Re: Easy question on External Trust Perimeter-->Internal



If you want to create an external trust between domains in separate forests
with W2K or W2K3 DCs you can use DNS for name resolution without NetBIOS. In
this same scenario I also thought NetBIOS was required, and for that some
form of NetBIOS name resolution.
A client of mine with a forest in Europe and a forest in the USA has an
external trust without NetBIOS being used. Why do I say NetBIOS is not being
used? Because:
* The WINS environments of the two forests are not connected
* Neither WINS environment contains a 1Ch record with the records of
the other domain
* Only DNS name resolution is in place (secondary zones)

I have seen it work without NetBIOS. I talked to Dean Wells about it and he
also tested it while NetBIOS was disabled on both endpoints!!!

--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx> wrote in
message news:OFjyUI6$FHA.2156@xxxxxxxxxxxxxxxxxxxxxxx
> In news:eRV5cbu$FHA.740@xxxxxxxxxxxxxxxxxxxx,
> Jorge de Almeida Pinto
> <SubstituteThisWithMyFullNameSeperatedByDots@xxxxxxxxx> stated, which I
> commented on below:
>> it depends what the end points are.
>>
>> if end points are at least w2k then DNS is also OK for name resolution
>
> Jorge, unless I am misunderstanding you, and if you mean for FQDN
> resolution, I apologize, but from my experience and testing, external
> Windows 2000 trusts still require NTLM, which requires NetBIOS name
> resolution. Inside a forest, trusts are Kerberos based, which is DNS based
> resolution, but I beg to differ with Windows 2000 external trusts between
> domains of a different forest, even if the end points are 2000, for the
> trusts are NTLM based and require NetBIOS.
>
> This doc below states this if you want to eliminate NetBIOS and WINS
> (although I HIGHLY suggest NOT to because of other functions that require
> NetBIOS; besides the neighborhood, Exchange/Outlook functionality requires
> NetBIOS resolution).
>
> "You only have a single Windows 2000 forest or you do not need trust
> between multiple forests. Trusts between multiple Windows 2000 forests can
> only be established as explicit LAN Manager trusts. This type of trust
> still requires NetBIOS."
> (From:)
> AD Cookbook, includes trust info, NTLM, and how NTLM uses NetBIOS.
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp2.mspx
>
> Also, here are two other articles that state the same thing:
>
> HOW TO Establish Trusts with a Windows NT-Based Domain in Windows 2000
> (Q308195):
> http://support.microsoft.com/?id=308195
> "Make sure that the Windows NT-based domain controller can resolve the
> host name of the Windows 2000-based domain controller, and that the
> Windows 2000-based domain controller can resolve the NetBIOS name of the
> Windows NT-based domain controller. If you cannot resolve the NetBIOS and
> host names, create an entry in the Lmhosts file on each domain controller
> that specifies the location of the other controller. For additional
> information about creating and modifying Lmhosts files, click the
> following article numbers to view the articles in the Microsoft Knowledge
> Base: "
>
> Cannot Use Kerberos Trust Relationships Between Two Forests in Windows
> 2000:
> http://support.microsoft.com/?id=274438
> "Use an external trust relationship when a trust between two [2000]
> forests is required. This trust relationship uses NTLM authentication."
>
>
> Once again, Jorge, I apologize if I misunderstood your post.
>
> Cheers!
> Ace
>
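The disagreement above comes down to a question you can test directly: can a DC in one forest locate a DC of the trust partner through DNS alone, and is NetBIOS over TCP/IP actually switched off on the endpoints? The script below is an added example for readers of this thread, not code posted by Jorge, Ace, or Dean Wells. It assumes a Windows host with the Resolve-DnsName cmdlet and the RSAT ActiveDirectory module (both newer than the 2005-era systems discussed here), and the partner domain name fabrikam.example is a placeholder to replace with your own.

```powershell
# Added example, not from the thread. Checks the three things the discussion
# hinges on: DC locator via DNS SRV records for the trust partner, the local
# NetBIOS-over-TCP/IP setting, and which trusts are external (NTLM-based)
# rather than forest or intra-forest (Kerberos-based).
param(
    # Placeholder partner domain; substitute the real DNS name of the other forest's domain.
    [string]$RemoteDomain = 'fabrikam.example'
)

function Test-TrustPartnerDnsLocator {
    param([string]$DomainFqdn)
    # The DC locator finds a partner DC through this SRV record. It resolves
    # only if the partner's _msdcs zone is reachable here, e.g. as a secondary zone.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{ Record = $srvName; Resolvable = $false; Targets = @() }
    }
    [pscustomobject]@{
        Record     = $srvName
        Resolvable = (@($srv).Count -gt 0)
        Targets    = @($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    }
}

function Get-NetbiosOverTcpState {
    # TcpipNetbiosOptions on each IP-enabled adapter: 0 = DHCP default, 1 = enabled, 2 = disabled.
    # "Disabled" on every adapter is what "NetBIOS disabled on both endpoints" means in practice.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress,
            @{ n = 'NetbiosOverTcp'
               e = { @('Default (DHCP)', 'Enabled', 'Disabled')[$_.TcpipNetbiosOptions] } }
}

function Get-TrustKindSummary {
    # Classifies each trust of the current domain. External trusts are the ones
    # the thread says may or may not need NetBIOS; forest trusts are Kerberos-capable.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest,
        @{ n = 'TrustKind'
           e = { if ($_.ForestTransitive) { 'Forest' }
                 elseif ($_.IntraForest)  { 'Intra-forest' }
                 else                     { 'External' } } }
}

Test-TrustPartnerDnsLocator -DomainFqdn $RemoteDomain | Format-List
Get-NetbiosOverTcpState | Format-Table -AutoSize
Get-TrustKindSummary    | Format-Table -AutoSize

# End-to-end check with the built-in DC locator, which is what trust creation
# and NTLM pass-through authentication use under the hood.
nltest.exe /dsgetdc:$RemoteDomain /force
```

Run it on a DC in each forest, pointing at the other forest's domain. If the SRV lookup and nltest succeed while every adapter reports NetBIOS over TCP/IP as Disabled and no WINS replication exists between the forests, the trust is being serviced by DNS-based DC location, which is the configuration Jorge describes.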

