenario is called a
'disjointed namespace' scenario. The script was created by Dean Wells many
years ago to correct this, and is now part of Microsoft Technet. However,
what it does is set the Primary DNS Suffix based on what it reads out of
Active Directory. If AD's DNS domain name is single label, then the script
won't help. You can view AD's DNS domain name by opening Active Directory
Users and Computers. At the top left in the nav pane, it shows the AD domain
name. Is that single label?

Surprised that you were able to create a trust to an SBS domain.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.



From: Bill Grant on

Just one thing to add here regarding the use of forwarders that Meinolf
mentioned. If your DNS has a dot at the top of the tree (as mentioned
somewhere here), you have to delete the dot before you can enable
forwarders. With the dot at the top, the local DNS thinks it is the end of
the universe and won't forward.
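
Added example, not part of any poster's message and not the Dean Wells
script mentioned above: a read-only PowerShell audit of the three conditions
discussed so far (single-label AD DNS name, Primary DNS Suffix that does not
match the AD DNS domain name, and a local root "." zone). The function name
Get-DnsNamespaceAudit is made up for this example, and the DNS server checks
assume the DnsServer module (Windows Server 2012 or later), which the
2000/2008 servers in this thread do not have.

```powershell
# Added example: read-only audit, changes nothing. Assumes an elevated prompt
# on a domain-joined server; Get-DnsNamespaceAudit is a hypothetical name.
function Get-DnsNamespaceAudit {
    # Primary DNS Suffix as stored by the TCP/IP stack.
    $tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = ([string]$tcpip.Domain).TrimEnd('.')

    # DNS name of the AD domain this computer belongs to.
    $adName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $adName = $adName.TrimEnd('.')

    $report = [ordered]@{
        PrimaryDnsSuffix  = $suffix
        AdDnsDomainName   = $adName
        SingleLabelDomain = ($adName -notmatch '\.')   # no dot inside the name
        DisjointNamespace = ($suffix -ne $adName)      # -ne ignores case
        RootZonePresent   = $null                      # $null = not checked
        Forwarders        = $null
        RootHintCount     = $null
    }

    # DNS server checks only where the DnsServer module is available.
    if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
        try {
            $zones = @(Get-DnsServerZone -ErrorAction Stop)
            $report.RootZonePresent = [bool]($zones | Where-Object { $_.ZoneName -eq '.' })
            $report.Forwarders = @((Get-DnsServerForwarder -ErrorAction Stop).IPAddress |
                                   Where-Object { $_ } | ForEach-Object { "$_" })
            $report.RootHintCount = @(Get-DnsServerRootHint -ErrorAction SilentlyContinue).Count
        } catch {
            Write-Warning "DNS Server could not be queried: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$report
}

$audit = Get-DnsNamespaceAudit
$audit | Format-List

if ($audit.SingleLabelDomain) {
    Write-Warning "AD DNS domain name '$($audit.AdDnsDomainName)' is single label; correcting the Primary DNS Suffix will not change that."
}
if ($audit.DisjointNamespace) {
    Write-Warning "Primary DNS Suffix '$($audit.PrimaryDnsSuffix)' does not match AD DNS domain name '$($audit.AdDnsDomainName)' (disjoint namespace)."
}
if ($audit.RootZonePresent) {
    Write-Warning "A root (.) zone is hosted on this DNS server; it has to be deleted before forwarders can be used."
}
```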



From: "Gregg Hill" greggmhill at please do not spam me at yahoo dot on
One answer for everyone:

Yes, I knew it had the root zone "dot" domain and the ISP's DNS servers,
both of which should not be done, and both of which I have seen a few times
before. Due to the dot domain, it had no root hint servers (grayed out and
empty), forwarders were grayed out and empty, etc. I'll bet that is why the
guy put in the ISP's DNS servers...in order to get Internet access...rather
than fix the real problem. These people have had this network for eight
years and have been complaining about it, but the in-house IT guy was not
getting it handled, so one of their people finally got me in the door after
a year of trying (the in-house IT guy is a friend of the owner).

Their in-house IT guy argued with me that the server was set up by a guy
"with 20 years experience who really knows his stuff" and works at the local
college in IT, so "trust me, he knows what he is doing." That was a fun
conversation! Anyway, those were the first things that I corrected. As
mentioned earlier, this server was set up by an old-school NT guy, and I
have seen several with the same DNS errors when done by the guys who did not
read up on AD and just installed as though it were still NT 4. I started in
NT 4 as well, but when AD came out, I read until my brain bled before
installing my first AD server! Now I need to get my hands on their router
password to turn off DHCP and move it to the server.

The other item, as mentioned before, is that it is indeed a single label
domain as it shows in ADUC, AD Domains and Trusts, and in DNS, also a common
problem I have seen when done by more experienced NT techs. Unfortunately,
there is nothing I can do about it. Fortunately, the old server is plain
2000 and the new server is Server 2008 and not SBS 2008, so the trust was
set up successfully when done from the 2008 server (would not work from 2000
server, even with firewall off...could not contact the domain), or so the
wizard stated. I need to go on site tomorrow to confirm it works. I
**thought** I had read that a single label domain would prevent creating a
trust, which turns out not to be true, at least not with 2008. Of course, I
do a lot of my reading at 3:00AM, so that may be a factor!

I have seen that script to correct the registry, and used it or a similar
one years ago to correct a botched DNS. That one was not a single label
domain, but I did not remember that until a few days ago. I was remembering
using it to correct the single label problem, but that was not true; it
merely corrected the DNS suffix problem. Just for giggles, I ran it anyway,
but it made no changes, as it doesn't fix the single label issue.

I am not going to mess with workstations, as they are all being replaced
soon. Some of them have the ISP's DNS servers, some have static addresses
with the AD server's DNS...a real cluster f....!

The mention of SBS versions was just a note of where I had seen the problem
before. There is no SBS in this domain...yet.

Thank you for all of your suggestions!

Gregg Hill



--
Gregg's pet peeves:

First of all, what does a peeve look like, and why would anyone want one as
a pet?

Peeve #1: Apostrophes: when in doubt, leave them out! You will be correct
more often than not.

Its = Belonging to it. For example, "Look at the sky. Its color is blue."
It's = It is. For example, "It's hot today."
It's = It has. For example, "It's been nice talking to you."
Its' = completely incorrect usage. Stop it!


Peeve #2: Your vs. You're
"Your" means belonging to you, as in, "It's your truck."
"You're" means "You are." Example, you're probably about ready to throttle
me for this peeve!


From: Ace Fekay [MVP-DS, MCT] on
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in
message news:er5yjyerKHA.4236(a)TK2MSFTNGP02.phx.gbl...
> One answer for everyone:


Someone having 20 years of the *correct* experience would have done it
properly. The dot zone appeared in Windows 2000 when DCPROMO was run while
the machine did not have internet access. For some reason with Windows 2000
dcpromo, it was set by default to do that. As we all know, a simple deletion
takes care of it. Similar to Windows 2003 dcpromo where it automatically
puts in the loopback for DNS, where a simple deletion and entering its own
IP can take care of that.

Domain trusts are NTLM based, whereas Forest trusts are DNS based, hence
why it works with single label name domains. And here I thought you got a
trust to work with SBS until I just read it wasn't SBS!! :-)

Those peeves regarding "it" and versions of "you" are commonplace. I'm
willing to bet that one day Websters will have an "SMS version" for correct
texting syntax and spelling. :-) Can't fight progress, if you want to call
it that! LOL!

Ace



From: "Gregg Hill" greggmhill at please do not spam me at yahoo dot on
I agree with the "correct" experience statement. Some people just keep
plugging along the same old way because it worked for 20 years, why change
now?

Regarding the peeves, my all-time favorite is "prolly" instead of
"probably." I have heard it in conversation and not just seen it in web
forums.

Gregg
