Problem adding users from another forest

NetGear

Hi,

We have a two-way forest trust between two Windows 2000 forests. We have an
ancient NT 4.0 file server that has shared directories that the other forest's
users are able to use. I'm also able to manage the other forest's user
permissions on that server's network shares.

Now I built a brand new Windows 2003 server that acts as a member server in
our AD.

The problem is that I'm not able to add users from the other forest to
that server's network shares. The other forest is visible in the "adding
users" dialog box, but when I try to connect to the other forest, it says
that the directory is not operational.

There are correct entries in the 2003 server's lmhosts file and nbtstat -c
gives the right answers. There is also a static mapping for the other domain
in our WINS database. What can I do to solve the problem?
 
Jerold Schulman

See if tip 9422 » "The Object Picker cannot locate objects that are located in another forest in Windows XP and Windows 2000?" in the 'Tips & Tricks' at http://www.jsifaq.com helps.
 
Paul Williams [MVP]

Hi Jerold,

Can you provide me with a link to the information mentioned in your tip
please?

I'm sitting on a 2003 DC with an external trust with an NT 4 domain and am
using the object picker on this DC to add users from the NT 4 domain to
groups in this domain, _and_ to add groups (and users) from the NT 4 domain
to an ACL of a shared folder.

The only strange behaviour I'm noticing is that the check names doesn't seem
to work; although using the advanced option to search the trusted domain
allows me to find users and global groups fine.

Or are you talking about Forest-trusts? In which case, my example doesn't
say anything ;-)

Thanks!!

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


From tip 9422 @ www.jsiinc.com:

When your domain computer tries to add users from another forest to an ACL
(Access Control List) using the Object Picker, it may not enumerate objects
from an external cross-forest trust.

NOTE: DO NOT add users from a trusted forest directly to an ACL. Add
them to domain local groups on the domain controllers in your domain.


This behavior occurs because the Object Picker is only designed to select
objects from the forest that the computer account you are logged on to
belongs.

NOTE: If you use the UPN (User Principal Name), like (e-mail address removed),
you could add users from a trust domain directly to your ACL.
 
Guest

First instance to your problem would be DNS. Configure your DNS settings
correctly. Also, why are you using lmhosts files (these are ignored in a DNS
environment)? Use DNS and conditional forwarding on your root DNS server to
locate the other domain.
 