Unable to add a second forest in AAD Connect

    Question

  • I have been struggling to add a second forest in AAD Connect, the error that I get is 'the specified domain does not exist or cannot be contacted':


    The forest in question is located on a separate, isolated domain controller, and the AAD Connect server is placed in a DMZ:

    I found the following article stating that they were able to contact the domain by using the FQDN instead of the NetBIOS name: https://blog.kloud.com.au/2015/12/16/azure-ad-connect-the-specified-domain-does-not-exist-or-cannot-be-contacted-when-adding-an-untrusted-ad-forest/
    Using the FQDN does not work either - actually it fails even quicker than using NetBIOS.

    I've tried reinstalling AAD Connect with no success. The domain in question is added in the Office 365 portal.

    The domain answers to ping using the FQDN as in the article - but I had to add an entry in the hosts file, because initially the domain did not answer - only the domain controller. However, by forcing this in the hosts file, the AAD Connect server should definitely be able to contact the domain, shouldn't it?

    So I suspect there's either an issue with the Domain Controller, or the DNS (the DNS role is installed on the DC).

    What could be the reason for this, and what should I try to adjust/rectify?
    I would deeply appreciate any advice on this matter.

    Thanks.

    Friday, March 03, 2017 1:48 PM

Answers

  • What you need to do:

    • Enable network communication on ports 53, 135, 389, 445, and 3268 between:
           AADConnect server and DC in the second forest
           DC that AAD Connect has set to primary DNS and DC in the second forest
    • On the DC that AAD Connect is using for DNS resolution, create a conditional forwarding zone for the second forest, and use the IP of the DC in the second forest as the target DNS server.  For example, we'll assume that the IP of the DC in forest 2 is 10.1.1.10. Launch an elevated PowerShell prompt on the DC local to AAD Connect and run:

      $DnsServers = @('10.1.1.10') # DC in Forest 2
      Add-DnsServerConditionalForwarderZone -MasterServers $DnsServers -Name forest2.com

    You should then be able to run through the AAD Connect setup wizard and contact the DC in the second forest.
    Friday, March 03, 2017 8:25 PM
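    As an added verification script (example code, not from the thread or from Microsoft's documentation), the following checks the two prerequisites the accepted answer lists before the wizard is rerun: TCP reachability to the forest-2 DC on the named ports, and resolution of the AD locator SRV records that the wizard depends on (which a hosts-file A record can never supply). It assumes the same values as the answer, 10.1.1.10 for the forest-2 DC and forest2.com for the forest FQDN; change both for a real environment.

    ```powershell
    # Added example, not code from the thread. Assumed values taken from the accepted
    # answer: forest-2 DC at 10.1.1.10, forest FQDN forest2.com. Run on the AAD Connect
    # server, except step 3, which runs on the DC that AAD Connect uses for DNS.
    $ForestFqdn    = 'forest2.com'
    $Forest2Dc     = '10.1.1.10'
    $RequiredPorts = 53, 135, 389, 445, 3268   # ports listed in the accepted answer

    # 1. TCP reachability from the AAD Connect server to the forest-2 DC on each port.
    #    A closed port here points at the DMZ firewall rather than at DNS.
    $portResults = foreach ($port in $RequiredPorts) {
        $t = Test-NetConnection -ComputerName $Forest2Dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Open = $t.TcpTestSucceeded }
    }
    $portResults | Format-Table -AutoSize

    # 2. AD locator records. Domain discovery uses these SRV records, not a plain A
    #    record for the domain name, which is why the hosts-file entry did not help.
    #    Each lookup goes through the DNS server configured on this machine, so a
    #    failure here means the conditional forwarder is missing or not reachable.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$ForestFqdn",
        "_ldap._tcp.$ForestFqdn",
        "_kerberos._tcp.$ForestFqdn",
        "_gc._tcp.$ForestFqdn"
    )
    foreach ($name in $srvNames) {
        try {
            $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
            $targets = ($rec | Where-Object Type -eq 'SRV' |
                        ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            "{0,-40} -> {1}" -f $name, $targets
        } catch {
            "{0,-40} -> NOT RESOLVED ({1})" -f $name, $_.Exception.Message
        }
    }

    # 3. On the DC that AAD Connect uses for DNS: confirm the conditional forwarder
    #    zone exists and points at the forest-2 DC (requires the DnsServer module).
    Get-DnsServerZone -Name $ForestFqdn -ErrorAction SilentlyContinue |
        Select-Object ZoneName, ZoneType, MasterServers
    ```

    If step 1 shows every port open but step 2 still fails, the problem is the forwarder configuration in step 3 rather than network connectivity.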

All replies

  • It sounds like a DNS issue. Adding a domain entry in a hosts file does not help. Active Directory has a lot of entries in DNS to be able to find the correct services and the domain controllers hosting particular roles. You need to be able to resolve the domain with DNS.

    If the DNS server you have configured cannot see both domain1 and domain2, then the easiest option is to install DNS on the Connect server itself. Then you configure "conditional forwarders" in it so all requests for domain1 go to a DNS server in domain1 and all requests for domain2 go to a DNS server in domain2.

    Friday, March 03, 2017 4:15 PM
  • Thanks guys, wanted to avoid having a DNS role on the AAD, so I tried creating a 'conditional forwarder' on the local AD like you mentioned - worked like a charm.

    Let's hope the next stages are smooth sailing.
    Monday, March 06, 2017 8:01 AM