Re: Trust relationships between sites.

<ichi.brown@xxxxxxxxx> wrote in message
news:1156264221.189203.108240@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> All,
>
> I have searched through the usenet archives as well as most searches on
> google for quite a while. I'm making this post, because frankly, I'm at
> a loss.

There is no such thing as "trusts...between sites". Trusts are between
DOMAINS (always, except in the Win2003 Server Native mode case
of trusts between forests -- but even that is implemented between the
root forest domains of each forest.)

> I'm a Unix Administrator, turned Windows + Unix administrator. For the
> past couple of years I've been deploying and maintaining Active Directory
> at a 2003 domain functional level.
>
> We have this weird setup, where one of our departments is located on a
> different floor, on a different AD forest on totally different subnets
> separated by routers.

Then likely you have a NetBIOS resolution issue since external trusts are
usually dependent on NetBIOS (you might also have a DNS resolution issue).

For NetBIOS to work across routers you need WINS Server(s)
and every machine to be a WINS "client" of the same replicated
WINS database.

> These are facts that cannot change. I cannot
> add the users to the forest they are trying to contact. However I did
> set up a one way transitive trust with the domain they are bound to, and
> the domain forest we have on the other floors in the building.

External trusts are never transitive so this must be a Forest Level
Trust, right?
> Users when trying to map network drives are always unable to, or they
> happen sporadically. One of the other gentlemen in Systems was a
> Windows administrator back when NT was rampant and sets up LMHOSTS files
> on the machines to obtain access to some of our servers on the other
> floors.

Technically LMHosts files are an alternative to WINS Server(s)
but they are practically unworkable in all but the very simplest
cases.

Dump the LMHosts file and setup one or more WINS Server -- if you
use more than one, make sure they are all fully replicated with each
other.

> I want an end-all solution using existing technologies to rid the
> problem of "No logon servers currently available to meet your request"
> when users try to map shared drives located on the other forest.
> Allow me to type things out more clearly.
>
> ad01 = first forest
> ad02 = second forest

Each DNS should also be able to resolve all other domains, DCs, and
(relevant) computers from the other domain.

Use conditional forwarding or another cross zone resolution mechanism
so that the DNS of Ad01 can resolve Ad02 and vice versa.

> pc01 = client machine on forest 01
> srv02 = server located on the second forest, on a separate broadcast segment.
> srv02b = 2nd server on second forest
> srv01 = server on first forest.
>
> pc01 needs to map a drive to srv01.ad01 and srv02.ad02.
> pc01 can currently map a drive to the servers in the domain it's bound
> to, srv01.ad01, but always spits out the error "no logon servers
> available" with srv02.ad02 and srv02b.ad02.
>
> Is there something more in depth that needs to be set up other than what I
> have?

You need to get your name resolution right. DNS for sure, and WINS
almost for certain.

> I have tried LMHOSTS to some avail, however maintaining a hosts file is
> rather out-dated I would assume. I have set up WINS servers on both
> networks. The ad01 has entries for domain ad02 and its domain
> controllers. ad02 does not have WINS entries for ad01 and its
> associated machines.

Getting all of the entries right for LMHosts is practically impossible
for a domain of any significant size and way more trouble than it is
worth.

Use WINS Server and make EVERY MACHINE a WINS client.
(Every machine means DCs and all other servers too!)

> Unfortunately because of the way administration is on these domains,
> the trust is one way transitive. ad02 trusts users in ad01 but not
> vice versa. This is to protect various corporate interests and
> resources.

Ok.

> I only have full control over the ad02 domain which is somewhat a
> "rogue" domain we're told but I don't see any reason why this shouldn't
> work a lot more smoothly. If you need further information please let
> me know I'll be quick to respond. If I've violated any FAQ or posting
> guidelines I apologize ahead of time, and flaming isn't required.

You will need admins from both (all) domains to get this right.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> Thanks in advance,
>
> Robb O'Driscol
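The name-resolution checklist Herb lays out (conditional forwarding in both directions, every machine a WINS client, then verify DC discovery and the trust) as one PowerShell script. This is an added example, not code from the thread; it assumes the DnsServer module of Windows Server 2012 or later on ad01's DNS server, uses the forest names ad01/ad02 from the post, and the IP addresses are placeholders.

```powershell
# Added example, not from the thread. Run on ad01's DNS server, then mirror the
# DNS step on ad02's DNS server so the two forests can resolve each other.
# Assumes the DnsServer module (Windows Server 2012+); IPs are placeholders.

$RemoteForest = 'ad02'
$RemoteDnsIPs = @('10.0.2.10')   # placeholder: DNS server(s) authoritative for ad02
$WinsServer   = '10.0.1.20'      # placeholder: one server of the replicated WINS set

# 1. DNS: a conditional forwarder sends every query for ad02 straight to ad02's DNS.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest -MasterServers $RemoteDnsIPs
}

# 2. Verify the DC locator SRV record; without it a client mapping a drive to
#    srv02.ad02 cannot find any logon server for that forest.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV `
                       -ErrorAction SilentlyContinue
if ($srv) { $srv | Select-Object NameTarget, Port }
else      { Write-Warning "No DC SRV records for ${RemoteForest}: fix forwarding first" }

# 3. WINS: make this machine a client of the replicated WINS database.
#    Repeat on every DC, member server and workstation in both forests.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetWINSServer `
            -Arguments @{ WINSPrimaryServer = $WinsServer; WINSSecondaryServer = '' }
    }

# 4. Trust and DC discovery checks with the built-in nltest tool.
nltest /trusted_domains
nltest "/dsgetdc:$RemoteForest" /force
```

If step 2 lists DCs but step 4 still fails to find one, the remaining gap is almost always NetBIOS, which is exactly the case step 3 addresses.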