RE: Two way forest trust fails only in one direction



Ok, we have an answer.

Once WINS was corrected, both sides could see each other, but Company B was
being challenged by a logon box every time they tried to create or verify
the trust.

After deep research into SMB signing, we saw that the values under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\

needed to match on the servers on both sides of the trust.

Our server and their server did not match, so we changed Company A's server to
match Company B's server.

We changed enablesecuritysignature=1 to 0.

Also, a policy had to be changed so the setting would not be constantly
changed back.

Once both sides matched, Company B was no longer challenged by a logon box.
The trust was created on their side and verified on both sides, and everything
worked fine.

Microsoft, you should make note of this!!!!!!

"John Kolodziejski" wrote:

I am re-posting a different question than a post I did a few days ago, "Trust
between two forests fails", because much has changed since that posting. The
trust only fails in one direction. Company A can access everything in Company
B's forest, but Company B cannot access Company A's forest at all. When they
try, they are confronted with a logon box. No user name or password from
either forest will work.

Here is a detailed explanation.

I work for a company that has just been purchased by another company. As per
Microsoft TechNet "When to create a Forest Trust", a forest trust fits our
situation perfectly. We are attempting to create a forest-level two-way
trust. We have run the complete checklist "Checklist: Creating a forest
trust".

Both companies are running only Windows 2003 servers. Both domain and forest
functional levels are set to the highest level. Company A is running all
services under Windows Active Directory (DNS, WINS and so on); Company B is
running DNS and WINS under Windows Active Directory. We have set up on each
side the other company as secondary zones in our DNS namespace, and we have
established zone transfers between our two DNS servers. A DNS lookup does
work for both sides. WINS is working and replicating on both sides.

Company A can complete a two-way transitive forest-level trust, and when it
is validated the response is "The trust has been validated. It is in place
and active."

The trust from Company A shows up in Company B's trust listing, but when they
attempt to validate the trust, they are prompted with a logon box. No matter
what user name and password they put in from either domain, the logon fails.
They receive an error: "To complete this operation, you must log on to domain
AAA.AAA.COM as a person with permission to modify trusts." We try
Administrator and we try users in the administrative group and nothing works;
the box just keeps coming back. It seems that the remote site (Company B) is
not connecting to a DC in Company A's domain.

If Company B clicks on "Save As" the file with details about the status of
names associated with this trust on their side, it reflects the appropriate
information as compared to the same file on Company A's side.

Also, when a user enters a FQDN in Windows Explorer on Company A's side for
a computer on Company B's side, they connect to the computer and can see
public shares. They can also connect to shares that have had their user names
added. If Company B tries the same thing for Company A, they are challenged
with a logon box.

As per above, for a folder on Company B's side, when setting up permissions
and security, under Locations both domains/forests show up. If a user in
Company A is given access to the folder/share on Company B's side, they can
get to it. If Company A creates a share to a folder on one of their servers,
they can see Company B's users and groups and grant Company B's users access,
but when the user from Company B tries to access the share, they are prompted
with a logon box.

If we tear down the trust and Company B tries to build it from their side
with the wizard, after they enter a user name with administrative privileges
on Company A's domain, they get an error box back very fast that says "Access
Denied".

So, in a nutshell, a two-way forest-level trust is created between two
companies. Company A can do everything in Company B's forest, but Company B is
not being authenticated in Company A's forest, even though Company A can see
Company B's forest under Locations and can add Company B's users and groups to
their resources.

Can anyone point us to a resolution of our problem?
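As an added example (not part of the thread above), the following PowerShell script reads the SMB server signing values under the lanmanserver Parameters key that the reply says must match on both sides of the trust, and flags any mismatch before anyone touches the trust wizard. It assumes PowerShell remoting to the named servers; the two server names are constructed placeholders. EnableSecuritySignature corresponds to the Group Policy setting "Microsoft network server: Digitally sign communications (if client agrees)" and RequireSecuritySignature to "... (always)", which is the policy the reply mentions resetting the value.

```powershell
# Added example: compare SMB server signing registry values across servers.
# Assumes PowerShell remoting is enabled on each server; names are placeholders.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Names   = @('EnableSecuritySignature', 'RequireSecuritySignature')

function Get-SmbServerSigning {
    param([string]$KeyPath, [string[]]$Names)
    $props  = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $result = @{}
    foreach ($n in $Names) {
        # A missing value means the OS default applies; report that explicitly
        # instead of silently treating it as 0.
        if ($null -ne $props.$n) { $result[$n] = [int]$props.$n }
        else                     { $result[$n] = 'not set (default)' }
    }
    return $result
}

function Compare-SmbServerSigning {
    param([string[]]$ComputerName)
    $perHost = @{}
    foreach ($c in $ComputerName) {
        # Run the reader on each server and keep its hashtable keyed by host name
        $perHost[$c] = Invoke-Command -ComputerName $c `
            -ScriptBlock ${function:Get-SmbServerSigning} `
            -ArgumentList $KeyPath, $Names
    }
    foreach ($n in $Names) {
        $values   = $ComputerName | ForEach-Object { "$($_)=$($perHost[$_][$n])" }
        $distinct = @($ComputerName | ForEach-Object { $perHost[$_][$n] } |
                      Sort-Object -Unique).Count
        $status   = if ($distinct -gt 1) { 'MISMATCH' } else { 'match' }
        '{0,-26} {1,-9} {2}' -f $n, $status, ($values -join '  ')
    }
}

# Placeholder DC names for the two sides of the trust (constructed for this example)
Compare-SmbServerSigning -ComputerName 'dc1.companya.example', 'dc1.companyb.example'
```

Run it from a workstation that can reach a DC on each side; any line marked MISMATCH is a value that Group Policy on one side will keep reasserting until the policy itself is aligned.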