Re: W2K3 cross domain trust

From: John Negus (jnegus_at_mask.msetechnology.com)
Date: 01/10/05


Date: Mon, 10 Jan 2005 14:16:35 -0500

My apologies Kevin.....I missed that you are trying to add users to a
Universal group. You should add the users from the other domain to a
"domain local" group as universal groups can only contain users within
their own forest.

-- 
John Negus
MSEtechnology
--
"Kevin" <Kevin@discussions.microsoft.com> wrote in message 
news:762E35FA-06F5-4C39-B588-1C43354CF2C6@microsoft.com...
> 2-way external non-transitive trust was formed between the domains.
> Both domains are Windows 2003 and the functional level is Windows 2000
> native mode.
>
> Kevin
>
>
> "ptwilliams" wrote:
>
>> You cannot see the domain in the snap-ins because it's external to
>> the forest in which you reside.  When you see domains listed in the
>> management snap-ins these are all within the same forest (references
>> to each domain partition are stored in the configuration partition;
>> as is information on each domainDNS object).
>>
>> What kind of trust do you have in place?
>>
>> Are you running in 2003 native and do you have a forest trust?
>>
>> -- 
>>
>> Paul Williams
>>
>> http://www.msresource.net/
>> http://forums.msresource.net/
>>
>> "Kevin" <Kevin@discussions.microsoft.com> wrote in message
>> news:35DADFC5-3AD3-4BC6-B08F-608E589244A2@microsoft.com...
>> I mean I cannot see other domains after clicking the "Locations"
>> button. Only abc.com was found.
>>
>> Thanks and Regards,
>> Kevin
>>
>>
>> "John Negus" wrote:
>>
>> >
>> > > Question 1
>> > > I have two forests, abc.com and xyz.com, and both of them form a
>> > > two-way trust.
>> > > I want to add a user from xyz.com to a group in abc.com. I can't
>> > > see the domain xyz.com in the "Active Directory Users and
>> > > Computers" console. But in the security tab of folder properties,
>> > > I can add users and groups from xyz.com.
>> > >
>> > > The group in abc.com is a universal group.
>> > > Both domains are Windows 2003 and running W2K native mode.
>> >
>> > Answer1
>> > In "Active Directory Users and Computers" when you add a user to a
>> > group there is a "Locations" button.  If you select that you should
>> > see the other domain and be able to select it.  You will then be
>> > able to add users from that domain to your group.  This is
>> > providing that your trust is set up correctly and that you are not
>> > trying to add users from the other domain to a global group.
>> > >
>> > > Question2
>> > > Currently both of the forests, abc.com and xyz.com, only have one
>> > > Windows 2003 DC. I will add one more DC in each forest but the
>> > > new DC is Windows 2000. Can I raise the functional level from W2K
>> > > native to Windows 2003 later or should I stay at W2K native mode?
>> >
>> > Answer2
>> > You will not be able to add a W2K DC to your domain if you raise
>> > the functional level of your domain higher than W2K Native mode.
>> > Stay at native mode until you upgrade your W2K DC or remove it from
>> > the domain.
>> >
>> > -- 
>> > John Negus
>> > MSEtechnology
>> > --