Creating a trust between 2 Windows 2000 Domains

Guest

I want to create a trust between two Windows 2000 domains, one with ourselves
(domain A) and one domain from an external source (domain B). We do have a
VPN connection with the external source. We want to put a trust in so that
users in domain B can access a network share in domain A and have write
access to it.

Basically how do I go about this and is it granular - in that we can specify
certain users from Domain B to have access to certain files/folders on our
domain.

When I try to setup a trust via AD Domains & Trusts I receive an error
message stating 'The <domain B> cannot be contacted. If this domain is a
Windows domain, the trust cannot be setup until the domain is contacted...'
For this I was using the domain name of domain B.

Reading from other questions posted I see I may have to setup DNS entries,
configure WINS etc.. add Firewall rule(s)

Can anyone give me a definitive outline on what needs to be done - at our
end domain A and at domain B to allow this to happen.

any guidance would be appreciated.
 
Herb Martin

Pete said:
I want to create a trust between two Windows 2000 domains, one with ourselves
(domain A) and one domain from an external source (domain B). We do have a
VPN connection with the external source. We want to put a trust in so that
users in domain B can access a network share in domain A and have write
access to it.

Basically how do I go about this and is it granular - in that we can specify
certain users from Domain B to have access to certain files/folders on our
domain.

When I try to setup a trust via AD Domains & Trusts I receive an error
message stating 'The <domain B> cannot be contacted. If this domain is a
Windows domain, the trust cannot be setup until the domain is contacted...'
For this I was using the domain name of domain B.

The magic word is "NetBIOS". External trusts are dependent on NetBIOS
name resolution.
Reading from other questions posted I see I may have to setup DNS entries,
configure WINS etc.. add Firewall rule(s)

Can anyone give me a definitive outline on what needs to be done - at our
end domain A and at domain B to allow this to happen.

If you are working across routers (likely in your VPN situation) you
have a practical need for "WINS Server(s)" that are fully replicated.

So setup WINS Server(s) and replicate them (see MMC, any GUI
Smart admin can do that part) and make sure that EVERY MACHINE
(both 'clients' AND 'servers') are WINS clients (NIC->IP->Advanced
properties.)

As to your firewall, you must know how to use the specific tools
or commands that allow you to open the ports for NetBIOS if you
are blocking them, but the chances are that your VPN tunnel is allowing
free flow of traffic through it.
any guidance would be appreciated.

Routing? What about routing? Can you currently ping or use other
simple traffic through the VPN if you specify IP addresses instead
of names? (If routing doesn't work nothing else is going to either.)
 
Guest

I have setup 2000 trusts using both of the following methods:

1) If using NetBIOS name resolution, add NetBT entries in the LMHOSTS for
the target domains and domain controllers on each domain controller. The
syntax is specific. Refer to KB ID 180094 for detailed steps on how to
configure LMHOSTS for domain validation. I have used this method on several
domains where the trust included a NT 4.0 domain.

2) This workaround works great for using DNS resolution. Create forward
primary DNS zones for each target domain, including all the Kerberos
and LDAP DC records needed to resolve for trust authentication. To do this, you
can temporarily configure secondaries that will replicate the zone data from
the target primary. This way you get all the Kerberos and LDAP records
without needing to add them manually, though you can do that as well. Once
the secondary completes the zone transfer, turn the secondary into a primary.
Delete any unneeded HOST records from the zone file and only keep the
Kerberos, LDAP, etc. records that you need to resolve for trust
authentication. These records will need to be maintained manually in the future,
such as a DC being added or modified, since the server is now a primary.

Trusts are not dependent on NetBIOS resolution unless the trust is with a
pre-Windows 2000 domain.
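Both methods in the post above come down to turning a list of the remote domain's DCs into exactly the right records, and the LMHOSTS form is where hand-typed files usually go wrong (the name must be padded with spaces to exactly 15 characters before the `\0xNN` suffix). The following Python is an added example, not code from the thread, from Microsoft or from KB 180094: it generates the KB-style LMHOSTS entries for method 1, validates such lines, and emits the minimal SRV/A record set for a trust-only zone as in method 2. The NetBIOS name `DOMAINB`, the DNS name `domainb.example`, the DC names and the addresses are constructed sample data; the SRV owner names and ports are assumed from what Windows 2000 DCs register by default, not something the post states.

```python
"""
Name-resolution records a Windows 2000 external trust depends on, built
from a list of the remote domain's DCs.  Added example, not from the thread:
the NetBIOS name, DNS name, DC host names and addresses below are made up.
"""
import re
from dataclasses import dataclass

NETBIOS_MAX = 15          # NetBIOS names are 15 characters plus a 1-byte suffix
TTL = 600

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_QUOTED_RE = re.compile(_IP + r'\s+"([^"]*)"\s*(.*)$')
_PLAIN_RE = re.compile(_IP + r"\s+([^\s\"]+)\s*(.*)$")


@dataclass(frozen=True)
class DomainController:
    host: str           # short host name (assumed)
    ip: str             # address reachable through the VPN (assumed)
    pdc: bool = False   # PDC emulator: owns the 0x1B domain-master-browser name


def quoted_netbios_name(name: str, suffix: int) -> str:
    """LMHOSTS quoted form: name space-padded to exactly 15 characters,
    then the 16th byte written as \\0xNN (the KB 180094 notation)."""
    if len(name) > NETBIOS_MAX:
        raise ValueError(f"{name!r} is longer than {NETBIOS_MAX} characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return f'"{name.upper().ljust(NETBIOS_MAX)}\\0x{suffix:02x}"'


def lmhosts_lines(netbios_domain: str, dcs) -> list[str]:
    """Method 1: one #PRE #DOM entry per DC (puts the DC in the domain's
    0x1C group) plus the 0x1B entry for the PDC emulator."""
    pdcs = [dc for dc in dcs if dc.pdc]
    if len(pdcs) != 1:
        raise ValueError("flag exactly one DC as the PDC emulator")
    dom = netbios_domain.upper()
    lines = [f"# LMHOSTS entries for the trust with {dom} (generated)"]
    for dc in dcs:
        lines.append(f"{dc.ip}\t{dc.host.upper()}\t#PRE\t#DOM:{dom}")
    lines.append(f"{pdcs[0].ip}\t{quoted_netbios_name(dom, 0x1B)}\t#PRE")
    return lines


def parse_lmhosts_line(line: str):
    """Return (ip, name, suffix, tags) for a valid entry, None otherwise.
    suffix is None for plain (unquoted) entries.  A quoted name must be
    exactly 15 characters before the \\0xNN part; the 14-space version that
    hand-typed files tend to contain is rejected."""
    s = line.strip()
    if not s or s.startswith("#"):          # blank line or comment
        return None
    m = _QUOTED_RE.match(s)
    if m:
        ip, inner, rest = m.groups()
        if len(inner) != NETBIOS_MAX + 5 or not re.fullmatch(
                r"\\0x[0-9a-fA-F]{2}", inner[NETBIOS_MAX:]):
            return None
        name = inner[:NETBIOS_MAX].rstrip()
        suffix = int(inner[NETBIOS_MAX + 3:], 16)
    else:
        m = _PLAIN_RE.match(s)
        if not m:
            return None
        ip, name, rest = m.groups()
        suffix = None
        if len(name) > NETBIOS_MAX:
            return None
    if not all(0 <= int(o) <= 255 for o in ip.split(".")):
        return None
    tags = rest.split()
    if any(not t.startswith("#") for t in tags):
        return None
    return ip, name, suffix, tags


def dns_records(dns_domain: str, dcs) -> list[tuple[str, str, str]]:
    """Method 2: the minimal record set for a locally held zone used only for
    trust authentication.  Owner names and ports are the Windows 2000 DC
    registration defaults (assumed); priority/weight are the 0/100 defaults."""
    zone = dns_domain.rstrip(".").lower() + "."
    recs = []
    for dc in dcs:
        fqdn = f"{dc.host.lower()}.{zone}"
        recs.append((fqdn, "A", dc.ip))
        recs.append((zone, "A", dc.ip))       # DCs also register the bare domain name
        for owner, port in (
            (f"_ldap._tcp.{zone}", 389),
            (f"_ldap._tcp.dc._msdcs.{zone}", 389),
            (f"_kerberos._tcp.{zone}", 88),
            (f"_kerberos._tcp.dc._msdcs.{zone}", 88),
            (f"_kpasswd._tcp.{zone}", 464),
        ):
            recs.append((owner, "SRV", f"0 100 {port} {fqdn}"))
        if dc.pdc:
            recs.append((f"_ldap._tcp.pdc._msdcs.{zone}", "SRV", f"0 100 389 {fqdn}"))
    return recs


def zone_file(dns_domain: str, dcs) -> str:
    """Zone-file text for the records above, one line per record."""
    return "\n".join(f"{o}\t{TTL}\tIN\t{t}\t{r}" for o, t, r in dns_records(dns_domain, dcs))


# Constructed sample data standing in for domain B from the thread
REMOTE_NETBIOS = "DOMAINB"
REMOTE_DNS = "domainb.example"
REMOTE_DCS = (
    DomainController("dc1", "10.20.0.10", pdc=True),
    DomainController("dc2", "10.20.0.11"),
)

if __name__ == "__main__":
    print("\n".join(lmhosts_lines(REMOTE_NETBIOS, REMOTE_DCS)))
    print(zone_file(REMOTE_DNS, REMOTE_DCS))
```

Run it on each DC of domain A with domain B's DC list (and the other way round on domain B's DCs): the first block of output is what goes into `%SystemRoot%\system32\drivers\etc\lmhosts` (followed by `nbtstat -R` to reload it), the second is the record set a trust-only zone must carry; `parse_lmhosts_line` is handy for checking an existing hand-written file before blaming WINS or the VPN for the "cannot be contacted" error.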
 
Guest

Herb

surely only the DCs need WINS configured or do the clients of Domain B -
that are going to connect to the share on Domain A - need configured as well?

Herb Martin said:
Pete said:
I want to create a trust between two Windows 2000 domains, one with ourselves
(domain A) and one domain from an external source (domain B). We do have a
VPN connection with the external source. We want to put a trust in so that
users in domain B can access a network share in domain A and have write
access to it.

Basically how do I go about this and is it granular - in that we can specify
certain users from Domain B to have access to certain files/folders on our
domain.

When I try to setup a trust via AD Domains & Trusts I receive an error
message stating 'The <domain B> cannot be contacted. If this domain is a
Windows domain, the trust cannot be setup until the domain is contacted...'
For this I was using the domain name of domain B.

The magic word is "NetBIOS". External trusts are dependent on NetBIOS
name resolution.
Reading from other questions posted I see I may have to setup DNS entries,
configure WINS etc.. add Firewall rule(s)

Can anyone give me a definitive outline on what needs to be done - at our
end domain A and at domain B to allow this to happen.

If you are working across routers (likely in your VPN situation) you
have a practical need for "WINS Server(s)" that are fully replicated.

So setup WINS Server(s) and replicate them (see MMC, any GUI
Smart admin can do that part) and make sure that EVERY MACHINE
(both 'clients' AND 'servers') are WINS clients (NIC->IP->Advanced
properties.)

As to your firewall, you must know how to use the specific tools
or commands that allow you to open the ports for NetBIOS if you
are blocking them, but the chances are that your VPN tunnel is allowing
free flow of traffic through it.
any guidance would be appreciated.

Routing? What about routing? Can you currently ping or use other
simple traffic through the VPN if you specify IP addresses instead
of names? (If routing doesn't work nothing else is going to either.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Herb Martin

Pete said:
Herb

surely only the DCs need WINS configured or do the clients of Domain B -
that are going to connect to the share on Domain A - need configured as well?

I am not 100% sure if the clients NEED to be WINS clients
for the AUTHENTICATION part (there may be cases where
it goes each way) but the clients need this (and the servers)
to see browsing work across routers and if you have WINS
server there is likely no compelling reason to forego doing
it completely.

The trust itself can technically be established with just the
DCs as WINS clients. (This doesn't mean everything will
work for ACCESS though.)


--
Herb Martin
 
