Re: Cannot add users from trusted external Domain.
In news:1189978448.041638.131830@xxxxxxxxxxxxxxxxxxxxxxxxxxx,
todd.eckles@xxxxxxxxx <todd.eckles@xxxxxxxxx> typed:
All,

I have a w2k3 domain (domain A) that trusts another w2k3 domain
(domain B). The domains are in separate and unrelated forests and the
trust would be considered to be a one-way, external trust where domain
A trusts domain B.

My problem is this: I'm trying to give users from domain B access to
a domain local group in domain A, but I am prompted to enter
credentials for an account from domain B. I'm not sure how this is
supposed to work. Domain B is a third party company and I'd like to
give them access to resources in my domain (domain a). Does it make
sense that I would need to type in credentials from an account from
domain b in order to do this?

These are w2k3 forests both running in w2k3 native mode. We are using
lmhosts files for the trust as it is a requirement from the third
party company. The trust is working and can be validated on both
sides.

Any help would be greatly appreciated.

Todd

Domain and forest levels do not matter with external trusts. Domain and
forest levels (and requiring DNS resolution) are for forest trusts only.

Just to get this straight in your case, if you have A trusting B, (whereas A
is the trusting domain, and B is the trusted domain - and B shows up in the
top part of the domain trusts tab in your case I assume), then you should
be able to allow B's accounts to A's resources.

You may want to look at this article to help you diagnose this. Don't let
the title alarm you. An external trust is the same as a trust between NT4
and 2003. That's why I was saying domain and/or forest levels have nothing
to do with an external trust. Also follow what it says about SMB and LM &
NTLM negotiation. I mentioned a few things below from memory concerning
disabling SMB signing, RestrictAnonymous and the Pre-Windows 2000 Compatible Access
group, and they are things I would look at in looking for trust problems,
but this article goes into all of that and more.

Trust between a Windows NT domain and an Active Directory domain cannot be
established or it does not work as expected
http://support.microsoft.com/default.aspx?scid=kb;en-us;889030
===================
A factor that *may* affect a trust and authentication is SMB signing, and
you may want to disable it. The following is from
http://support.microsoft.com/?id=811497:
1. Open the Default Domain Controllers Policy.
2. Open the Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options folder.
3. Locate the Microsoft network server: Digitally sign communications
(always) policy setting, and then click Disabled or Do Not Configure.

===================
Also possibly you may want to disable the RestrictAnonymous setting in the
reg. The following is from
http://osdir.com/ml/org.activedir/2006-03/msg00117.html
Make sure that "RestrictAnonymous" is set to "0" on both the NT PDC and
the 2003 PDCE. The key should be located under the following path; create it if
it's not there:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
===================
Has the Pre-Windows 2000 Compatible Access group been deleted or restricted?
===================
--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your *** tomorrow." - Garfield
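A read-only audit of the three items Ace lists (the SMB signing policy, RestrictAnonymous, and the Pre-Windows 2000 Compatible Access group), added here as an example and not part of the original thread. It assumes it is run on a domain controller in the trusting domain (A) with the ActiveDirectory module installed, and that RequireSecuritySignature under LanmanServer\Parameters is the server-side value the "Digitally sign communications (always)" policy writes; it changes nothing, so the relaxed settings the thread discusses can be weighed before anything is loosened.

```powershell
# Added example: report the trust-related settings discussed in the thread.
# Read-only; assumes a DC in domain A and the RSAT ActiveDirectory module.
function Get-ExternalTrustSettingReport {
    $report = @()

    # 1. SMB signing (KB 811497): "Digitally sign communications (always)"
    #    maps to RequireSecuritySignature on the LanmanServer service.
    $smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb = Get-ItemProperty -Path $smbKey -ErrorAction SilentlyContinue
    $requireSigning = if ($null -ne $smb.RequireSecuritySignature) { [int]$smb.RequireSecuritySignature } else { 0 }
    $report += [pscustomobject]@{
        Check = 'SMB server signing required (always)'
        Value = $requireSigning
        Note  = if ($requireSigning -eq 1) { 'Required; KB 811497 step 3 sets this to Disabled/Not Configured' } else { 'Not required' }
    }

    # 2. RestrictAnonymous under the LSA key; the thread expects 0 on both sides.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $restrictAnon = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
    $report += [pscustomobject]@{
        Check = 'RestrictAnonymous'
        Value = $restrictAnon
        Note  = if ($restrictAnon -gt 0) { 'Non-zero; the thread advises 0 while diagnosing the trust' } else { '0 (value absent is treated as 0)' }
    }

    # 3. Pre-Windows 2000 Compatible Access: does the group exist, and who is in it?
    #    Reading the "member" attribute avoids resolving foreign security principals.
    Import-Module ActiveDirectory -ErrorAction Stop
    $grp = Get-ADGroup -Filter "Name -eq 'Pre-Windows 2000 Compatible Access'" -Properties member -ErrorAction SilentlyContinue
    if ($null -eq $grp) {
        $report += [pscustomobject]@{ Check = 'Pre-Windows 2000 Compatible Access'; Value = 'missing'; Note = 'Group not found (deleted?)' }
    } else {
        $members = @($grp.member)
        $report += [pscustomobject]@{
            Check = 'Pre-Windows 2000 Compatible Access members'
            Value = $members.Count
            Note  = if ($members.Count -eq 0) { 'Empty; membership may have been restricted' } else { ($members -join '; ') }
        }
    }
    return $report
}

Get-ExternalTrustSettingReport | Format-Table -AutoSize -Wrap
```

Run it on a DC in each domain and compare the two reports side by side; a difference in any row is the first place to look before changing settings on either side.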