Re: Permissions across 2 Forrest
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 28 Nov 2006 13:33:50 -0600
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:lr_ah.240$Ga1.154@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This is what's bizarre.
From Forest A-DC1 I can ping, net view, and even access stuff on the Forest B-DC1 server when I use the correct account info. But if I try to validate the trust it immediately says it can't find the logon server.
So you are saying that the trust FUNCTIONS for
purposes of resource access, but only fails the
"validation"?
If so the problem seems very small -- but still
interesting -- and tends to make me think that the
validation may be insisting on NetBIOS resolution
or using some port not used otherwise, while the
actual trust referrals are getting away with DNS
resolution.
There are NO firewalls between the 2 servers.
Or on the servers themselves, or any type of filtering on any intermediate routers (people don't typically call such router filtering "firewalls" today but they are in fact a form of firewalling.)
When I get on Forest B-DC1 I can ping, and I can net view, but the results of the net view are "Access Denied".
During Validation it also gives no logon server available.
Sounds very much like a NetBIOS resolution problem, although that is not a definitive or confirmed diagnosis.
I would surely look back to the WINS server and to
ALL DCs being WINS clients.
And I would surely double check for ANY form of
filtering (firewall or otherwise.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
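As an added example (mine, not from anyone in this thread), a PowerShell script that runs the checks this exchange and Herb's quoted checklist below call for, from a DC in one forest towards a DC in the other: DNS resolution, a per-port TCP test in place of telnet/netcat, the local NetBIOS cache and counters, and an explicit-credential connection to IPC$. The target name and account are placeholders; the port list is the standard set for SMB, RPC, LDAP and Kerberos, which the thread does not spell out.

```powershell
# Added example (not from the thread): cross-forest connectivity checks from
# one DC towards a DC in the other forest. Replace the two placeholders.
param(
    [string]$Target  = "dc1.forestb.example",   # placeholder: remote DC name or IP
    [string]$Account = "FORESTB\someuser"       # placeholder: account in the TARGET forest
)

# Standard TCP ports a forest/external trust and "net view" rely on.
$Ports = @{ 88 = "Kerberos"; 135 = "RPC EPM"; 139 = "NetBIOS session"; 389 = "LDAP"; 445 = "SMB" }

# 1) Name resolution: trust referrals can succeed on DNS alone, so check DNS first.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS: $Target -> $($addrs -join ', ')"
} catch {
    Write-Warning "DNS: cannot resolve $Target ($($_.Exception.Message))"
}

# 2) Per-port TCP connect test: like telnet/netcat but non-interactive, so it
#    shows whether something between the DCs is filtering a specific port.
foreach ($p in ($Ports.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $ar   = $client.BeginConnect($Target, $p, $null, $null)
        $open = $ar.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
    } catch { $open = $false } finally { $client.Close() }
    $state = if ($open) { "open" } else { "closed/filtered" }
    Write-Host ("TCP {0,4} {1,-16} {2}" -f $p, $Ports[$p], $state)
}

# 3) NetBIOS side: validation may insist on NetBIOS names even when DNS works.
#    Show the local name cache and the resolution/registration counters.
nbtstat -c
nbtstat -r

# 4) Explicit authentication to IPC$ with an account from the TARGET forest,
#    which does not need the trust. If this works but a local-forest account
#    fails, the problem is the trust itself rather than connectivity or ACLs.
#    The "*" makes net use prompt for the password instead of taking it on
#    the command line.
net use "\\$Target\IPC$" * "/user:$Account"
net use "\\$Target\IPC$" /delete
```

If ping works but a port shows closed/filtered, the "no firewalls" assumption is wrong for that port; if DNS and every port are fine and validation still fails, WINS registration is the next place to look, as Herb says.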
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:OxpR%23jgEHHA.3600@xxxxxxxxxxxxxxxxxxxxxxx
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:5YD8h.17546$B31.17044@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I went back through it again and the only troubleshooting problem I have
is with the Net View.
Net View? Or browsing too?
If it is only Net View then you have to ask yourself exactly what
is going on there which is different from other commands....?
Net View must first resolve name to address (either DNS or
NetBIOS name) and then ask that particular server what
shares it offers.
Net View will only succeed if these things work:
1) Name resolves (or you use the IP address in the request)
2) IP connectivity, i.e., routing, works (which it must for 'other' things to work, e.g., ping)
3) The server IS a FILE server and has at least one share offered
4) No firewalls are interfering with the server even though in general routing is working.
5) Authentication/access permission itself is literally failing
You can eliminate or confirm #1 as the problem by
trying Net View with the IP:
net view \\IP.Address.Of.Server
#2 can be checked (as noted) by pinging and using other commands.
#3 can be checked by doing a "net share" command ON
THAT file server (doesn't work remotely even when
things are working correctly.)
#4 should be checked again, the local firewall especially, to ensure that the XP (or Server BASIC) firewall allows File and Print Sharing etc.
#5 can (best) be checked after proving that 1-4 are ok by
using explicit credentials to connect to the server IPC$
share.
net use \\ServerNameOrIP\IPC$ * /user:Domain\Username
"Domain" here can be the TARGET domain (and user there)
to eliminate trust issues OR a "local domain\user" to prove
that the trust authentication is working.
Forest A can Net View B and get results. If Forest B Net Views A I get Access Denied. How do I fix that? I am not sure what authentication it's trying to do in order to fix it.
It is trying to follow either the implicit domain trusts (within a single forest) or the explicit trust (forest or external) for domains outside the user's own forest.
Forest A still says it can't find a DC in Forest B. I have a feeling I am just going to have to break down and spend the money to call Microsoft. *sigh*
You can do that but the odds are pretty good you
just have a name resolution issue (either DNS or
WINS or even both) OR a firewall problem.
Oh there are NO firewalls between the servers. All ports are open.
I was traveling for Thanksgiving
with family a lot last week and so must apologize for
answering slowly and intermittently.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:OBnLp$SDHHA.4992@xxxxxxxxxxxxxxxxxxxxxxx
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:d2n8h.5526$yE6.368@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok, went through all the troubleshooting you and Microsoft provided. It still doesn't work and I have no clue why. Regardless of what I changed or tried, the results are always the same from both sides.
I can ping each other using the IP address and name. I did Net View from Forest A to Forest B and instead of showing Access Denied like the white papers said, it actually showed information. However, when I did Net View from B to A it gave the Access Denied as shown in the white papers. It didn't say what results you're supposed to get, it just says that it's expected.
So what's the next step?
Go back through everything again since if you
really get it right it will work.
WINS Server, (replicated if multiples), all Servers/DCs
and workstations as WINS clients on BOTH sides.
Share something from both sides.
Check for firewalls -- both personal/basic and intermediate
firewalls on routers/devices.
Check WINS server(s) for full registration of all machines,
especially DCs and file servers -- use both the WINS MMC
and BrowStat from the resource kit.
Check NBTStat - to see if NetBIOS names are being
resolved (before and after trying things.)
nbtstat -r
nbtstat -c
Do Manual "Net View" commands to determine if
anything is shared.
Do manual authentications to determine if authentication
works at all.
From A machine:
net use \\ServerInB\Share * /user:DomainA\UserInA
net use \\ServerInB\Share * /user:DomainB\UserInB
From B machine:
net use \\ServerInA\Share * /user:DomainB\UserInB
net use \\ServerInA\Share * /user:DomainA\UserInA
Use tools like Telnet (or better, but not included with Windows, NetCat) to test for packet status through firewalls. Better than PING since you can test on the actual ports.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:e6C8nBnCHHA.144@xxxxxxxxxxxxxxxxxxxxxxx
Did you go through the troubleshooting tips in my article as well as
the link that points to Microsoft's troubleshooting tips?
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:vgj7h.26373$TV3.5311@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Yep, the DCs show themselves in WINS, and when I did the NBTSTAT it seems to work fine.
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:%23UD6qWdCHHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:Yu_6h.16010$B31.7903@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
First I want to thank everyone for helping. Ok, I checked the article you posted and it is for NT4 and 2000. Both of my forests are 2000.
As for the servers being a client, I went and made sure they are clients to the WINS server. Since there is only 1 WINS server in each forest I skipped any kind of replication for now.
Did you do this for ALL DCs in BOTH domains/forests?
(It sounds like you did but I like to be explicit when the
problem seems to be hard.)
Did you go and LOOK in the WINS MMC to make sure all DCs
(at least) were registered with the WINS Server?
You might consider running NBTStat -RR on each DC and using NBTStat to ensure the clients show themselves to be registered and able to resolve NetBIOS names....
When I went back to recreate the trust from Forest A to Forest B it still says it can't contact the domain. It acts like it's not even trying to.
When I went to Forest B and tried to recreate the trust from B to A it actually goes through the whole process of creating the trust, unlike A did. It even creates the trust for both sides. However, when you click on Validate to see if it's working it first says "Can not validate, see below" but the next box says "Trust has been validated" "There were errors contacting Forest A. No logon server available."
When I went back to Forest A and looked it does show the trust there, but if you try to validate it you still get the same error as before: Can not contact the domain.
I am still totally lost as to what to do.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in
message news:%23pHBkDQCHHA.5012@xxxxxxxxxxxxxxxxxxxxxxx
Did you go through the link I told you? There should be help
within that.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the
NewsGroup
This posting is provided "AS IS" with no warranties, and confers
no rights.
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:qoI6h.25614$TV3.12808@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok, I installed WINS on the primary DC in each forest. When I log on the DC in Forest A and try to Validate the trust to Forest B it says "No DC found in Forest B."
When I go to the DC in Forest B and try to Validate to Forest A it asks for a username and password. After typing that in and hitting OK it gives an error saying "No Logon Server is available in Forest A".
This is the exact same problem I had before I installed WINS.
What do I do now?
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ugMZrTBCHHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in message
news:9Ml6h.25083$TV3.14521@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks everyone. We are going to install WINS on the servers ASAP. I was just going on the basis that AD only uses DNS nowadays. At least that's what Microsoft says and all the books I read say.
"Microsoft" does not actually say that.
If you are reading books that say that then they are trash
probably.
It's one thing for an admin (like you etc.) to be confused but
anyone who writes a book without really understanding these
systems has an obligation to get such things correct.
Hopefully this will fix the problem.
Probably.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message
news:eqLAYqxBHHA.1012@xxxxxxxxxxxxxxxxxxxxxxx
Chris,
You are in good hands with Jorge and Herb. I would listen to
what they are saying (which is essentially the same....).
One thing that I might suggest is that you use netdom (a part of the Support Tools) to create the trust - once everything else is in place - instead of using the GUI (I am assuming that you are doing this from within the Active Directory Domains and Trusts MMC). Netdom is a very nice tool...
If you are not familiar with the Support Tools I might
suggest that you play with them. There are lots of little
goodies in there. Oh, and check out http://www.joeware.net as
well....
--
Cary W. Shultz
Roanoke, VA 24012
"Chris Peikert" <c.peikert@xxxxxxxxxxxxxxxxxx> wrote in
message news:nBs4h.1493$6t.1150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We have 2 forests, each with a single domain. We want the administrators from both forests to be able to cross forests for admin purposes, plus be able to assign permissions across the forests.
When you go to a folder in Forest A and go to Security it gives you the option to give someone access to the folder from Forest B.
However, if you're trying to do the opposite in Forest B and try to assign something to someone in Forest A it doesn't even see the domain in Forest A.
What is wrong here?