Trust Relationship NT4 & W2K Domains

[Guest]

We have a requirement to setup a two way Trust
Relationship between a NT4 Domain and a Windows 2000
Domain. We have setup a couple of servers in a lab to
test and prove a solution before completing on our
production Servers.

There were no issues noted during the creation of the two-
way Trust. However we cannot logon to either of the PDC's
with the Administrator account from the other Domain.
Also we cannot view the security group properties for the
respective alternate Domains.

We already have in production a similar configuration
between two NT4 Domains which has no special setup apart
from a two-way Trust Relationship and we do not have
these issues.

Can someone please advise if there are special
requirements for allowing this functionality between a
NT4 Domain and a W2K Domain.

 

[Steven L Umbach]

Try adding the administrators account [or domain admins group if appropriate] you are
using from each domain to the administrators group on the other domain to see if that
helps. --- Steve

 

[Guest]

Thanks for the idea, we had already considered this
option but when you open the Domain Admins group on each
of the domains there does not appear to be anyway to
access the users/group from the other Domain.

Also in the current Trust Relationship between the two
NT4 Domains which is working, this has not been necessary
and access would appear to be provided through the two-
way Trust only.

I believe that I can get some of these things working by
adding the respective Domain Admins Groups into the
Policies "Logon on locally" & "Access this computer from
the network". However this has not been necessary to make
the Trust Relationship work between the NT4 Domains. We
would therefore consider this to be a work around and
would be concerned what other things are not going to
work for clients from either Domain connecting to the
alternate Domain.

We need to establish seemless functionality between the
two domains from both an administrative and client
perspective. I have been unable to locate any
documentation which might outline the requirements for
this solution to function as desired.

Any further ideas would be much appreciated.

-----Original Message-----
Try adding the administrators account [or domain admins group if appropriate] you are
using from each domain to the administrators group on

the other domain to see if that

 

[Steven L Umbach]

That is why you would have to add them to the administrators built in group for that
domain, you can not add them to the domain admins because that is a global group.
You should see that the domain admins group of a domain is already a member of the
built in administrators group for the domain. I really don't know why it works for
you with two NT4.0 domains, but then W2K did beef up security somewhat compared to
NT4.0 so it does not surprise me that it does not work the same way. --- Steve

Thanks for the idea, we had already considered this
option but when you open the Domain Admins group on each
of the domains there does not appear to be anyway to
access the users/group from the other Domain.

Also in the current Trust Relationship between the two
NT4 Domains which is working, this has not been necessary
and access would appear to be provided through the two-
way Trust only.

I believe that I can get some of these things working by
adding the respective Domain Admins Groups into the
Policies "Logon on locally" & "Access this computer from
the network". However this has not been necessary to make
the Trust Relationship work between the NT4 Domains. We
would therefore consider this to be a work around and
would be concerned what other things are not going to
work for clients from either Domain connecting to the
alternate Domain.

We need to establish seemless functionality between the
two domains from both an administrative and client
perspective. I have been unable to locate any
documentation which might outline the requirements for
this solution to function as desired.

Any further ideas would be much appreciated.

-----Original Message-----
Try adding the administrators account [or domain admins group if appropriate] you are
using from each domain to the administrators group on

the other domain to see if that

helps. --- Steve




.

 

[Guest]

By way of closure, I think I have solved this issue
within the Lab environment and this is yet to be proved
in production.

I added the Domain Admins group from each Domain into the
Local Administrators group on the other domain. I also
found that I had to add the Domain Users from the W2K
Domain into the Policy "Access this computer from
network" and this all appears to function as we would
like providing seemless functionality from both an
Administrative and client perspective.

Thanks for your help Steve.

-----Original Message-----
That is why you would have to add them to the

administrators built in group for that

domain, you can not add them to the domain admins

because that is a global group.

You should see that the domain admins group of a domain is already a member of the
built in administrators group for the domain. I really don't know why it works for
you with two NT4.0 domains, but then W2K did beef up security somewhat compared to
NT4.0 so it does not surprise me that it does not work the same way. --- Steve

Thanks for the idea, we had already considered this
option but when you open the Domain Admins group on each
of the domains there does not appear to be anyway to
access the users/group from the other Domain.

Also in the current Trust Relationship between the two
NT4 Domains which is working, this has not been necessary
and access would appear to be provided through the two-
way Trust only.

I believe that I can get some of these things working by
adding the respective Domain Admins Groups into the
Policies "Logon on locally" & "Access this computer from
the network". However this has not been necessary to make
the Trust Relationship work between the NT4 Domains. We
would therefore consider this to be a work around and
would be concerned what other things are not going to
work for clients from either Domain connecting to the
alternate Domain.

We need to establish seemless functionality between the
two domains from both an administrative and client
perspective. I have been unable to locate any
documentation which might outline the requirements for
this solution to function as desired.

Any further ideas would be much appreciated.

-----Original Message-----
Try adding the administrators account [or domain

admins
group if appropriate] you are

using from each domain to the administrators group on

the other domain to see if that

helps. --- Steve

We have a requirement to setup a two way Trust
Relationship between a NT4 Domain and a Windows 2000
Domain. We have setup a couple of servers in a lab to
test and prove a solution before completing on our
production Servers.

There were no issues noted during the creation of

the
two-

way Trust. However we cannot logon to either of the PDC's
with the Administrator account from the other Domain.
Also we cannot view the security group properties

for
the

respective alternate Domains.

We already have in production a similar configuration
between two NT4 Domains which has no special setup apart
from a two-way Trust Relationship and we do not have
these issues.

Can someone please advise if there are special
requirements for allowing this functionality between a
NT4 Domain and a W2K Domain.



.

.