DOMAIN TRUST

[Nick P]

I have a Windows 2000 SBS server (DC1) and a Windows 2000
adv Server (DC2). I have since transferred a server roles
from DC1 to DC2. These include, RID, PDC Emulation,
Infrastructure and GC... My domain (domain1.com)runs in
Native mode.

I have also set the LMHOST file up in preperation for
Domain trust with an external source (domain2.com). The
server (DC2) appears to have full access to the DC in
domain2.com. This can be confirmed via email on port 25,
directory browsing and terminal services - in other words
no restrictions set between the two domains via teh VPN...

When i try and set the Trust up (domains trusted by this
domain) i get the following error after typing in the
domain name and password in the dialog box

ACCESS TO THE DOMAIN DOMAIN2.COM IS DENIED. CHECK THE
PASSWORD IS CORRECT AND TRY AGAIN.

Having checked my SEcurity event logs, all is well. upon
investigation of the DC's security logs in the
DOMIAN2.COM, i have th following errors numbers???

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/30/2004
Time: 2:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: MAIA-SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: LEGN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LEGN-DC2












Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 3/30/2004
Time: 2:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: MAIA-SERVER
Description:
The logon to account: Administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: LEGN-DC2
failed. The error code was: 3221225578

Has anyone come accross this before???

 

[Cary Shultz [A.D. MVP]]

Nick,

Without having read all of your post I can tell you that you can not create
a trust in a SBS environment. There is one exception to that: you can
create a temporary trust between SBS2000 and SBS2003 for seven days ( I
believe ) for purposes of migrating from 2000 to 2003.

Also, there are five FSMO roles: Schema Master, Domain Naming Master; PDC
Emulator, RID Master and Infrastructure Master. The first two are
Forest-wide roles and the last three are domain-wide roles. The Global
Catalog Server is not a role ( in the sense of FSMO Roles ). It looks like
you transferred the domain-wide FSMO Roles from the SBS2000 Server ( DC1 )
to the WIN2000 Advanced Server ( DC2 ).

So long as you have a Small Business Server environment ( where the SBS
Server was the first DC in the environment - which is pretty much the only
way that it can happen IIRC ) you can not establish any trust with any other
domain / forest ( save the above mentioned specific exception ). You can
indeed have additional Servers ( Member Servers and Domain Controllers ) in
the domain.

What is it that you are trying to do? Why did you need to create the trust?
Maybe there is another solution.

HTH,

Cary

 

[Nick P]

Morning Cary

Thank you for the reply. Is there no way of transferring
these roles server roles from the SBS 2000 server to the
Windows 2000 Adv server?? Would this not allow me to
establish a trust with another domain??

The aim of the exercise to to see whether we can establish
a trust between two different offices via our vpn. At the
moment we can browse to the other domain (with a valid
username and password for that domain) however this will
not be sufficient for CVS data checkin/checkout (data
repository like Visual Source Safe). Is there another
seemless way to share information between the domains??

Thanks in advance
Nick P

 

[Cary Shultz [A.D. MVP]]

Nick,

In a SBS2000 environment I was under the impression that the SBS2000 Server
*MUST* hold all five of the FSMO Roles. You can add additional Domain
Controllers or Member Servers ( as I stated in my previous post ).
However, the SBS2000 Server *MUST* hold all five ( so do not transfer any of
them to another DC and for God's sake do not seize them to another DC ).

You can not have a trust with any other domain, be that a child domain in
the same domain tree, another domain tree in the same forest or an external
domain. It is pretty cut and dry!

Now, to answer your question: you should be able to add a VPN at the Site
level ( aka Firewall-to-Firewall ) and thereby 'connect' remote offices.
However, this really does not have anything to do with a domain trust (
unless I am missing something terribly ).

Essentially, when you set up a Firewall-to-Firewall VPN it is like having a
second network segment ( only it is not in the same building ). For
example, your 'home' office would have the 192.168.1.x/24 network segment
and your 'remote' office would have the 192.168.2.x/24 network segment. It
is kinda like you have a router with two LAN interfaces, E0 and E1. Does
that make any sense? You would just set up Sites and Services ( if
appropriate ). We have a client that has a remote office here with four
remote sites. We have set up a Firewall-to-Firewall VPN between the home
site and the remote offices. It is like they are in the same building ( you
just have to deal with the WAN connection ). However, if the situation is
that you need to create a VPN between your SBS domain and another domain
then it will not work as you will need to establish a trust between those
two domains. That aint gonna work! Not with SBS2000 anyway! Unless I am
missing something, if you really need that trust established then you are
going to need to have a non-SBS environment. Sorry!

I might suggest that you take a spin over to the SBS2000 NewsGroup and do a
little searching around in there. You are, naturally, always welcome to
post in the AD NewsGroup, however.

HTH,

Cary

 

[Nick P]

Hi Cary

Thank you very much for all the information. This has made
it crystal clear. I already have a VPN established between
the two sites but as i mentioned previously this will not
suffice for data checkout/checkins as we require Windows
authentication.

I will just have to migrate the users to another domain.
Once again, thank you very much for all your help.

Kindest regards
Nick P

 

[Cary Shultz [A.D. MVP]]

Nick,

You are very welcome. I might suggest that you spin on over to the SBS2000
NewsGroup just to make crystal clear that I am not overlooking anything!

Cary