Re: one-way trust not working



Yes there is a firewall between the two subnets, but as stated in my
posting I am starting with all ports and addresses open -- nothing
blocked. The connection to ISA works fine if you enter credentials from
the trusting domain (hq.local) rather than the trusted one
(branch.local). Also, as stated in my posting, the same problem is
being experienced with mapping to a shared folder. And in the shared
folder case, it also works to enter credentials from the trusted
domain. So I am confident that it is not a port blocking issue. It just
seems that the servers on the trusting domain are unable to verify
credentials from the trusted domain.

Paul Bergson wrote:
As soon as you mention ISA I think port problems. Do you have a FW between
the two forests?

Download PortQryUI and run it from both sides to check whether the ports are open
http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

Run the query for AD; it will check to see if the necessary ports are open.


--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Mr. Do" <mr_do_1@xxxxxxxxx> wrote in message
news:1149858188.674609.19260@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I set up a one-way trust between two Windows Server 2003 domains (not
in the same forest). The trust was set up successfully and the Validate
button says it works. However, authentication doesn't work when rights
to a resource in the trusting domain are assigned to an account in the
trusted domain. Here are the specifics:

In the trusted domain, branch.local, I set up the DNS server to use as
a forwarder the DNS server from the trusted domain, hq.local. In the
DNS for hq.local I created a secondary zone for branch.local and
configured zone transfers. That way, each domain gets full resolution
of the other. I also configured the firewall to allow unlimited traffic
between the two subnets. (I plan to lock that down more later but
wanted to get it working first.)

In the trusting domain, hq.local, I set up a one-way outgoing trust
with branch.local. At the time of setting up the trust, it prompted me
and I provided a username and password with administrative privileges
on branch.local. The setup worked and I can see in hq.local that I have
an option of selecting branch.local any place where I select accounts
to assign resources to.

On two different servers in hq.local, I created shares and added
branch.local's Domain Users group to both the share and file
permissions. When I try to map a drive to it while properly signed on
as a domain user in branch.local, I repeatedly get prompted for
username and password. Similarly, on an ISA server in hq.local, I added
rights for the branch.local Domain Users group and that, too, prompts
me over and over for authentication, not accepting the username and
password from branch.local. In all three cases, I tried
BRANCH\username, branch.local\username and simply username, with the
results being the same every time.

Any help would be appreciated.


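The checks the thread circles around (can the trusting side resolve and reach the trusted domain's DCs, and is the trust secure channel healthy) can be run from one script. The following is an added example, not code from any of the posters; it reuses the domain names from the post (hq.local as trusting, branch.local as trusted) and assumes it is run on a domain controller in hq.local, since in a one-way outgoing trust it is hq.local's DCs that must locate and contact branch.local's DCs to validate a branch.local logon passed through from a file server or ISA. Resolve-DnsName and Test-NetConnection exist on Windows 8 / Server 2012 and later; on Server 2003-era hosts the same checks are nslookup plus portqry.exe, which is an assumption about the tooling, not something the thread states.

```powershell
# Added example, not from the thread. Assumes hq.local (trusting) and
# branch.local (trusted) as in the post, run on a DC in hq.local.
# Resolve-DnsName / Test-NetConnection need Windows 8 / Server 2012+;
# on older hosts substitute nslookup and portqry.exe (tooling assumption).

$Trusting = 'hq.local'
$Trusted  = 'branch.local'

# TCP ports a trusting-side DC uses against the trusted domain's DCs for
# pass-through authentication and trust maintenance. RPC also needs the
# dynamic port range (1025-5000 on 2003, 49152-65535 on 2008+), which a
# fixed list cannot enumerate; PortQry's AD preset covers it separately.
$Ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Get-DomainControllers {
    param([Parameter(Mandatory)][string]$Domain)
    # The DC locator finds DCs through the _ldap._tcp.dc._msdcs.<domain> SRV
    # records. If this lookup fails from the trusting side, the trust cannot
    # work no matter what the firewall permits, so it is checked first.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-TrustPorts {
    param([Parameter(Mandatory)][string]$Domain)
    foreach ($dc in Get-DomainControllers -Domain $Domain) {
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Domain  = $Domain
                DC      = $dc
                Port    = $port
                Service = $Ports[$port]
                Open    = $result.TcpTestSucceeded
            }
        }
    }
}

# 1. Resolution of the trusted domain's DCs and TCP reachability from this DC.
$portResults = Test-TrustPorts -Domain $Trusted
$portResults | Format-Table -AutoSize
$closed = $portResults | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning "Ports closed toward $Trusted DCs:"
    $closed | Format-Table DC, Port, Service -AutoSize
}

# 2. Can the DC locator on this side actually select a DC in the trusted domain?
nltest "/dsgetdc:$Trusted"

# 3. Is the secure channel from this DC to the trusted domain healthy?
#    (the Validate button in AD Domains and Trusts is the GUI form of this)
nltest "/sc_verify:$Trusted"

# 4. The trust as netdom sees it, including direction, verified end to end.
netdom trust $Trusting "/domain:$Trusted" /verify
```

Run it in an elevated PowerShell session on a DC in the trusting domain. A failure at step 1 or 2 points at DNS (the SRV records for the trusted domain must resolve from the trusting side, not just the forward A records) or at a blocked port; a clean step 1 and 2 with a failing step 3 or 4 means the trust object or its password is the problem rather than the network.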