Join forests? How

Fran

I have a Windows 2000 domain and a Windows 2003 domain. I need to
share resources between these two. I have the routing already set up
and can ping by address and name. Now I need to share some drive
folders (map drives between domains)

I was told I needed to create a trust between forests. Is this
correct? If so, how do I create a forest trust?

-Fran-
 
Steven L Umbach

You cannot create trusts between forests in your situation but you can
create external trusts between the two domains. First make sure your name
resolution is working correctly for netbios and dns. For netbios over tcp/ip
the easiest way would be to have the wins servers in each domain also be
replication partners with each other. For dns you could easily have the
Windows 2003 domain controllers running dns use conditional forwarding to
a domain controller running dns in the Windows 2000 domain. For the Windows
2000 domain, configure the domain controllers running dns to have a
secondary forward lookup zone for the Windows 2003 domain. The links below
may be helpful. Also in Windows 2000 Help go to Contents/Active
Directory/how to/manage domains and trusts. --- Steve

http://www.microsoft.com/windows200...ios/trust_config_external_trust_relations.asp
 
Fran

Steve,

Thanks for the info. I have a 2003 server acting as a primary DNS
server on domainA. The domainB server is Windows 2000.

I created a fwd lookup zone on domainA that points to domainB. Should
I do the same on domainB to domainA?

I didn't understand the rest of your instructions, however. TMI? I
don't have WINS running as it's all 2000 and XP on these networks.

With the DNS running with lookups going both ways I can ping but cannot
access the networks. When I open up Windows Explorer and type in
\\office1.sales.domainA.local
I get "There are currently no logon servers available to service the
request."

I'm not sure if this is a resource issue or a DNS issue or both. Any
thoughts?


-Fran-
 
Steven L Umbach

You might want to enable wins or use lmhosts files to enable netbios name
resolution between the pdc fsmo in each domain. Even though Windows 2000 and
2003 use dns as their primary name resolution method, NBT [netbios over
tcp/ip] is still used in some situations including creation of external
trusts which relies on ntlm authentication - not kerberos. You could try it
without using NBT by making sure that your dns is correct between domains
first but you may very well end up needing NBT. If your users still are
using My Network Places to locate domain resources it makes sense to enable
wins on the domain as it will speed up use of My Network Places and reduce
broadcasts on the network. If you enable wins, make sure that the domain
controllers and the wins server are also wins clients. The wins server
should be a wins client only to itself. The link below explains more on NBT
in Windows 2000 and 2003.

http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html --- NBT in Windows 2000 and 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;314108 --- lmhosts

As far as dns, yes you want each domain to be able to resolve dns for the
other domain before you enable the trust between domains. Windows 2000 would
need to make use of a secondary dns zone on its dns servers for the
other domain and you could do the same for Windows 2003 or use conditional
forwarding to have dns queries forwarded to the domain controllers running
dns in the Windows 2000 domain. Conditional forwarding is very easy to
configure. You can use the nslookup command to see if you can resolve names
in the other domain which should be done before you try to enable the
trusts. "There are currently no logon servers available to service the
request." would be either a name resolution or connectivity issue. If you
can ping the target servers via IP address from each other most likely it is
a name resolution issue. --- Steve


http://www.windowsnetworking.com/ar...tional_Forwarding_in_Windows_Server_2003.html --- how to enable conditional forwarding.
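
The name-resolution checks suggested in the reply above, collected into one batch file to run on a domain controller in each domain before creating the external trust. This is an added example, not part of the original thread; the domain names and the IP address are constructed placeholders, and nltest is assumed to be installed from the Windows Support Tools.

```batch
@echo off
rem Added example: pre-trust name-resolution check.
rem Assumptions (constructed values, replace with your own):
rem   REMOTE_DNS_DOMAIN     - DNS name of the other domain
rem   REMOTE_NETBIOS_DOMAIN - NetBIOS name of the other domain
rem   REMOTE_DNS_SERVER     - IP of a DC running DNS in the other domain
setlocal
set REMOTE_DNS_DOMAIN=domainB.local
set REMOTE_NETBIOS_DOMAIN=DOMAINB
set REMOTE_DNS_SERVER=192.0.2.10

echo == 1. DC locator records via this machine's own DNS server
rem Exercises the local secondary zone or conditional forwarder.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE_DNS_DOMAIN%
nslookup -type=SRV _ldap._tcp.pdc._msdcs.%REMOTE_DNS_DOMAIN%

echo == 2. Same query sent directly to the remote DNS server
rem Separates a local DNS configuration problem from a remote/connectivity one.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE_DNS_DOMAIN% %REMOTE_DNS_SERVER%

echo == 3. NetBIOS: reload lmhosts #PRE entries, then list the name cache
nbtstat -R
nbtstat -c

echo == 4. Locate the remote PDC by NetBIOS domain name
nltest /dcname:%REMOTE_NETBIOS_DOMAIN%
endlocal
```

If step 2 answers but step 1 does not, the local secondary zone or conditional forwarder is the piece to fix. If step 4 fails while the DNS queries succeed, NetBIOS name resolution (WINS or lmhosts) for the other domain's PDC is what is missing.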
 
