Win2003 Child domain trust to Win2000 Forest Root - Is it possible?

Chris

Hi,

I have 2 domains that I need to link together with a two way trust. My first
domain is a Windows 2003 domain that is a child domain of a 2003 Forest. My
other domain only consists of a single forest root domain which is Windows
2000 based. Is having a 2-way trust between the two possible? I have heard
in the past this is only possible between 2003 domains. Doing more research
recently, I have seen the concept of creating an external trust that uses
NTLM instead of Kerberos. Anyway if this is at all possible and if anyone
has any pointers on the steps involved I'd greatly appreciate it.

Thanks
Chris
 
Chris said:
Hi,

I have 2 domains that I need to link together with a two way trust. My first
domain is a Windows 2003 domain that is a child domain of a 2003 Forest. My
other domain only consists of a single forest root domain which is Windows
2000 based. Is having a 2-way trust between the two possible? I have heard
in the past this is only possible between 2003 domains. Doing more research
recently, I have seen the concept of creating an external trust that uses
NTLM instead of Kerberos. Anyway if this is at all possible and if anyone
has any pointers on the steps involved I'd greatly appreciate it.

Win2000 does not support "Forest Trusts"; Win2003 does,
but only under the most advanced functional level and only
to another such Win2003 forest.

You must use EXTERNAL trusts -- always one-way, non-transitive.

These are just like NT trusts and must be set up between
precisely ONE PAIR of domains at a time -- there is no
transitivity (a->b->c does NOT mean that a->c).

You must set the trust from each domain with resources to
each domain with users, explicitly.

By the way, why do you need two way trusts?

Such implies that each domain involved has both users and
RESOURCES and each wishes to share resources with the
other domain users.
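
The setup described in the reply above, sketched with the netdom command-line tool as an added example that is not part of the original thread: one explicit one-way external trust per direction, then a verification of each. The domain names (CHILD.CORP.EXAMPLE for the Windows 2003 child domain, LEGACY.EXAMPLE for the Windows 2000 forest root) and the admin accounts are placeholders.

```bat
:: Added example, not from the original thread. All domain and account
:: names below are placeholders; substitute your own.
::   CHILD.CORP.EXAMPLE = the Windows 2003 child domain
::   LEGACY.EXAMPLE     = the Windows 2000 forest root domain
:: Syntax: netdom trust <trusting domain> /d:<trusted domain> ...
::   /UserD, /PasswordD = credentials for the trusted domain (the /d: one)
::   /UserO, /PasswordO = credentials for the trusting domain
::   "*" prompts for the password instead of putting it on the command line.

:: Direction 1: CHILD (resources) trusts LEGACY (users).
netdom trust CHILD.CORP.EXAMPLE /d:LEGACY.EXAMPLE /add ^
    /UserD:LEGACY\admin /PasswordD:* ^
    /UserO:CHILD\admin /PasswordO:*

:: Direction 2: LEGACY (resources) trusts CHILD (users).
:: Skip this one if only one domain actually hosts shared resources.
netdom trust LEGACY.EXAMPLE /d:CHILD.CORP.EXAMPLE /add ^
    /UserD:CHILD\admin /PasswordD:* ^
    /UserO:LEGACY\admin /PasswordO:*

:: Confirm each direction independently; a failure in one direction
:: does not imply anything about the other.
netdom trust CHILD.CORP.EXAMPLE /d:LEGACY.EXAMPLE /verify
netdom trust LEGACY.EXAMPLE /d:CHILD.CORP.EXAMPLE /verify
```

Because the trust is non-transitive, it covers only this pair: other domains in the 2003 forest get no access to or from LEGACY.EXAMPLE unless they are given their own trusts.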
 