Trust is set up but cannot browse the other domain

Nick

A little history behind the problem.

We have two companies, A and B, with the domains Domain_A and Domain_B,
each in its own forest.
Domain_A is the root domain of a Windows 2000 AD in Native mode.
Domain_B is the root domain of a Windows 2003 AD in interim mode (one
NT4 left).

Company B bought company A and therefore a trust was necessary.
The domains are on separate networks and a firewall is in the middle.

To successfully create a two-way trust I did the following:
* Created two secondary DNS zones for Domain_B in Domain_A
(domain_B.com and _msdcs.domain_B.com)
* Created a secondary DNS zone for Domain_A in Domain_B (domain_A)
* Followed article Q179442 to open ports in the firewall.

The trust was set up successfully but now the problems started.

* I cannot browse domain_A from domain_B, and vice versa, with Explorer.
I don't even see the other domain, only our own domain and some
workgroups.

* I cannot browse domain_A's AD from domain_B, and vice versa, with AD
Users and Computers. Here I can see the other AD but cannot browse it.
There is no + to expand the tree.

I cannot see anything in the firewall logs that is preventing this
(blocked ports etc.).
The event viewer shows nothing.

Have I missed something really basic here?
Is article Q179442 not enough?

Any help is appreciated!

Thanks in advance!

/ Nick
 
Ace Fekay [MVP]

In
Nick said:
A little history behind the problem.

We have two companies, A and B, with the domains Domain_A and Domain_B,
each in its own forest.
Domain_A is the root domain of a Windows 2000 AD in Native mode.
Domain_B is the root domain of a Windows 2003 AD in interim mode (one
NT4 left).

Company B bought company A and therefore a trust was necessary.
The domains are on separate networks and a firewall is in the middle.

To successfully create a two-way trust I did the following:
* Created two secondary DNS zones for Domain_B in Domain_A
(domain_B.com and _msdcs.domain_B.com)
* Created a secondary DNS zone for Domain_A in Domain_B (domain_A)
* Followed article Q179442 to open ports in the firewall.

The trust was set up successfully but now the problems started.

* I cannot browse domain_A from domain_B, and vice versa, with
Explorer. I don't even see the other domain, only our own domain and
some workgroups.

* I cannot browse domain_A's AD from domain_B, and vice versa, with AD
Users and Computers. Here I can see the other AD but cannot browse it.
There is no + to expand the tree.

I cannot see anything in the firewall logs that is preventing this
(blocked ports etc.).
The event viewer shows nothing.

Have I missed something really basic here?
Is article Q179442 not enough?

Any help is appreciated!

Thanks in advance!

/ Nick

Browsing depends on the Browser service, which is NetBIOS based. WINS is the
answer for NetBIOS resolution since it's across subnets and the fact NetBIOS
doesn't traverse between subnets (routers).

Also, surprisingly, with an external trust (between two domains of different
forests or between NT4 and Win2000 or 2003 domains), you've got the trust
created since you didn't indicate NetBIOS resolution support between the
locations, especially since they are across subnets. Are you sure the trust
was established and that the trust can be verified?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
Guest

Are you being presented with an authentication box when you try to view the
other domain using AD Users and Computers? If you haven't already tried, open
up a domain Builtin group, such as Users, and try to browse the other domain,
as if you were going to add a group. If you receive "Domain currently
unavailable..." or something like that, instead of an authentication box, it
would lead me to believe that something is being blocked at the firewall.
You can also try to map a drive to a computer in the other domain to see if SMB
is even working through the firewall. If you are prompted for
authentication, that means it is working.

I wouldn't worry so much about not seeing computers in Explorer, if you are
referring to "Entire Network". Entire Network is populated by NetBIOS names
only, which makes it work only via broadcasts by the "Computer Browser"
service, or if there is a WINS server.
 
Jorge_de_Almeida_Pinto

A little history behind the problem.

We have two companies, A and B, with the domains Domain_A and Domain_B,
each in its own forest.
Domain_A is the root domain of a Windows 2000 AD in Native mode.
Domain_B is the root domain of a Windows 2003 AD in interim mode (one
NT4 left).

Company B bought company A and therefore a trust was necessary.
The domains are on separate networks and a firewall is in the middle.

To successfully create a two-way trust I did the following:
* Created two secondary DNS zones for Domain_B in Domain_A
(domain_B.com and _msdcs.domain_B.com)
* Created a secondary DNS zone for Domain_A in Domain_B (domain_A)
* Followed article Q179442 to open ports in the firewall.

The trust was set up successfully but now the problems started.

* I cannot browse domain_A from domain_B, and vice versa, with Explorer.
I don't even see the other domain, only our own domain and some
workgroups.

* I cannot browse domain_A's AD from domain_B, and vice versa, with AD
Users and Computers. Here I can see the other AD but cannot browse it.
There is no + to expand the tree.

I cannot see anything in the firewall logs that is preventing this
(blocked ports etc.).
The event viewer shows nothing.

Have I missed something really basic here?
Is article Q179442 not enough?

Any help is appreciated!

Thanks in advance!

/ Nick

If my memory serves me right you need NetBIOS name resolution between
both forests if one of them is W2K. You could use WINS for that.
 
Jorge_de_Almeida_Pinto

Jorge_de_Almeida_Pinto said:
If my memory serves me right you need NetBIOS name resolution
between both forests if one of them is W2K. You could use WINS
for that.

Just tested that and it works without NetBIOS, so never mind what I
said.
 
Nick

When I try to view the other domain in AD Users & Computers I'm not
presented with an authentication box. Instead I can see the domain but
when I click on the domain it doesn't expand its tree. This happens
from both domains.

I can map a drive on a server in the other domain and when I try that
I'm presented with an authentication box.

I don't know what this means. Should both work if I can map a drive?
 
Nick

The trust was set up from Domain_B and it said it was successful and
verified, so I thought that was OK.
Today when I tried to verify the trust I got this result:
From Domain_B to Domain_A the trust can be verified.
From Domain_A to Domain_B the trust couldn't be verified because the
authentication box is not accepting the administrator account in
Domain_B. It states it wants an account with rights to modify trusts. Our
Administrator account is in the Enterprise Admins group, Domain Admins
group and Administrators group. Shouldn't that be enough? We don't have
an account with higher rights.

Ace, do you have any ideas here?
 
Ace Fekay [MVP]

In
Nick said:
When I try to view the other domain in AD Users & Computers I'm not
presented with an authentication box. Instead I can see the domain but
when I click on the domain it doesn't expand its tree. This happens
from both domains.

I can map a drive on a server in the other domain and when I try that
I'm presented with an authentication box.

I don't know what this means. Should both work if I can map a drive?

For the ability to administer the other domain thru ADUC, the domain admin
group from one domain must be added to the local admin group of the other
domain after the trust is in place, and vice-versa.

Ace
 
Ace Fekay [MVP]

In
Nick said:
The trust was set up from Domain_B and it said it was successful and
verified, so I thought that was OK.
Today when I tried to verify the trust I got this result:

authentication box is not accepting the administrator account in
Domain_B. It states it wants an account with rights to modify trusts. Our
Administrator account is in the Enterprise Admins group, Domain Admins
group and Administrators group. Shouldn't that be enough? We don't
have an account with higher rights.

Ace, do you have any ideas here?

Do you have NetBIOS name resolution support?
Are you using WINS between the two domains??

Firewall rules? MTU changes?


Ace
 
Nick

We are not using WINS in the domains.
The only firewall rules that are applied are the rules described in the
article: Q179442
We haven't done any MTU changes.

Is it better to create the trust with NETDOM instead of the GUI?
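The checks Guest suggested earlier (does SMB get through the firewall, is the problem authentication or connectivity) and the NETDOM question just above can both be worked through from one script. The following is an added example written for this thread, not code posted by anyone in it. It assumes it is run from a domain controller or admin workstation in Domain_B, that `domain_A.example` and `domain_B.example` are placeholders for the real DNS names, and that `Resolve-DnsName` and `Test-NetConnection` are available (Windows 8 / Server 2012 or later). The port list is what I recall from KB Q179442; confirm it against the current article, since the thread itself does not list the ports.

```powershell
# Added example: connectivity, DC-locator and trust-verification checks between
# two forests separated by a firewall. Run from the Domain_B side.
# The domain names are placeholders; the port list is from memory of Q179442.
param(
    [string]$RemoteDomain = 'domain_A.example',   # placeholder for Domain_A's DNS name
    [string]$LocalDomain  = 'domain_B.example'    # placeholder for Domain_B's DNS name
)

# 1. Locate a DC of the other domain via its _msdcs SRV records. A failure here
#    means the secondary zones (domain_A and _msdcs.domain_A) are not transferring,
#    and nothing further will work regardless of the firewall.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop
$remoteDc = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
"Remote DC from SRV lookup: $remoteDc"

# 2. TCP ports a trust relies on. UDP 53/88/137/138/389 cannot be probed with a
#    connect test and are deliberately not covered here; check them in the firewall
#    rule base instead.
$ports = [ordered]@{
    53   = 'DNS (zone transfer / TCP fallback)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (trust setup, ADUC)'
    139  = 'NetBIOS session (browsing, legacy SMB)'
    389  = 'LDAP'
    445  = 'SMB over TCP (drive mapping test)'
    3268 = 'Global Catalog LDAP'
}
foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $remoteDc -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1,-42} {2}' -f $p, $ports[$p], $state
}

# 3. Does the DC locator find the other domain, and does the trust verify?
#    If every port above is open but these fail, the problem is the trust object
#    or the credentials used, not the firewall.
nltest /dsgetdc:$RemoteDomain
nltest /sc_verify:$RemoteDomain
netdom trust $LocalDomain /d:$RemoteDomain /verify

# 4. Does the other DC's NetBIOS name resolve without WINS? Explorer's
#    "Entire Network" and the ADUC object picker depend on this across subnets.
nbtstat -a ($remoteDc.Split('.')[0])
```

Reading the output: a mapped drive prompting for credentials while ADUC shows no + sign is consistent with 445 open but 135 (RPC) or the RPC dynamic range blocked, which this script would show as `BLOCKED` on 135; ADUC uses RPC and LDAP, not SMB, to expand the tree. A `netdom trust ... /verify` failure with all ports open points at the trust itself, which is what Nick later reports from the Domain_A side.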
 
Nick

I understand that the administrators must be in each other's domain. The
problem is that I cannot browse the domain at the moment.
I'll try to create the trust again and see what happens.
 
Ace Fekay [MVP]

In
Nick said:
We are not using WINS in the domains.
The only firewall rules that are applied are the rules described in
the article: Q179442
We haven't done any MTU changes.

Is it better to create the trust with NETDOM instead of the GUI?

Looks like WINS will be required to accomplish your intentions. If WINS is on
both sides, just make a replication partner of each other and the browsing
(Network Neighborhood and browsing for a user in the other domain) will
populate and function.

Ace
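Ace's answer describes making the two WINS servers replication partners. As an added example that is not from the thread, this is how that pairing is done from an elevated prompt with the built-in `netsh wins` context, once a WINS server exists on each side and the firewall permits the WINS replication port between the two servers. The server names and addresses are placeholders, and the `netsh wins` syntax is reproduced from memory: confirm it with `netsh wins server help` before running it.

```powershell
# Added example: pair WINS_B (Domain_B side) with WINS_A (Domain_A side) as
# push/pull replication partners. Placeholder names and addresses; netsh wins
# syntax from memory, verify with "netsh wins server help".
$winsB   = '\\WINS-B'        # placeholder: WINS server in Domain_B (run this from there)
$winsAIp = '192.0.2.10'      # placeholder: address of the WINS server in Domain_A

# Type=3 means both push and pull; 1 = pull only, 2 = push only.
netsh wins server $winsB add partner Server=$winsAIp Type=3

# Repeat on the Domain_A WINS server, pointing at WINS_B's address, so the
# partnership is symmetric (a placeholder address is used here too).
$winsA   = '\\WINS-A'
$winsBIp = '192.0.2.20'
netsh wins server $winsA add partner Server=$winsBIp Type=3

# Confirm the partnership is listed and trigger an initial replication so the
# other domain's domain and DC records appear without waiting for the interval.
netsh wins server $winsB show partner
netsh wins server $winsB init replicate

# Point the DCs and clients at their local WINS server (DHCP option 044 or the
# adapter's TCP/IP settings), then re-check that the other domain's NetBIOS
# name now resolves from a client that could not see it before.
nbtstat -a DC-A    # placeholder NetBIOS name of a Domain_A DC
```

Once the domain records (the 1B and 1C entries for each domain name) appear in both WINS databases, Explorer's browse list and the ADUC object picker can find the other domain across the firewall, which is the behaviour Ace describes.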
 