trust between forest - windows 2000


Guest

Hi,
Does Windows 2000 Active Directory allow establishing a trust between forests?
Or is there a trick to allow that??? Thanks.
Seeker01
 

Dean Wells [MVP]

seeker01 said:
> Hi,
> Does Windows 2000 Active Directory allow establishing a trust between
> forests? Or is there a trick to allow that??? Thanks.
> Seeker01

No, domain to domain trusts between forests (uswa NTLM for
authentication and is non-transitive) are supported but that doesn't
equate to the two entire forests trusting one another. It is supported
with Windows Server 2003 (uses Kerberos for authentication and is
transitive between the domains in either forest) assuming something
known as the "forest functional level" is set to Windows 2003 Native.
 

Dean Wells [MVP]

> No, domain to domain trusts between forests (uswa NTLM for
> authentication and is non-transitive) are supported but that doesn't
> equate to the two entire forests trusting one another. It is
> supported with Windows Server 2003 (uses Kerberos for authentication
> and is transitive between the domains in either forest) assuming
> something known as the "forest functional level" is set to Windows
> 2003 Native.

<GRIN> uswa = uses (missed by 1 column)
 

Guest

Thanks Dean. This is so disappointing. I was obviously misled by the TechNet
article "Managing Trusts".

Dean Wells said:
> seeker01 said:
>> Hi,
>> Does Windows 2000 Active Directory allow establishing a trust between
>> forests? Or is there a trick to allow that??? Thanks.
>> Seeker01
>
> No, domain to domain trusts between forests (uswa NTLM for
> authentication and is non-transitive) are supported but that doesn't
> equate to the two entire forests trusting one another. It is supported
> with Windows Server 2003 (uses Kerberos for authentication and is
> transitive between the domains in either forest) assuming something
> known as the "forest functional level" is set to Windows 2003 Native.
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
 

Dean Wells [MVP]

seeker01 said:
> Thanks Dean. This is so disappointing. I was obviously misled by the
> TechNet article "Managing Trusts".
>
> Dean Wells said:
>> seeker01 said:
>>> Hi,
>>> Does Windows 2000 Active Directory allow establishing a trust between
>>> forests? Or is there a trick to allow that??? Thanks.
>>> Seeker01
>>
>> No, domain to domain trusts between forests (uswa NTLM for
>> authentication and is non-transitive) are supported but that doesn't
>> equate to the two entire forests trusting one another. It is
>> supported with Windows Server 2003 (uses Kerberos for authentication
>> and is transitive between the domains in either forest) assuming
>> something known as the "forest functional level" is set to Windows
>> 2003 Native.
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l

Which aspects of cross-forest trust do you require that are not met by
domain to domain trusts between forests? This may simply be a
misunderstanding of terminology ... feel free to paste the pertinent
piece(s) of the article you're referencing.
 

Guest

from "Table 1.20 Trust Management Tasks and Procedures"

Tasks
====
Create an external trust (between a Windows 2000 domain and a Windows NT 4.0
domain, or between domains in different forests).
Procedures
=======
Create a One-way Trust (MMC Method).
Create a One-way Trust (Netdom.exe Method).
Create a Two-way Trust (MMC Method).
Create a Two-way Trust (Netdom.exe Method).
Tools
===
Active Directory Domains and Trusts (Windows 2000)
-Or-
Netdom.exe
User Manager for Domains (Windows NT 4.0)
Frequency
=======
As needed

Dean Wells said:
> seeker01 said:
>> Thanks Dean. This is so disappointing. I was obviously misled by the
>> TechNet article "Managing Trusts".
>>
>> Dean Wells said:
>>> seeker01 wrote:
>>>> Hi,
>>>> Does Windows 2000 Active Directory allow establishing a trust between
>>>> forests? Or is there a trick to allow that??? Thanks.
>>>> Seeker01
>>>
>>> No, domain to domain trusts between forests (uswa NTLM for
>>> authentication and is non-transitive) are supported but that doesn't
>>> equate to the two entire forests trusting one another. It is
>>> supported with Windows Server 2003 (uses Kerberos for authentication
>>> and is transitive between the domains in either forest) assuming
>>> something known as the "forest functional level" is set to Windows
>>> 2003 Native.
>>>
>>> --
>>> Dean Wells [MVP / Directory Services]
>>> MSEtechnology
>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>> R e m o v e t h e m a s k t o s e n d e m a i l
>
> Which aspects of cross-forest trust do you require that are not met by
> domain to domain trusts between forests? This may simply be a
> misunderstanding of terminology ... feel free to paste the pertinent
> piece(s) of the article you're referencing.
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
 

Dean Wells [MVP]

seeker01 said:
> from "Table 1.20 Trust Management Tasks and Procedures"
>
> Tasks
> ====
> Create an external trust (between a Windows 2000 domain and a Windows
> NT 4.0 domain, or between domains in different forests).
> Procedures
> =======
> Create a One-way Trust (MMC Method).
> Create a One-way Trust (Netdom.exe Method).
> Create a Two-way Trust (MMC Method).
> Create a Two-way Trust (Netdom.exe Method).
> Tools
> ===
> Active Directory Domains and Trusts (Windows 2000)
> -Or-
> Netdom.exe
> User Manager for Domains (Windows NT 4.0)
> Frequency
> =======
> As needed
>
> "Dean Wells [MVP]" wrote:

The article is entirely accurate. As I mentioned in my original reply,
you CAN create trusts between domains in different forests using Windows
2000 but not between entire forests ... it is possible that there's an
aspect of the Windows 2003 Cross-forest trust capability that you
require but you haven't alluded to it as yet. My guess is that the
standard domain to domain trusts (external) between forests supported by
Windows 2000 will suffice ... but, without further information, that is
just a guess.
 

Guest

Hi Dean,
My company still uses an NT4 domain, & I have set up a Windows 2000 AD that
merely runs Cisco RADIUS servers as a shared service application that
authenticates many other companies. I can't run Windows 2003 AD because the
Cisco RADIUS server does not support Windows 2003. It is a one-way trust I have
set up between the NT4 domain & the Windows 2000 AD. A few months later, the NT4
domain will be upgraded to Windows 2003 AD. Do you know if I can set up a forest
trust between Windows 2003 AD & Windows 2000 AD? Thanks heaps. Rgds, seeker01

seeker01 said:
> Thanks Dean. This is so disappointing. I was obviously misled by the
> TechNet article "Managing Trusts".
>
> Dean Wells said:
>> seeker01 said:
>>> Hi,
>>> Does Windows 2000 Active Directory allow establishing a trust between
>>> forests? Or is there a trick to allow that??? Thanks.
>>> Seeker01
>>
>> No, domain to domain trusts between forests (uswa NTLM for
>> authentication and is non-transitive) are supported but that doesn't
>> equate to the two entire forests trusting one another. It is supported
>> with Windows Server 2003 (uses Kerberos for authentication and is
>> transitive between the domains in either forest) assuming something
>> known as the "forest functional level" is set to Windows 2003 Native.
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l
 

Dean Wells [MVP]

seeker01 said:
> Hi Dean,
> My company still uses an NT4 domain, & I have set up a Windows 2000 AD
> that merely runs Cisco RADIUS servers as a shared service application
> that authenticates many other companies. I can't run Windows 2003 AD
> because the Cisco RADIUS server does not support Windows 2003. It is a
> one-way trust I have set up between the NT4 domain & the Windows 2000
> AD. A few months later, the NT4 domain will be upgraded to Windows 2003
> AD. Do you know if I can set up a forest trust between Windows 2003 AD &
> Windows 2000 AD? Thanks heaps. Rgds, seeker01
>
> seeker01 said:
>> Thanks Dean. This is so disappointing. I was obviously misled by the
>> TechNet article "Managing Trusts".
>>
>> Dean Wells said:
>>> seeker01 wrote:
>>>> Hi,
>>>> Does Windows 2000 Active Directory allow establishing a trust between
>>>> forests? Or is there a trick to allow that??? Thanks.
>>>> Seeker01
>>>
>>> No, domain to domain trusts between forests (uswa NTLM for
>>> authentication and is non-transitive) are supported but that doesn't
>>> equate to the two entire forests trusting one another. It is
>>> supported with Windows Server 2003 (uses Kerberos for
>>> authentication and is transitive between the domains in either
>>> forest) assuming something known as the "forest functional level"
>>> is set to Windows 2003 Native.
>>>
>>> --
>>> Dean Wells [MVP / Directory Services]
>>> MSEtechnology
>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>> R e m o v e t h e m a s k t o s e n d e m a i l

Again, no ... but this is almost certainly a question of terminology and
nothing more at this point. You CAN create a trust (near identical to
the one you currently have) between a single domain in the 2000 forest
and a single domain in the proposed 2003 forest. If either forest has
more than one domain and trust relationships are required for those also
then you'll need to create additional trust relationships.

PS - Does the RADIUS server you're using impose a requirement that it
MUST run on a Domain Controller?
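The distinction Dean keeps returning to (an external trust is domain-to-domain, NTLM-authenticated and non-transitive; a forest trust is Kerberos-authenticated, transitive across both forests, and needs the forest functional level raised to Windows Server 2003) can be checked on a live directory rather than argued from terminology. The PowerShell below is an added example for this thread, not code from Dean, the original poster or Microsoft's documentation. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the domain's trustedDomain objects, and that the function names Get-TrustKind, Get-TrustReport and Test-ForestTrustReady are mine; the flag bits come from the documented trustAttributes attribute.

```powershell
# Added example (not from the thread): classify each trust of the current
# domain as external (domain-to-domain, non-transitive) or forest
# (transitive across both forests), and check the forest functional level
# prerequisite for creating a forest trust.
Import-Module ActiveDirectory

# Flag bits of the trustAttributes attribute on a trustedDomain object.
# Only the bits this script interprets are listed.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering enabled
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # the Windows 2003 forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # parent/child or tree-root trust

# Map the attribute bits onto the vocabulary used in the thread.
function Get-TrustKind {
    param([int]$Attributes)
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST)     { return 'intra-forest' }
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { return 'forest' }
    return 'external'
}

# One row per trust, with the properties a reviewer wants to see at a glance.
function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr = [int]$_.TrustAttributes
        [pscustomobject]@{
            Partner       = $_.Target
            Direction     = $_.Direction        # Inbound / Outbound / BiDirectional
            Kind          = Get-TrustKind -Attributes $attr
            Transitive    = -not ($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            SidFiltering  = [bool]($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
            SelectiveAuth = $_.SelectiveAuthentication
        }
    }
}

# A forest trust requires the Windows Server 2003 forest functional level
# (or higher) on both sides. The interim level used during an NT4 upgrade
# does not qualify, which is relevant to the poster's migration plan.
function Test-ForestTrustReady {
    $mode = (Get-ADForest).ForestMode
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    return ([int]$mode -ge [int]$required)
}

Get-TrustReport | Format-Table -AutoSize
if (Test-ForestTrustReady) {
    'Forest functional level permits creating a forest trust.'
} else {
    'Forest functional level is below Windows Server 2003; only external trusts are possible.'
}
```

Run it from a domain member in each forest; a trust that shows Kind = external and Transitive = False is exactly the Windows 2000-style relationship Dean describes, and one showing Kind = forest is the Windows 2003 cross-forest trust. The SidFiltering column is worth a look on any external trust: SID filtering is what stops the trusted domain from presenting SIDs it does not own, so a False there deserves an explanation. `netdom query trust` lists the same relationships from the command line if the module is not available.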
 

Guest

Thanks Dean. It is not a requirement for the RADIUS server to run on a DC.
Management prefers that because they want to save hardware cost.

Dean Wells said:
> seeker01 said:
>> Hi Dean,
>> My company still uses an NT4 domain, & I have set up a Windows 2000 AD
>> that merely runs Cisco RADIUS servers as a shared service application
>> that authenticates many other companies. I can't run Windows 2003 AD
>> because the Cisco RADIUS server does not support Windows 2003. It is a
>> one-way trust I have set up between the NT4 domain & the Windows 2000
>> AD. A few months later, the NT4 domain will be upgraded to Windows 2003
>> AD. Do you know if I can set up a forest trust between Windows 2003 AD &
>> Windows 2000 AD? Thanks heaps. Rgds, seeker01
>>
>> seeker01 said:
>>> Thanks Dean. This is so disappointing. I was obviously misled by the
>>> TechNet article "Managing Trusts".
>>>
>>> Dean Wells said:
>>>> seeker01 wrote:
>>>>> Hi,
>>>>> Does Windows 2000 Active Directory allow establishing a trust between
>>>>> forests? Or is there a trick to allow that??? Thanks.
>>>>> Seeker01
>>>>
>>>> No, domain to domain trusts between forests (uswa NTLM for
>>>> authentication and is non-transitive) are supported but that doesn't
>>>> equate to the two entire forests trusting one another. It is
>>>> supported with Windows Server 2003 (uses Kerberos for
>>>> authentication and is transitive between the domains in either
>>>> forest) assuming something known as the "forest functional level"
>>>> is set to Windows 2003 Native.
>>>>
>>>> --
>>>> Dean Wells [MVP / Directory Services]
>>>> MSEtechnology
>>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>>> R e m o v e t h e m a s k t o s e n d e m a i l
>
> Again, no ... but this is almost certainly a question of terminology and
> nothing more at this point. You CAN create a trust (near identical to
> the one you currently have) between a single domain in the 2000 forest
> and a single domain in the proposed 2003 forest. If either forest has
> more than one domain and trust relationships are required for those also
> then you'll need to create additional trust relationships.
>
> PS - Does the RADIUS server you're using impose a requirement that it
> MUST run on a Domain Controller?
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
 

Dean Wells [MVP]

seeker01 said:
> Thanks Dean. It is not a requirement for the RADIUS server to run on a DC.
> Management prefers that because they want to save hardware cost.
>> Again, no ... but this is almost certainly a question of terminology
>> and nothing more at this point. You CAN create a trust (near
>> identical to the one you currently have) between a single domain in
>> the 2000 forest and a single domain in the proposed 2003 forest. If
>> either forest has more than one domain and trust relationships are
>> required for those also then you'll need to create additional trust
>> relationships.
>>
>> PS - Does the RADIUS server you're using impose a requirement that it
>> MUST run on a Domain Controller?
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l

That being the case, a Windows 2000 domain member could continue to run
the RADIUS service while both forests run with solely Windows 2003
Domain Controllers thereby allowing a Cross-forest trust to be created.
However, I'll take your lack of response to my other questions as
indication that an external trust will suffice.

Hope all this was of use.
 
