Access Denied with an external Trust

Dan

I have two Windows 2000 DCs, one called domain1.local and the other called
domain2.com. I set up an external trust between the two domains. I
authenticate to domain2.com, and I created a share on domain1.local and gave
my account (e-mail address removed) full access to this share, but when I try to
access it from a mapped drive it says access denied. Don't know what I'm doing
wrong.
 
Steven L Umbach

Assuming you have your DNS set up correctly [and maybe WINS if it is not a small
network], try adding that account to the domain users group in the other domain. Also
try accessing the share via IP address as in \\xxx.xxx.xxx.xxx\sharename in case of a
name resolution problem. Other things that can be causing lack of access would be
incompatible security options such as IPsec negotiation policies, LAN Manager
authentication level, SMB signing [have client/server digitally sign communications
set to always when the other computer cannot comply], and the option for
"additional restrictions for anonymous access" being set to no access without
explicit anonymous permissions in certain situations. --- Steve
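
The security-option mismatches listed in the reply above, written out as a check. This is an added example, not part of the original thread; the two snapshots are constructed sample data, and treating the share host as the side that accepts the logon is an assumption.

```python
# Constructed sample snapshots; keys are the registry value names behind the
# security options (LanmanWorkstation/LanmanServer parameters and Lsa).
CLIENT = {  # machine mapping the drive
    "EnableSecuritySignature": 0,
    "RequireSecuritySignature": 0,
    "LmCompatibilityLevel": 1,
}
SERVER = {  # machine hosting the share and (assumed) accepting the logon
    "EnableSecuritySignature": 1,
    "RequireSecuritySignature": 1,
    "LmCompatibilityLevel": 5,
    "RestrictAnonymous": 2,
}


def signing_off(cfg):
    """True when a side neither offers nor requires SMB signing."""
    return not (cfg.get("EnableSecuritySignature") or cfg.get("RequireSecuritySignature"))


def find_conflicts(client, server):
    """Return (option, reason) pairs that can produce 'access denied'."""
    found = []
    # SMB signing set to "always" on one side fails against a peer that
    # has signing turned off.
    if server.get("RequireSecuritySignature") and signing_off(client):
        found.append(("smb-signing", "server requires signing, client has it off"))
    if client.get("RequireSecuritySignature") and signing_off(server):
        found.append(("smb-signing", "client requires signing, server has it off"))
    # LAN Manager authentication level: 0-2 never send an NTLMv2 response,
    # while level 5 accepts nothing else (level 4 only refuses LM).
    if server.get("LmCompatibilityLevel", 0) >= 5 and client.get("LmCompatibilityLevel", 0) < 3:
        found.append(("lm-level", "server accepts NTLMv2 only, client never sends it"))
    # RestrictAnonymous=2 is "no access without explicit anonymous permissions";
    # report it for review, since it only breaks access in some setups.
    if server.get("RestrictAnonymous", 0) >= 2:
        found.append(("restrict-anonymous", "review: anonymous access fully restricted"))
    return found


if __name__ == "__main__":
    for option, reason in find_conflicts(CLIENT, SERVER):
        print(f"{option}: {reason}")
```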
 
Dan

I did set up IPsec; I wonder if that is the issue.
 
Dan

I remember messing with IPsec. Is there a way to turn it off? I set the
option "Do not use IPSEC" under the TCP/IP Properties but still the same.
 
Steven L Umbach

You will have to "unassign" the policy you assigned in the appropriate security
policy, either domain/local/OU/domain controller, etc. You can run netdiag on a
computer as in "netdiag /test:ipsec" and it may help by showing what policy is applied.
Gpresult also tells where you are receiving IPsec policy from, I believe. Both those
tools are on the install CD-ROM in the tools/support folder, where you will have to run
the setup program. --- Steve


 
Dan

I ran the IPsec test and this is what I got on both servers.
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.

Could it be because there is an external trust?

I can verify the trusts between the servers fine. Or maybe a DNS issue that
I'm overlooking.

 
Steven L Umbach

Apparently you do not have any IPsec policy assigned then. Did trying to access the
share via IP address such as \\xxx.xxx.xxx.xxx\sharename work? If not, have you
changed any of the security options on the two domains from default? It may also help
to enable auditing of logon events on the server where you are trying to access the
share and then view the security log in Event Viewer for any failed logons to see if
an event is recorded when you attempt access. Often the failed events have helpful
information. --- Steve

