Re: Windows 2000 --> 2003 Trust

From: Glenn L (the.only_at_gmail.com)
Date: 10/21/04


Date: Thu, 21 Oct 2004 11:50:53 -0700

Install Network Monitor on the PDC in both domains.
It is included on the server CD for each OS.
Then start tracing on both sides and reproduce the error.
Stop the traces and analyze.

You really need to know what you are looking for to make use of a network
trace.
Ethereal does a good job of identifying the highest level protocol of frames
and what the frame is for.
I would be looking for LDAP traffic and Kerberos in the trace.

You may consider opening a case with PSS on this.

-- 
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
"Jonathan" <Jonathan@discussions.microsoft.com> wrote in message
news:DC577D2C-DF67-477A-87E4-7E7B088B4CD7@microsoft.com...
> Glenn,
>
> Thank you for your help so far.
>
> I have checked the time between the two domains and they are within 30
> seconds of each other, this may be a stupid question but how do I do a
> simultaneous network trace?
>
> TIA
>
> Jonathan
>
>
> "Glenn L" wrote:
>
> > My experience with cross domain trust object picker errors like this have
> > either been DNS related or Kerberos related.
> > Looks like name resolution is fine.
> > First thing is to make sure the systems on each side of the trust are within
> > 5 minutes of each other.
> > A simultaneous network trace from both sides while re-proing the error will
> > be very helpful in this case.
> >
> >
> > -- 
> > Glenn L
> > CCNA, MCSE 2000, MCSE 2003 + Security
> >
> >
> > "Jonathan" <Jonathan@discussions.microsoft.com> wrote in message
> > news:177F8E8D-DD18-43B6-97E2-35F827B671D4@microsoft.com...
> > > Glenn,
> > >
> > > I can see the 2000 domain as an option on the security tab, but when I try
> > > and browse it I can not view any groups or users.  But I can if I do the same
> > > on the 2000 domain.
> > >
> > > Error I get on the 2003 server is "Server not operational".
> > >
> > > I have been using these external trusts with 2000 --> 2000 for a while with
> > > no problem.
> > >
> > > So I set the DNS up in the same way as before.
> > > I created a new forward lookup zone on each server and named the zone to be
> > > the same as the other server's domain name.  Then put a new host record in the
> > > zone to point to the servername.
> > >
> > > The above has been working perfectly with just 2000 servers, is there
> > > anything different to how Windows 2003 handles DNS?
> > >
> > > Jonathan (same company as Rich)
> > >
> > > "Glenn L" wrote:
> > >
> > > > When you say you can't see AD objects, are you talking about the
> > > > security tab of an object and attempting to add a user or group from the
> > > > trusted domain?
> > > > Is this what is failing?  Does the trusted domain not show up as an option,
> > > > or does it show up as an option?
> > > > What is the exact error you are seeing?
> > > > If this is so, then this is a DNS issue.
> > > >
> > > >
> > > >
> > > >
> > > > -- 
> > > > Glenn L
> > > > CCNA, MCSE 2000, MCSE 2003 + Security
> > > >
> > > >
> > > > "Rich" <ihate@spammers.com> wrote in message
> > > > news:e2dNINotEHA.636@TK2MSFTNGP09.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I am trying to create an external trust between a 2000 forest and a 2003
> > > > > forest.  The trusts seem to create fine, I can even see the 2003 active
> > > > > directory objects on the 2000 server.  But not the other way around on the
> > > > > 2003 server (which is what I need).
> > > > > The trusts are set to two-way non-transitive and the DNS appears to be
> > > > > correct.
> > > > >
> > > > > I was using this method to join a couple of 2000 forests together and that
> > > > > works ok, but I can't seem to do it using 2003, even to another 2003 forest.
> > > > >
> > > > > Just in case, I have tried different domain and forest modes, at the moment I
> > > > > am using 2003 native mode.
> > > > >
> > > > > This is not a forest trust, and I cannot use one due to the other forest
> > > > > being 2000, it has to be an external trust.
> > > > >
> > > > > TIA
> > > > >
> > > > > Rich
> > > > >
> > > > >
> > > >
> > > >
> > > >
> >
> >
> >
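
The two-sided trace comparison suggested in this thread, as an added example that is not part of the original posts: it filters frame summaries from both captures down to DNS, Kerberos and LDAP, lists what one side sent that the other never saw, and estimates the clock offset against the 5-minute limit mentioned above. The addresses, the sample frames, the tuple layout (assumed to be exported by hand from each trace) and all function names are constructed for illustration.

```python
from datetime import datetime

# Ports for the protocols named in the thread (LDAP, Kerberos) plus DNS.
PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}
MAX_SKEW_SECONDS = 300  # the 5-minute limit mentioned in the thread

# Constructed sample data: (timestamp, src, dst, dst_port), one tuple per frame.
DC_2003, DC_2000 = "10.0.3.10", "10.0.0.10"  # constructed addresses
TRACE_2003 = [
    ("2004-10-21T11:50:01", DC_2003, DC_2000, 53),
    ("2004-10-21T11:50:02", DC_2003, DC_2000, 389),
    ("2004-10-21T11:50:03", DC_2003, DC_2000, 88),
    ("2004-10-21T11:50:04", DC_2003, DC_2000, 445),
]
TRACE_2000 = [
    ("2004-10-21T11:50:21", DC_2003, DC_2000, 53),
    ("2004-10-21T11:50:23", DC_2003, DC_2000, 88),
    ("2004-10-21T11:50:24", DC_2003, DC_2000, 445),
]

def relevant(trace):
    """Keep DNS/Kerberos/LDAP frames as {(src, dst, port): timestamp}."""
    # Simplification: repeated frames for one key collapse to the last one.
    return {(src, dst, port): datetime.fromisoformat(ts)
            for ts, src, dst, port in trace if port in PORTS}

def missing_on_peer(sender_trace, peer_trace):
    """Protocols the sender transmitted that the peer's capture never saw."""
    sent, seen = relevant(sender_trace), relevant(peer_trace)
    return sorted(PORTS[key[2]] for key in sent if key not in seen)

def clock_offset_seconds(trace_a, trace_b):
    """Median timestamp difference for frames present in both captures."""
    a, b = relevant(trace_a), relevant(trace_b)
    deltas = sorted((b[k] - a[k]).total_seconds() for k in a if k in b)
    return deltas[len(deltas) // 2] if deltas else None

def skew_ok(offset):
    """True when the estimated offset is inside the 5-minute tolerance."""
    return offset is not None and abs(offset) <= MAX_SKEW_SECONDS

if __name__ == "__main__":
    offset = clock_offset_seconds(TRACE_2003, TRACE_2000)
    print("never arrived on the 2000 side:", missing_on_peer(TRACE_2003, TRACE_2000))
    print("estimated clock offset:", offset, "s; within tolerance:", skew_ok(offset))
```

The offset estimate includes network latency, so treat it as approximate; a protocol that shows up in one capture but not the other points at filtering or routing between the two domain controllers rather than at the trust itself.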

