Re: Trust Validation
- From: Mark R. <MarkR@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 1 Nov 2007 05:59:01 -0700
There is a logged event of each user logging in under the opposing domain's
credentials and it says that cross policy is being applied to their account.
I read some more on the message and that's when I went in and made sure the
group policy allowed Everyone to access the domain resources. I refreshed the
policy and still no luck, but I may need to hit on it some more and also run
dcdiag. I have another resource helping, so we will try reestablishing the
trust again to see what happens. We have done this several times, but it
might clear it up like you said worked for you.
"Paul Bergson [MVP-DS]" wrote:
Not sure, but I have had similar issues where I just removed and added a
trust and things cleared up.
When you say they have the right permissions I assume you have added
domainb\userb to domaina resources, correct? Have you tried running any
diagnostics such as dcdiag? You could see if there are any issues pointed
out there. I assume you have DNS secondaries of each other's forests. How
about any errors listed in the Event logs?
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mark R." <MarkR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9AB1AB5D-A6EB-4701-8CC7-833CF1F0634D@xxxxxxxxxxxxxxxx
I've been doing quite a bit of testing. The portqry tool showed to test with
no problem. We are using DNS instead of WINS so the tool will show it not
listening, which is fine. P2P is a point to point and my firewalls should not
be causing any problems. I actually am getting the trust to validate now. I
found that if you add an entry in the LMHOSTS file of the domain controller
and point it to the DC you are trying to validate it will help in the
validation. So, I can validate the trust, resolve DNS names, and view
resources on each end, namely SYSVOL and any other shares on each network. My
problem now is that when a user in DOMAIN A logs into DOMAIN B with the
credentials of DOMAIN A, I can't view any resources such as mapping a drive
to a share in DOMAIN A, etc. The shares have the correct permissions, etc. I
checked Group Policy and it has the proper groups to allow Access from a
Remote Computer. This all worked before, which is what is so frustrating. For
some reason, DOMAIN B is not letting DOMAIN A accounts work. I don't know what
I can test for this issue. Any ideas?
"Paul Bergson [MVP-DS]" wrote:
I am not a network guy, I don't know what a p2p circuit is (Other than
assumption of point to point). If you are using WINS as the naming
resolution for the External Forest Trust then this would be your problem.
Are you using WINS or DNS?
If you have secondary DNS servers of each other's forest in your DNS server
then you are using DNS.
Do you have high ports blocked? If so then unless you have specified a
range for RPC then you won't be able to get communications through.
"Mark R." <MarkR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9CD83236-439E-4040-9230-A3A7E42AD473@xxxxxxxxxxxxxxxx
I ran the portqryui and I can't get Port 42 (WINS) to listen. It comes up
with Not Listening on each end. Also, the ntfrsutl command says it can't make
an RPC call to the specified machine. Our trust is setup on a P2P. Can my
Internet firewalls still cause trouble?
"Paul Bergson [MVP-DS]" wrote:
All DCs (I'm making the assumption that your PDC is really your PDCe and
that there are no BDCs since this is all 2000 or 2003) should only use a
single NIC and not be multihomed. Whether or not it works shouldn't matter,
and one of them should be disabled.
Are you sure there haven't been any changes to a firewall that is now
blocking some key traffic, that correlated with the outage?
If you would like to validate connectivity between the PDCe's use the tool
PortQryUI
Download PortQryUI and run the tool
Select the destination DC or PDC
Select Domains and Trusts
Validate that the ports that should be open in fact are, via the output
provided by the tool.
For additional info on this tool see
PortQry features, this is the backend tool for PortQryUI
If you would like to test connectivity to validate FRS communication (this
communication is for Windows 2003 to Windows 2003 communications only)
NTFRSUTL version server_name
If the two can communicate through the firewall via FRS the response will
provide the current version number
Also on each domain
If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs
in the forest. If you have significant numbers of DCs this test could
generate significant detail and take a long time. You also want to take
into account that slow links to DCs will also add to the testing time.
If you download a GUI script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in Notepad text files that pop up automagically.
The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)
When complete, search for fail, error and warning messages.
Description and download for dnslint
http://support.microsoft.com/kb/321045
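The diagnostic sequence above (PortQry against the peer DC, NTFRSUTL, then dcdiag/netdiag/repadmin/dnslint with a scan of the logs for fail/error/warning), collected into one script as an added example. This is not Paul Bergson's GUI script and not code from the thread; it assumes the Windows 2003 Support Tools (dcdiag, netdiag, repadmin, ntfrsutl) plus portqry and dnslint are on PATH, and the parameter names, log directory and port list are the example's own choices.

```powershell
# Added example, not from the original thread. Runs the trust/DC diagnostics
# discussed above and summarises anything that looks like a failure.
# Assumes Support Tools, portqry and dnslint are installed and on PATH.
param(
    [Parameter(Mandatory = $true)] [string] $LocalDc,   # DC in your own domain (assumed name)
    [Parameter(Mandatory = $true)] [string] $RemoteDc,  # PDCe of the trusted domain (assumed name)
    [string] $LogDir = 'C:\trustdiag'                    # hypothetical log location
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. Connectivity to the remote DC on the ports a trust needs (subset chosen for
#    this example: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Kerberos kpasswd).
#    Dynamic RPC high ports are not probed here; if they are firewalled, the
#    ntfrsutl step below is what will show it.
$ports = '53,88,135,389,445,464'
portqry.exe -n $RemoteDc -o $ports -p tcp > (Join-Path $LogDir 'portqry.log')

# 2. FRS RPC reachability (Windows 2003 to 2003 only): a version number means
#    RPC got through the firewall; an RPC error means it did not.
ntfrsutl.exe version $RemoteDc > (Join-Path $LogDir 'ntfrsutl.log')

# 3. The verbose health checks from the post. /E tests every DC in the forest,
#    so expect this to be slow on large forests or across slow links.
dcdiag.exe /v /c /d /e /s:$LocalDc            > (Join-Path $LogDir 'dcdiag.log')
netdiag.exe /v                                 > (Join-Path $LogDir 'netdiag.log')
repadmin.exe /showrepl dc* /verbose /all /intersite > (Join-Path $LogDir 'repl.txt')

# 4. dnslint wants the DC's IP address rather than its name.
$dcIp = ([System.Net.Dns]::GetHostAddresses($LocalDc) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
         Select-Object -First 1).IPAddressToString
dnslint.exe /ad /s $dcIp /t /r (Join-Path $LogDir 'dnslint')

# 5. "When complete search for fail, error and warning messages."
#    Select-String is case-insensitive by default, so FAILED, Error and warning all match.
$logs = Get-ChildItem -Path $LogDir -Include '*.log', '*.txt' -Recurse
$hits = $logs | Select-String -Pattern 'fail|error|warning'

if ($hits) {
    Write-Host ("Found {0} suspicious lines:" -f $hits.Count)
    $hits | ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
} else {
    Write-Host "No fail/error/warning lines found in $LogDir"
}
```

Run it from an elevated prompt on a DC in each domain, pointing `-RemoteDc` at the other side's PDC emulator, and compare the two `portqry.log` files: a port that is LISTENING from one side and FILTERED from the other is the firewall change the post asks about, while a DC that cannot be found at all in `dcdiag.log` is the symptom the original poster described.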
"Mark R." <MarkR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:36A1714E-C5C0-469E-A954-C573804DAAE5@xxxxxxxxxxxxxxxx
Recently, with some assistance, I setup a P2P circuit between our two sites.
An external trust was setup between our two domains. The trust worked without
issue until a power outage occurred this past Monday at one of the sites.
After the power came back on, the circuit worked fine, but the trust will not
validate. DNS updates properly after a force transfer, nslookup commands work
fine, and resolution by hostname to IP address completes. At one site, if you
try to validate the trust, it comes up quickly and says that Windows cannot
find a domain controller in the domain. On the other end, when validation is
tried, it validates, but asks for the login and password to be updated. After
that is entered, it doesn't complete. This trust worked fine for the past few
weeks. Now, you can access our terminal servers using the FQ domain name as
before, but you cannot view any resources while logged in with a trusted
domain AD account. If I use a local account in AD, it works fine. I can view
shared folders, etc. One difference between the two sites is that the site
that says it can't find a domain controller has dual NICs in the PDC and BDC,
while the other site only has single NICs in each server. Could this be an
issue?