Resource sharing between domains...

Cloaked

I have two distinct domains on my intranet. Both are W2K server with
Active Directory. I have established a trust relationship between
them, and can access the various network shares.

What I have discovered though is that server B cannot access anything
from a share on server A where access restrictions have been placed
(via group policy). My attempt was made from the server B console
while logged in as "Administrator".

How do I grant users from the server B domain access to the resources
in the server A domain???

This is something I have not tried to do before, so additional detail
is a good thing! ;)

Thanks
 
Steven L Umbach

Apparently the domains are in different forests and within a forest the domain trusts
would already exist. If that is right, you need to make sure that the domain that
contains server B is the trusted domain and that the domain that contains server A is
the trusting domain. The link below may help.

http://www.microsoft.com/windows200...dows2000/en/advanced/help/sag_AD_UnTrusts.htm

Also try adding the domain users group from the server that contains server B to the
users local group on server A [use lusrmgr.msc]. --- Steve
 
Cloaked

Indeed, the domains are in their own forests.

I had to manually establish a two-way trust so that they could see
each other at all.

The lusrmgr.msc will not run, it tells me that since I am on a domain
controller, I must run "Active Directory Users and Computers".

I tried this, but from inside AD I cannot "browse" to domain B to
include its domain users in the domain users of domain A.

As I said, I can see unprotected "shares", but I cannot access AD
between the two domain controllers.

Steven L Umbach

Verify that the trusts are in place. You can use AD Domains and Trusts to do such by
selecting edit for the trust and verify. I would also run first netdiag and then
dcdiag on each domain controller for any failed test/errors/fatal warnings. For
netdiag you can use the /v switch to find more information about a failed test. In a
W2K domain trust, ntlm and netbios name resolution are important. The best way would
be to use wins in each domain, and then have the wins servers in the domains be
replication partners with each other. Make sure that the wins servers and domain
controllers are also wins servers. You could also use lmhosts files on the domain
controllers. See the link below for more info on that. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;180094 -- note that lmhosts
syntax is case sensitive. Nbtstat -R and then nbtstat -r should show the IP mapping
in the cache.
http://support.microsoft.com/?kbid=228477 -- nltest can also test trusts.
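
The lmhosts fallback mentioned above fails silently when the quoted domain entry is not padded correctly or the keywords are in the wrong case. The following is an added example, not part of the original post: a Python helper that builds the two entries for a remote domain's PDC in the format of the linked KB 180094 (as understood here) and lints an existing line. The address, DC name and domain name are constructed placeholders.

```python
import ipaddress
import re

NETBIOS_MAX = 15        # usable characters; the 16th byte is the service type
PDC_SUFFIX = r"\0x1b"   # literal text lmhosts uses for the <1B> 16th byte
QUOTED_LEN = NETBIOS_MAX + len(PDC_SUFFIX)  # 20 characters between the quotes


def netbios(name, what):
    """Upper-case a NetBIOS name and reject values the format cannot hold."""
    name = name.strip().upper()
    if not 1 <= len(name) <= NETBIOS_MAX:
        raise ValueError("%s %r must be 1-%d characters" % (what, name, NETBIOS_MAX))
    if re.search(r'[\s"#]', name):
        raise ValueError("%s %r contains whitespace, a quote or #" % (what, name))
    return name


def lmhosts_entries(ip, dc_name, domain):
    """Return the two lmhosts lines that let a remote DC find this domain's PDC."""
    ip = str(ipaddress.IPv4Address(ip))            # raises on a malformed address
    dc = netbios(dc_name, "DC name")
    dom = netbios(domain, "domain name")
    quoted = dom.ljust(NETBIOS_MAX) + PDC_SUFFIX   # pad the name to 15 with spaces
    return [
        "%s\t%s\t#PRE #DOM:%s" % (ip, dc, dom),
        '%s\t"%s"\t#PRE' % (ip, quoted),
    ]


def lint_line(line):
    """Return a list of problems found in one existing lmhosts line."""
    problems = []
    # Keywords are written in upper case; flag any lower/mixed-case spelling.
    for tag in re.findall(r"#[A-Za-z]+", line):
        if tag.upper() in ("#PRE", "#DOM") and tag != tag.upper():
            problems.append("keyword %s must be upper case" % tag)
    # A quoted name must be exactly 15 padded characters plus the \0x1b suffix.
    m = re.search(r'"([^"]*)"', line)
    if m:
        body = m.group(1)
        if len(body) != QUOTED_LEN:
            problems.append("quoted name is %d characters, expected %d"
                            % (len(body), QUOTED_LEN))
        elif not body.lower().endswith(PDC_SUFFIX):
            problems.append("quoted name does not end in %s" % PDC_SUFFIX)
    return problems


if __name__ == "__main__":
    # Constructed sample values: 192.168.2.10 / DCB1 / DOMAINB are placeholders.
    for entry in lmhosts_entries("192.168.2.10", "dcb1", "domainb"):
        print(entry)
    # A hand-typed line with a lower-case keyword and a short quoted name.
    print(lint_line('192.168.2.10 "DOMAINB \\0x1b" #pre'))
```

After editing the file on each domain controller, `nbtstat -R` reloads the cache as described in the post.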

Steven L Umbach

Correction.

" In a W2K domain trust, ntlm and netbios name resolution are important."

I meant in a W2K "forest" trust, ntlm and netbios name resolution are important. ---
Steve


Cloaked

Since many people have had this problem, and none of the threads I
could find seem to speak of a resolution to the problem, I thought I
better post back.

I FOUND IT!

DNS!

It seems that the DNS on our older server was not properly configured
by the "consultant" that built and deployed the system a few years
back. (read: the consultant who is now out of business) :(

Once I fixed the DNS info in the TCP/IP protocol, established proper
DNS forward look-up to the internet, and added secondary look-up zones
with the two domains on my intranet pointing at each other - VOILA!

After all that was done I went into Active Directory Domains and
Trusts, and I was able to fully verify the two way trust.

NOTE: The user account that you use in the verification process must
have authority to establish the trust! I just added the account to the
"Enterprise Admins" group and all went well!

Hope this helps someone!
:)

Steven L Umbach

Excellent. FYI netdiag and dcdiag would have shown failed tests or other errors for
dns when run on that server where dns was misconfigured and that is why I recommend
them so much. --- Steve


Cloaked

Thanks Steve!

I forgot to mention that I had to install those tools, and I used
netdiag. When it got to the part about talking to the other server it
just said "[skipped]"! When I looked at the output, this is where I
got my first real clue that DNS was a real possibility.

It sure is a pain in the neck though! I (almost) wish that if
something was not properly configured that it simply would not work at
all. At least that way it becomes self-evident that something is wrong
/ broken and needs to be fixed. When something appears to have been
working for years it is hard to justify tinkering with it.

Having said that, it would have been a whole lot better if there had
been some sort of feature in W2K so that if you tried to establish a
trust and it failed that the wizard could analyze the DNS of both
machines and give you the option to "autoconfigure" and retry the
trust verification. But I guess that would make too much sense. ;)

Thanks again for the help!
