AD domain management

Guest

I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
was Windows NT4. There is a one-way trust between the domains (Domain A is
the accounts (trusted) domain and Domain B is the resource (trusting)
domain). I converted Domain B to Windows 2003 with AD. From "AD Domains
and Trusts", I see that the converted trust is an "external,
non-transitive" trust (as expected). All cross-domain functionality appears
to work fine, except for the below.

I currently log onto a machine in Domain A under my personal account (which
also has Domain Admin rights in Domain A). I want to use "AD Users and
Computers" from Domain A to manage Domain B, but I cannot see Domain B as
a choice. It also can't find Domain B when I enter it in the "location"
portion. Domain A's "Domain Admins" group is a member of Domain B's
"Administrators" group, as is my personal account.
 
Herb Martin

Serverdude said:
I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
was Windows NT4. There is a one-way trust between the domains (Domain A is
the accounts (trusted) domain and Domain B is the resource (trusting)
domain). I converted Domain B to Windows 2003 with AD. From "AD Domains
and Trusts", I see that the converted trust is an "external,
non-transitive" trust (as expected). All cross-domain functionality appears
to work fine, except for the below.

Can we presume you did NOT put the new AD domain in
the same forest?
I currently log onto a machine in Domain A under my personal account (which
also has Domain Admin rights in Domain A).

Onto Domain A at (or from) a Domain A machine, right?
I want to use "AD Users and
Computers" from Domain A to manage Domain B, but I cannot see Domain B as
a choice. It also can't find Domain B when I enter it in the "location"
portion. Domain A's "Domain Admins" group is a member of Domain B's
"Administrators" group, as is my personal account.

External trusts still require NetBIOS name resolution.

"Seeing" is not usually about permissions directly; although
it can be about authentication, it is usually about name resolution.

Do you have more than one subnet?

Do you use WINS Servers?

IF so, did you make ALL of the machines -- especially all DCs--
WINS clients?

DNS might also play a role at times so review DNS as well:


--
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Guest

I followed Mr. Herb Martin's procedure and still no
success.

I reinstalled the DNS server.

When I run the different Diag tools I get these errors:

netdiag /fix

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/fserv2.myDomainName.local.


dcdiag /fix

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... FSERV2 failed test frsevent

I did erase manually a folder yesterday in sysvol, ooops.

I followed the procedure to reinstall DNS (I see the
Active Directory DNS records _msdcs, _sites, _tcp, _udp).

The AD settings in sites and services seem ok.

How could I re-emit a Kerberos Key? Fix the sysvol?

Can anybody shed some light, please?

Thanks again
Dora
 
Guest

Thanks Herb. More info for you below ...

Herb Martin said:
Can we presume you did NOT put the new AD domain in
the same forest?
Yes. We didn't want them in the same forest on purpose!
Onto Domain A at (or from) a Domain A machine, right?
Yes


External trusts still require NetBIOS name resolution.

"Seeing" is not usually about permissions directly; although
it can be about authentication, it is usually about name resolution.

Do you have more than one subnet?
Yes

Do you use WINS Servers?
Yes. The WINS Server is in Domain A and all servers point there.
IF so, did you make ALL of the machines -- especially all DCs--
WINS clients?
Yes.

DNS might also play a role at times so review DNS as well:


--
DNS for AD
1) Dynamic for the zone supporting AD
Yes

2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
Yes

3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
All servers and clients are set to use Domain B's DNS server. Domain B's DNS
servers are set to forward DNS requests to Domain A's DNS servers for name
resolution that they do not understand.
netdiag /fix

....or maybe:

dcdiag /fix
I have used those tools before and they didn't do anything for me.

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

How does one domain "see" another domain? What sub-protocols are used (TCP,
UDP, ?)? I assume it's some sort of broadcast?
 
Herb Martin

Serverdude said:
Thanks Herb. More info for you below ...

Yes. We didn't want them in the same forest on purpose!

Usually a mistake if you actually plan to share resources or
admins, but that is your choice.

Different domains means that the external trusts likely need
NetBIOS for the TRUSTS.

Probably still need DNS for general name resolution.

Yes. The WINS Server is in Domain A and all servers point there.

So all servers in all domains are clients of this SAME
WINS server? (That's good.)

And all other machines probably should be too. And NetBIOS
must be on for the machines. (But that should gray out the
WINS server setting if you did that so likely you didn't.)

But if true, it doesn't solve the problem since it pretty much
eliminates the NetBIOS issue.
All servers and clients are set to use Domain B's DNS server. Domain B's DNS
servers are set to forward DNS requests to Domain A's DNS servers for name
resolution that they do not understand.

Are you really using Dynamic Update for Domain A DNS
on a Domain DNS machine?

That is an awkward method but if you didn't create any
mistakes it SHOULD work.

I have used those tools before and they didn't do anything for me.

Humor me and run

DCDIAG /Fix > nameOfDC.txt

....on each DC. Fix or report all errors by loading the txt to this
thread.
(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

How does one domain "see" another domain? What sub-protocols are used (TCP,
UDP, ?)? I assume it's some sort of broadcast?

For external trusts, they broadcast NetBIOS on the same subnet,
OR rendezvous through WINS (if you set them up) for those
on other subnets.

For a single Forest, they rendezvous through DNS.
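As an added diagnostic example (not from the thread or from Herb), a PowerShell script that walks the checks above from a Domain A admin workstation with RSAT: the NetBIOS DC-locator path an external trust depends on, the DNS SRV path a forest would use, the "DNS clients point only at internal DNS" checklist item, and the DCDIAG /Fix capture-and-search step. The names domainb.local, DOMAINB, DC1 and DC2 are placeholders.

```powershell
# Added example, not part of the thread. Placeholder names: Domain B's DNS
# name 'domainb.local', its NetBIOS name 'DOMAINB', and the Domain A DCs in
# $DCs. Run from an admin workstation in Domain A (RSAT: dcdiag, nltest).
param(
    [string]$TrustedDnsName = 'domainb.local',
    [string]$TrustedNetbios = 'DOMAINB',
    [string[]]$DCs          = @('DC1', 'DC2')
)

function Test-Step([string]$Name, [scriptblock]$Check) {
    try   { $out = & $Check; "{0,-45} OK   {1}" -f $Name, $out }
    catch { "{0,-45} FAIL {1}" -f $Name, $_.Exception.Message }
}

# 1) External trusts use the NetBIOS DC locator (broadcast on the local
#    subnet, otherwise WINS); nltest /dsgetdc exercises exactly that path.
Test-Step "DC locator for $TrustedNetbios" {
    $r = & nltest /dsgetdc:$TrustedNetbios 2>&1
    if ($LASTEXITCODE -ne 0) { throw ($r -join ' ') }
    ($r | Select-String 'DC:').Line.Trim()
}

# 2) Inside a forest (and for general name resolution) the locator uses DNS
#    SRV records instead, so check that the DNS servers this client uses can
#    answer for Domain B, directly or through forwarders.
Test-Step "SRV _ldap._tcp.dc._msdcs.$TrustedDnsName" {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDnsName" `
                           -Type SRV -ErrorAction Stop
    ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
}

# 3) Checklist item 2: every NIC must point only at the internal DNS servers.
Test-Step 'DNS client server list (review by eye)' {
    (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object ServerAddresses | ForEach-Object ServerAddresses) -join ', '
}

# 4) The "DCDIAG /Fix > nameOfDC.txt on each DC, then search for FAIL, ERROR,
#    WARN" step, run against each DC remotely (/s:) and saved per DC.
foreach ($dc in $DCs) {
    & dcdiag /s:$dc /fix 2>&1 | Out-File -FilePath "$dc.txt" -Encoding ascii
    $hits = Select-String -Path "$dc.txt" -Pattern 'FAIL|ERROR|WARN'
    "{0,-45} {1} matching line(s) in {0}.txt" -f $dc, @($hits).Count
    $hits | ForEach-Object { "    " + $_.Line.Trim() }
}
```

Step 1 failing while step 2 succeeds is the pattern to expect when DNS forwarding is fine but WINS or NetBIOS on the Domain A clients is not, which is the case Herb describes for an external trust.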