Re: Multiple domain 2003 and 2000

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

In news:dn8vsh$l71$1@xxxxxxxxxxxxxx,
LarsK <Lars.Kausel@xxxxxx> made this post, which I then commented about
below:
> no it works,
> you go to the w2003 DC -> MMC -> Domains and Trusts.
> you can not create forst root trust, becaus the forset must work at
> W2003 function level, but you can create "external Trust"
> make shure that the DNS config works...

As well as NetBIOS resolution, since external trusts soley rely on NetBIOS
resolution, (hence uses NTLM for authentication), and resolution is NOT DNS
based.

Only Forest trusts work using DNS, but that is only between two forests that
are Windows 2003 Forests and both forests are in 2003 Functional Levels.
This type of trust uses Kerberos for the authentication mechansim, which
relies on DNS.

If there are any questions concerning my above claims, please read these
articles, it is clearly stated:

HOW TO Establish Trusts with a Windows NT-Based Domain in Windows 2000
(Q308195):
http://support.microsoft.com/?id=308195

Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;274438

AD Cookbook, includes trust info, NTLM, and how NTLM uses NetBIOS.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp2.mspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================


.

Relevant Pages

  • Re: One-way trust, Kerberos & IIS
    ... The forest of Domain A is at best Windows 2000 native. ... If you want a trust that supports Kerberos ... you need W2k3 mode forests and a forest-level trust. ... Domain A authentication appears to be using the fall back of NTLM. ...
    (microsoft.public.inetserver.iis.security)
  • RE: How to create trust relationship between Windows 2003 Server (domain controler) and Windows NT 4
    ... relationship between windows NT and Windows 2003 by following the ... Establish Trusts with a Windows NT-Based Domain in Windows Server ... How to Create a Trust Relationship ... Create a Two-Way Trust Relationship ...
    (microsoft.public.win2000.security)
  • Re: Windows 2003 DNS and Windows NT4
    ... To troubleshoot trust configuration issues between a Windows NT 4.0-based ... # Group membership for Microsoft Windows 2000 or Microsoft Windows Server ...
    (microsoft.public.windows.server.migration)
  • Re: Trust is set up but cannot browse the other domain
    ... > Domain_A is the rootdomain in a Windows 2000 AD in Native mode. ... > Company B bought company A and therefore a trust was necessary. ... answer for NetBIOS resolution since it's across subnets and the fact NetBIOS ... please direct all replies ONLY to the Microsoft public newsgroup ...
    (microsoft.public.win2000.active_directory)
  • Re: NSA,Windows, etc.
    ... >> So if you already trust your work to a Microsoft based OS why ... The intent of MSFT's updates was to update the binaries not ... So if you don't trust windowsupdate why would you run windows at all? ...
    (sci.crypt)