External trust and a member server

Thread starter: NetGear

NetGear

Hi,

We have two forests. The trusting domain A is a Windows 2000 mixed mode
domain and the trusted domain B is a Windows 2003 domain. So we created an
external one-way trust between them.

Now I can add users from domain B to domain A's domain local group. But I
cannot add users from domain B to a member server's local group in domain A.

When I start to manage local groups on the member server I can select the
trusted domain "from this location" field but then it just says that "the
server is not operational".

We have created standard secondary DNS zones in both domains' DNS servers
that refer to the other domain, and the zone transfers do work. We do not
have WINS replication between the domains, but there are corresponding
LMHOSTS entries on both domains' domain controllers and in the member
server's LMHOSTS file. I have also created a static domain name entry in our
WINS server database that refers to domain B's domain controller.

Could it be a firewall issue, or what should I do to resolve the problem?
 
Hello NetGear,

Thank you for posting.

Based on my experience, this issue is usually caused by DNS name resolution.
Therefore, please first double check that the DNS name of the trusted
domain can be resolved on the member server. You may use the ping and
nslookup commands to test.

Please also verify whether this issue occurs only on one member server or
on multiple member servers, and whether this issue occurs on other domain
members.

In addition, the following KB articles may also be helpful for you:

You may receive a "The server is not operational" error message when you
try to add a trusted domain user to a trusting domain
http://support.microsoft.com/?id=837328

Error Message: Cannot Display Objects from This Location Because of the
Following Error: The Server Is Not Operational
http://support.microsoft.com/?id=306980

Hope this helps.

Have a nice day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

--------------------
 
Thank you for your reply.

I can ping the trusted domain's DC, and nslookup also gives the correct
answer.

I tried the connection from an ancient Windows NT member server that is used
for a legacy application. Its User Manager also complains that it cannot
connect to the trusted domain.

I've read these KB articles. We have secondary DNS zones created, and the
Guest account is disabled in the trusted domain.
 
Hi,

Thank you for your prompt reply.

Based on the current situation, I would suggest we perform the following
test:

When you manage local groups on the member server and select the trusted
domain in the "From this location" field, then click the Advanced button and
click the Find Now button, can any users and groups be listed?

If users and groups can be listed, I think everything works fine.

In addition, as a best practice, it is not recommended to add a trusted
domain's user directly to a member server's local group. We may add the
trusted domain's user to a domain local group, and then add this domain
local group to the member server's local group.

Hope this helps.

Kind regards,
Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

--------------------
From: NetGear
 
Thanks for your reply.

Find Now button gives just the same error.

I know that it is not the best practice to add trusted domain's user
directly to a member server's local group. Perhaps I've already mentioned
that we have a mixed mode domain, however. So I can not use group nesting.
And I can not raise any functional levels just now.

What next? Closed ports on firewall? Maybe I did not mention the exact
situation when I sent my question firstly. We have a firewall between the
forests.
 
Hi NetGear,

I am sorry for my delayed response due to the complexity of this issue. I
hope this has not caused you too much inconvenience. I appreciate your
understanding and patience.

I have performed a lot of research, also discussed with my colleagues.
Based on our further research, I would suggest we perform the following
steps to narrow down the problem:

1. On this member server of domain A, please log on as a domain user
account of domain B. Please test whether the user account of domain B can
log on to this member server successfully. If so, please test the issue again.

2. Please double check the DNS Server secondary zone settings. Please
ensure that the SRV records are transferred from the primary zone correctly.

3. Please refer to the following KB article to verify the RestrictAnonymous
registry value is set to 0 on the Windows 2000 Server Domain Controller.

How to use the RestrictAnonymous registry value in Windows 2000
http://support.microsoft.com/?id=246261

4. Please refer to the following KB article to set the value of the
DsHeuristics attribute to 0000002 on the Windows Server 2003 Domain
Controller.

Anonymous LDAP operations to Active Directory are disabled on Windows
Server 2003 domain controllers
http://support.microsoft.com/?id=326690
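Steps 3 and 4 change two settings that govern what an unauthenticated client may read from a domain controller, so it helps to see their current values before and after the change. The script below is an added example, not part of the thread or of Microsoft's KB articles. It assumes a management host with the ActiveDirectory RSAT module, the Remote Registry service reachable on the Windows 2000 DC, and the placeholder host names `dca.domaina.example` and `dcb.domainb.example`; the registry path and the dSHeuristics object location are the documented ones, the rest is the example's own choice.

```powershell
# Added example, not from the thread or from Microsoft: read-only audit of the
# two settings referred to in steps 3 and 4, run from a management host that
# has the ActiveDirectory RSAT module and can reach both DCs. Host names are
# placeholders for this example.
$TrustingDc = 'dca.domaina.example'   # Windows 2000 DC of trusting domain A (assumed)
$TrustedDc  = 'dcb.domainb.example'   # Windows 2003 DC of trusted domain B (assumed)

# Step 3: RestrictAnonymous on the trusting DC (HKLM\SYSTEM\CurrentControlSet\
# Control\Lsa, per KB 246261). 0 allows anonymous enumeration of accounts and
# shares, 1 and 2 restrict it. Read through the Remote Registry service.
$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $TrustingDc)
$lsa  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
$restrictAnonymous = $lsa.GetValue('RestrictAnonymous', 0)   # an absent value behaves as 0
$lsa.Close(); $hive.Close()
"{0}: RestrictAnonymous = {1}" -f $TrustingDc, $restrictAnonymous

# Step 4: dSHeuristics is a single forest-wide string on the Directory Service
# object in the Configuration partition of domain B's forest.
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE -Server $TrustedDc).configurationNamingContext
$dsObject = Get-ADObject -Server $TrustedDc `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties dSHeuristics
$dsHeuristics = [string]$dsObject.dSHeuristics
"{0}: dSHeuristics = '{1}'" -f $TrustedDc, $dsHeuristics

# The seventh character (fLDAPBlockAnonOps) is the one KB 326690 changes: '2'
# lets unauthenticated LDAP clients read the directory, anything else limits
# anonymous binds to rootDSE. Report it so the change stays visible and can be
# reverted once the real cause of the error is found.
if ($dsHeuristics.Length -ge 7 -and $dsHeuristics[6] -eq '2') {
    "Anonymous LDAP operations are ENABLED in the forest of $TrustedDc"
} else {
    "Anonymous LDAP operations are disabled (default) in the forest of $TrustedDc"
}
```

Both values widen anonymous access when set as the steps describe, which is why the script only reports them: run it once before the change to record the baseline and once afterwards, and restore the baseline if the object picker error turns out to have another cause.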

If the issue still exists, please help me to capture a screen shot of the
error message. To capture a screen shot, you can:

1. When the screen appears, press the Print Screen key several times, which
is to the right of the F12 key on the keyboard.
2. Open Paint or Microsoft Word or WordPad.
3. Click Edit (menu) -> Paste or press Ctrl + V.
4. Click File (menu) -> Save. Save it to a file and attach it in email to
send it to me at (e-mail address removed).

Hope this helps.

Best regards,

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

--------------------
From: Steven Wang [MSFT] (e-mail address removed)
Organization: Microsoft
Date: Wed, 08 Feb 2006 02:31:00 GMT
Subject: Re: External trust and a member server
Newsgroups: microsoft.public.win2000.active_directory

Hello

Thank you for your reply.

This is a quick note to let you know that I am researching your issue and
will get back to you as soon as possible. I appreciate your patience.

Have a great day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

--------------------
From: NetGear
Date: Fri, 3 Feb 2006 18:07:56 +0200
Subject: Re: External trust and a member server
Newsgroups: microsoft.public.win2000.active_directory
 
Thank you very much.
1. On this member server of domain A, please log on as a domain user
account of domain B. Please test whether the user account of domain B can
log on this member server successfully. If so, please test the issue
again.

Actually, I don't know any user account's password from the trusted domain B.
There are about five different groups in the trusted domain that I should
give some permissions on our member servers' shared directories.
2. Please double check the DNS Server secondary zone settings. Please
ensure that the SRV records are transferred from the primary zone
correctly.

Everything seems to be all right, except that the _msdcs subfolder is grayed
out and it is empty.

I will check the remaining things tomorrow. Is there something strange with
the DNS zones however?
 
Hi NetGear,

Thanks for your prompt reply.

Based on my experience, it is abnormal that the _msdcs subfolder is grayed
out and empty. The _msdcs records are SRV records that are used to locate
AD services. I would suggest we refer to the following steps to recreate
the secondary zone on the DNS server of the trusting domain A to see
whether the issue can be resolved:

1. Delete the secondary zone.

2. Add a standard secondary forward lookup zone on the DNS server in the
trusting domain:

a. Start the DNS snap-in, expand the server, right-click Forward Lookup
Zones, and then click New Zone.
b. Click Next, click Standard secondary, and then click Next.
c. Type the name of the trusted domain, and then click Next.
d. Choose to create a new file named Domain.dns, and then click Next.
e. Click Finish.

3. Configure the DNS server in the trusted domain to perform zone transfers
with the DNS server in the trusting domain:

a. Start the DNS snap-in, expand the server, and then open the properties
of the trusted domain's forward lookup zone. Click the Zone Transfers tab.
b. Select the Allow zone transfers check box.
c. Click Only to the following servers, type the IP address of the trusting
domain's DNS server, and then click OK.

4. On the DNS server in the trusting domain, start the DNS snap-in, expand
the server, and then expand Forward Lookup Zones.

5. Right-click the secondary zone, and then click Transfer from master.

To verify the secondary zone and the SRV records, you may refer to the
following KB article:

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?id=241515
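The same verification and rebuild can be done from the command line, which is easier to repeat on each DNS server than the snap-in steps. The script below is an added example, not part of the thread or of the KB articles: it serves both the earlier advice to test name resolution with nslookup and the SRV verification described here. It assumes `dnscmd` from the Windows 2000/2003 Support Tools, and the placeholder names `domainb.example`, `dnsa.domaina.example` and the TEST-NET addresses `192.0.2.10` and `192.0.2.20`. One caveat the thread does not mention: on Windows Server 2003 the forest's `_msdcs` records live in their own zone, and the domain zone only holds a delegation to it. The DNS console shows a delegation as a grey folder, which is consistent with the symptom reported above, and a secondary of the domain zone alone never receives those records, so the script creates a secondary for the `_msdcs` zone as well.

```powershell
# Added example, not from the thread or from Microsoft: check and rebuild the
# secondary zones from a PowerShell prompt instead of the DNS snap-in.
# All names and addresses below are placeholders for this example.
$TrustedDomain  = 'domainb.example'      # trusted Windows 2003 domain B (assumed)
$TrustedDnsIp   = '192.0.2.10'           # DNS server / DC in domain B (assumed)
$TrustingDns    = 'dnsa.domaina.example' # DNS server in trusting domain A (assumed)
$TrustingDnsIp  = '192.0.2.20'           # its address, for the transfer allow-list (assumed)

# 1. Query domain A's DNS server (the one the member server uses) for the
#    locator records a domain member needs to find a DC and a GC of domain B.
#    nslookup exists on every Windows version mentioned in the thread.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$TrustedDomain",
    "_kerberos._tcp.dc._msdcs.$TrustedDomain",
    "_ldap._tcp.gc._msdcs.$TrustedDomain"
)
foreach ($name in $srvNames) {
    $out = & nslookup -type=SRV $name $TrustingDns 2>&1 | Out-String
    if ($out -match 'svr hostname\s*=\s*(\S+)') {
        "OK   $name -> $($Matches[1])"
    } else {
        "FAIL $name  (no SRV answer: _msdcs data is missing on the secondary)"
    }
}

# 2. Recreate the secondaries on domain A's DNS server. Windows Server 2003
#    keeps the forest's _msdcs records in a separate zone that the domain zone
#    only delegates to, so the domain zone alone never carries them: add both.
#    ZoneDelete reports an error the first time the _msdcs zone does not exist.
$zones = @($TrustedDomain, "_msdcs.$TrustedDomain")
foreach ($zone in $zones) {
    & dnscmd $TrustingDns /ZoneDelete $zone /f
    & dnscmd $TrustingDns /ZoneAdd $zone /Secondary $TrustedDnsIp /file "$zone.dns"
}

# 3. On domain B's DNS server, allow zone transfers only to domain A's server,
#    matching "Only to the following servers" in the snap-in.
foreach ($zone in $zones) {
    & dnscmd $TrustedDnsIp /ZoneResetSecondaries $zone /SecureList $TrustingDnsIp
}

# 4. Pull both zones now and list the SRV records that arrived.
foreach ($zone in $zones) {
    & dnscmd $TrustingDns /ZoneRefresh $zone
}
& dnscmd $TrustingDns /EnumRecords "_msdcs.$TrustedDomain" '@' /Type SRV /Child
```

Run step 1 again after the refresh: once the three names return a `svr hostname`, the member server can locate a DC of domain B through its own DNS server, which is the lookup the object picker performs before it can list users from the trusted domain.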

Hope this helps.

Have a great weekend!

Steven Wang
Microsoft Online Partner Support

--------------------
 
Hi Steven and NetGear,

I don't know if you have solved this, but I am searching for information about
the same problem.

I have a Win 2000 mixed mode and a Windows 2003. I have a full trust between
the domains, and DNS works fine. Not quite sure what WINS entry needs to be set.

When I should set rights on a folder for a user on the Win2k3 domain, from
my W2k DC it works fine. But when I should set rights on a folder for a user
on the W2k3 domain, from a workstation in the W2k domain it doesn't work.
The same message as NetGear got.

I think it has to do with WINS, but as I wrote, I don't know what it needs.

br
Micke
 