Re: Forest Two-Way Transitive Trust Problem




If I get you correctly, both domains are single domain/single forest
implementations of Windows 2003 AD. The problem you are having is that you
cannot access the NewDomain file and print resources while logged into the
OldDomain.

What happens if you try to map a drive to the \\NewDomain DC\C$ (use NetBIOS
name if possible) and specify NewDomain\Administrator credentials? Does it
work?

FWIW, you should consider putting in a second DC regardless of the usage.
The reason is because right now if you lose that first DC/File and Print
machine, you're toast. You will have impacted the business without even
trying in that case, while adding a second DC means you *could* (assuming
name res, file and print, etc were handled elsewhere) at least allow them
back on the network while you restored files etc.
Something to consider.

I also assume you're leaving the credentials in the newdomain vs. migrating
them right now. If that's not correct, please correct me.

Al

"CeridianMN" <amyhr674@xxxxxxxxxxx> wrote in message
news:1153247208.889850.224750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We recently acquired a small company that will be joining us in our new
building in half a year. In the meantime they will be staying in their
current location, on their current network. This decision was made as
this is a busy season for that segment of the business and we want to
disrupt work as little as possible.

Consider the primary domain to be DomainA and the new one to be
NewDomain.

We have set-up a VPN connection (Cisco pix to Cisco pix) which is
working very well. Physical layer is them on a business 1.5/768 DSL to
our multiple T-1's. They are a spoke of a hub that has our main office
as its center.

DomainA runs on 10.x.x.x while NewDomain runs on 192.168.0.x. DomainA
is spread across 5 main sites and somewhere around 9 smaller sites.
NewDomain is a single small site. Each domain has DNS forwards to the
other domain in place.

We set up a trusting relationship between the forests. The forests are
both 2003 native as are the domains. There is one domain in their
forest, and two in ours. The second domain in ours is a test bed one
only and it has a one-way trust with the primary so we can log into it.


Everything appears to be set right in the trust, but we have some small
problems.

The environment of DomainA is multiple DC's, including one at each main
site in addition to the three at the primary site (mostly for GC) with
each one being 2003. Services are spread across multiple WinDell
servers which are almost all Server 2003 standard. NewDomain runs a
single server, so their DC is also their print and file server. It
runs Server 2003 and was promoted from a 2003 mixed mode to 2003 native
mode for the merger.

When logged into NewDomain we can access network resources from DomainA
without having to do any log-in. NewDomain users and computers can be
added to DomainA's ACL's with no trouble. For the first couple days
workstations in NewDomain were unable to add domain users/groups from
DomainA to their local user groups though that does seem to have
cleared itself up just yesterday.


When logged into DomainA we are unable to access resources on the
NewDomain DC. Upon attempting to connect to a shared folder we are
greeted with a log-on box asking us for credentials. No matter what we
put in we are unable to authenticate. We can put in domain admin
credentials from either domain and get no access. In the security log
there are three entries right in a row - 576, 540, 538. From a little
research this looks like: special privileges (same list as a successful
log-in from someone in NewDomain getting to a shared folder),
successful log-on, user log-off. I am able to connect to a user's
admin share now that I have been able to add DomainA to the NewDomain
ACL's.

I have not been able to find any information on this situation. My
guess is that the problem lies in running the services off of the DC,
and that if I were to get another server there, dcpromo it, take over
services, and dcpromo the old one down to member status the problem
would be fixed. While that should be a relatively easy process I am
leery about changing the only DC in an environment which we are trying
to make as few changes as possible. (My thought is that folding the
dissolution of their domain into the office move would be the most
cost-efficient.)

My question then is what can I do? Am I stuck with deploying a new DC
there? Is there some other method that should work? What should I be
ready to see break in deploying the solutions available to me?

If this isn't enough info please let me know - I will provide
everything I can for information as needed. Also, if this would be
better served in a different group please let me know. I use Google to
search and this is my first time actually posting...
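The 576/540/538 sequence described in the quoted post, as an added example that is not from either poster: a small Python script that parses a constructed Security log export (the pipe-separated field layout is an assumption, as are the account and logon ID values) and flags network logons that are closed within a couple of seconds with no object access in between. That pattern means authentication across the trust succeeded and the server then refused the share, which points at share or NTFS permissions rather than the trust itself.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a Security log export, not data from the post. Assumed
# pipe-separated fields: timestamp | event id | account | logon id | logon type.
SAMPLE_LOG = """\
2006-07-18 09:14:02|576|DOMAINA\\jsmith|0x3E7F21|
2006-07-18 09:14:02|540|DOMAINA\\jsmith|0x3E7F21|3
2006-07-18 09:14:02|538|DOMAINA\\jsmith|0x3E7F21|3
2006-07-18 09:20:45|576|NEWDOMAIN\\bjones|0x3E8A10|
2006-07-18 09:20:45|540|NEWDOMAIN\\bjones|0x3E8A10|3
2006-07-18 09:20:46|560|NEWDOMAIN\\bjones|0x3E8A10|
2006-07-18 09:35:12|538|NEWDOMAIN\\bjones|0x3E8A10|3
"""

LOGON, LOGOFF, OBJECT_OPEN = 540, 538, 560   # Windows 2003 Security log event ids

def parse(text):
    """Turn export lines into dicts; logon type is blank on 576 and 560 lines."""
    events = []
    for line in text.splitlines():
        ts, eid, account, logon_id, logon_type = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": account, "logon_id": logon_id,
                       "logon_type": int(logon_type) if logon_type else None})
    return events

def find_bounce_logons(events, max_seconds=2):
    """Logon IDs whose network logon (540) is followed by a logoff (538) within
    max_seconds with no object access (560) in between: authenticated, then
    denied. Assumes object-access auditing is enabled so 560 can appear at all."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["logon_id"]].append(e)
    findings = []
    for logon_id, evs in by_id.items():
        ids = {e["id"] for e in evs}
        if not {LOGON, LOGOFF} <= ids or OBJECT_OPEN in ids:
            continue
        logon = next(e for e in evs if e["id"] == LOGON)
        logoff = next(e for e in evs if e["id"] == LOGOFF)
        delta = (logoff["ts"] - logon["ts"]).total_seconds()
        if 0 <= delta <= max_seconds:
            findings.append((logon["account"], logon_id, delta))
    return findings

if __name__ == "__main__":
    for account, logon_id, delta in find_bounce_logons(parse(SAMPLE_LOG)):
        print(f"{account} logon {logon_id}: logged off after {delta:.0f}s, no object access")
```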





