Re: External Trust - unable to assign permissions
- From: Wayne <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Oct 2006 08:32:02 -0700
I have resolved the unable to assign permissions problem.
The domain that was responding with "no authority could be contacted
for authentication" is in NTEmulation mode.
nltest /dsgetdc:domain.com /pdc was failing from the clients that were not
able to find objects.
The NeutralizeNT4Emulator key on the client resolved this.
"Wayne" wrote:
Mike,
Just to recap,
I put in the domain conditional forwarders for domainB and domainA
respectively.
On a Domain controller for Domain A, I am able to assign permissions to a
share from DomainB. On a workstation in DomainA I can do the same.
On a Domain Controller for DomainB, I am able to assign permissions to a
share from DomainA. On a workstation in DomainB, I get the error: "The local
security authority cannot be contacted", and no objects can be found. If it
is on a Windows 2000 server, I get the error "no authority could be contacted
for authentication".
These computers are able to query (nslookup) for all SRV records in DomainA.
Any advice at this point would be appreciated.
Regards, Wayne
"Wayne" wrote:
Fixed name resolution in DNS using forwarders
Can resolve domainA.com from domainB.com
Can resolve SRV records for domains both ways
I have validated the trust both ways.
I am now only able to assign permissions to resources one-way
Error: The local security authority cannot be contacted
I am beginning to think that name resolution is not the problem.
"Wayne" wrote:
Mike,
I was reluctant to get into the DNS configuration due to the fact that we
are using different DNS solutions for each forest and I have limited
knowledge of configuring DNS. After creating forwarders for each domain, I
re-established the trust in the lab and it is working perfectly. The
configuration in Active Directory DNS was easy. The Nortel NetID was much
more difficult and not very intuitive, but I did manage to make it work.
Thanks for your advice.
Wayne
"Miha Pihler [MVP]" wrote:
How was this solved for users in domainb.com? My guess is they added some
records that enabled them to surf the web and send e-mails (WWW A record and
MX records)... If it works for them -- it should also work for your domain
since you will be using conditional forwarding.
Later you can still think about renaming the domain...
--
Mike
Microsoft MVP - Windows Security
"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E12889F4-BB32-4128-A79F-80F944C9B613@xxxxxxxxxxxxxxxx
Hi Mike,
This may be the best solution. If I create a conditional forward for
DomainB.com, won't this prevent the users from surfing to the outside
DomainB.com?
"Miha Pihler [MVP]" wrote:
Hi,
Even if domain name was used that is registered -- you can still use
conditional forwarding on your DNS servers to query your new domain
(domain B) DNS servers. Another option would be to create a secondary zone and
replicate it from domain B DNS to your DNS server in domain A. Any queries
from any of your clients for domain B will get answered either by records in
secondary zone or by conditional forwarder if you decide to use it (I
recommend it).
Anything else (WINS, NetBIOS, ...) is less reliable than DNS in this case
(as you are figuring it out already)...
--
Mike
Microsoft MVP - Windows Security
"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:76AEA43A-41C0-450D-99B0-00CCF293B0CF@xxxxxxxxxxxxxxxx
Hi Mike,
Domain local groups
Our policy, and I know it is not textbook, is to not use Domain Local
groups. We have been assigning Global Groups to the resources for other
domain trusts and this works. This is our only "External" trust. Technically
it should work to assign the permissions on the resource using a global
group, even though it is not best practice.
DNS - I may have to configure DNS, but we have an issue with this. The
Domain(B) used a domain name that is registered (by someone else) on the
internet.
Is there any reason why the external trust would not work using NetBIOS
(WINS) name resolution or does an external trust "require DNS"? From what I
have read, it does not, it can use NetBIOS. This will limit security to NTLM
(no Kerberos).
Please comment,
Regards, Wayne
"Miha Pihler [MVP]" wrote:
Hi,
Some of my comments are in-line...
"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:26FB1715-08AE-4397-9298-3B4964C37EC6@xxxxxxxxxxxxxxxx
I have set up a 2-way external trust to a recently acquired domain(B) from our
domain(A). Both domains are Windows 2003 Server and in mixed mode. Domain
Controllers are pointed to a common WINS database.
Issue - I am unable to assign permissions on a share to Global groups or
users between Domain(A) and Domain(B).
Proper and recommended way for doing this would be to create a Domain Local
Group in Domain B and assign this group permissions on resources. Then add
Global group from domain A to Domain Local Group in Domain B.
I have relied on NetBIOS to set up the share as the separate DNS's are not
talking to each other yet.
I can \\Fileserver\sharename from a fileserver in Domain(A) from Domain(B)
but I am unable to assign NTFS permissions on the share on
Domain(A)\\Fileserver\sharename. I get the error (Name not found)
Question: Is NetBIOS sufficient to establish the share permissions for an
external domain?
It looks like you will have to fix some resolution problems. My advice is to
use DNS. Since you are running Windows Server 2003 you can use conditional
forwarding to configure DNS server in domains A and B to point to correct
servers for resolution. Personally I would fix name resolution (DNS) issue
first -- and then work on other issues that might remain.
Let me know if you need more help with this.
--
Mike
Microsoft MVP - Windows Security