Re: Re: Questions about Trusts

From: John Rosenlof (greyseal96_at_hotmail.com)
Date: 01/03/05 

Date: Mon, 3 Jan 2005 14:28:48 -0800

Hi Lara,

Thanks for the link. It's going to prove helpful. I was wondering about
something concerning ADMT. Is what you're suggesting that we migrate the
users and groups from domain2 to domain1, then demote the dc of domain2 and
remove Active Directory, then repromote the dc of domain2 and migrate the
users and groups back? I have been doing some reading on TechNet about ADMT
and Domain Restructuring and this seems to be a possibility. Of course,
there's always the possibility that I didn't understand it completely :)

The potential problem with the migration is that we don't have another
computer to use that we could make a dc (to make another tree in the forest)
and then migrate everything from domain2's dc to it. If this would prevent
migration, what would prevent the users from backing files up to disk to
protect against data loss?

Thanks for any clarification that you can offer.

-John
"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41d4be70$1_4@alt.athenanews.com...
> "lforbes" wrote:
> > Hi Ryan,
> >
> > You mentioned something here that I would like clarification
> > on as I haven't ever been able to do this. How did you
> > actually do it?
> >
> > [quote:a5f36b946a]you will need to create new groups local to
> > your domain to hold the foreign users. Then assign privileges
> > to these groups. Create a group, say DomainNameAccountingDept,
> > add the users/ groups from the foreign domain, then assign the
> > new group to the folder.[/quote:a5f36b946a]
> >
> > I have two Domains in a trust (two separate Forests of 2K).
> > However, there is no Option to add the groups from the Foreign
> > Domain. It isn't in the list anywhere. The Only way that I
> > have heard that this can be done is simply by creating
> > Universal Groups which is the benefit of a single Forest
> > rather than two separate Forest/domains. I would be curious to
> > know how you found the foreign domain to add the users or
> > groups?
> >
> > Thanks
> >
> > Lara
>
> Hi John,
>
> In answer to your question. I have my website which specifies how to
> setup DNS properly. http://www.sd61.bc.ca/windows2000
>
> I wouldn't wipe out the User accounts in the one domain. I would use
> the Active Directory Migration Tool available free to download from MS
> (just search for it) and migrate them across. If you don't the
> permissions to their files will be all screwed up as permissions are
> set via SID and not username so even if the users had the same name,
> the permissions would be screwy.
>
> Domains are a security Boundary. Therefore you cannot have access to
> another domain resources unless you are given access. This is by
> design. The Use of Universal Groups in Windows 2000 Native Mode is the
> way for users to get access to multiple domains resources. This is the
> benefit of a single forest vs. two forests. I have never figured out a
> way to access multiple domain resources without using either Universal
> Groups OR the same Username/Pwd in both domains that I mentioned. I
> have been at this some 15 years through NT 3.1/NT4 W2K and now W2003.
> I used to have 4 NT domains and I couldn't even get the users to be
> able to print cross-domain. Therefore the benefit of being able to
> login to either domain is clear.
>
> Cheers,
>
> Lara
>
> --
> http://www.WindowsForumz.com/ This article was posted by author's request
> Articles individually checked for conformance to usenet standards
> Topic URL:
http://www.WindowsForumz.com/Active-Directory-Trusts-ftopict243417.html
> Visit Topic URL to contact author (reg. req'd). Report abuse:
http://www.WindowsForumz.com/eform.php?p=742522

Relevant Pages

  • Re: Re: Questions about Trusts
    ... > add the users/ groups from the foreign domain, ... > Universal Groups which is the benefit of a single Forest ... permissions to their files will be all screwed up as permissions are ... another domain resources unless you are given access. ...
    (microsoft.public.win2000.active_directory)
  • Re: Merge two domains
    ... Is each domain it's own single forest? ... ADMT is the correct tool ... 3rd-party migration tools such as those offered by Quest and NetIQ. ...
    (microsoft.public.windows.server.active_directory)
  • Computer Manger Security
    ... Hi, I'm implementing a secure W2K AD domain (Single Forest, and single ... permissions on file servers, this group has Full Control in NTFS permissions ... ADSIedit, Local security policy, but was not success. ...
    (microsoft.public.windows.server.security)
  • Re: admt and virtual pc
    ... You will do much better if you quote the exact error message, ... ADMT but you don't actually say that and more importantly ... single forest and perhaps NetBIOS (including WINS if ...
    (microsoft.public.windows.server.active_directory)
Loading