External Trust Between W2K and Server 2003

AC

I am attempting to set up a two-way external trust between a Windows 2000 AD
domain and a Server 2003 domain. They are on different subnets, accessible
to one another via VPN. They can see each other's DNSs, and WINS is up and
running and they can see each other that way.

Everything on the Server 2003 side works fine. Verifying the trust works
without a hitch. However, on the Windows 2000 server, when I go to verify
the trust, I get a dialog stating "The credentials supplied conflict with an
existing set of credentials". I'm at loggerheads here. I have no idea
what's wrong.
 
Hi
Check if KB 106211 and 197987 help.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
I recall this is a problem if you are logged into the Windows 2000 DC and
you have a connection of some sort to the Windows 2003 domain, e.g. a UNC path
open, a mapped network drive or possibly a terminal server connection open.

Make sure you are logged on to the Windows 2000 DC without it having a
connection to the Windows 2003 DC or other mapped network resource.


Regards
John
 
I recall this is a problem if you are logged into the Windows 2000 DC and
you have a connection of some sort to the Windows 2003 domain, e.g. a UNC path
open, a mapped network drive or possibly a terminal server connection open.

Make sure you are logged on to the Windows 2000 DC without it having a
connection to the Windows 2003 DC or other mapped network resource.

That was the problem. Thanks!

Now I've got a different one, and probably due more to my ignorance than
anything else, but when I try to add the trusted domains' users or groups to
groups on the other end, I can only see the ones in the builtin Users, and
not any of the ones in my other organizational units. I have tried the
delegation wizard, but it makes no difference.
 
You can use local security groups from each end of the trust.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
You can use local security groups from each end of the trust.

The problem is that if I go into the local group, the other domain does not
show up in the Location list. I can go into resources on either end and add
groups to my heart's content, but I would prefer to consolidate everything
into some universal groups so I don't go mad.
 
To implement access to a resource across a forest, add universal groups from
trusted forests to the domain local groups in the trusting forests. When a
new user account needs access to a resource in a different forest, add the
account to the respective global group in the domain of the user. When a new
resource needs to be shared across forests, add the appropriate domain local
group to the ACL for that resource. In this way, access is enabled across
forests for resources on the basis of group membership.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
To implement access to a resource across a forest, add universal groups from
trusted forests to the domain local groups in the trusting forests. When a
new user account needs access to a resource in a different forest, add the
account to the respective global group in the domain of the user. When a new
resource needs to be shared across forests, add the appropriate domain local
group to the ACL for that resource. In this way, access is enabled across
forests for resources on the basis of group membership.

The problem I'm having here is that I can happily put the other domain's
users and groups directly into ACLs, but when I go to AD Users and
Computers, I can only view the other domain's built-in groups, and that's
only adding them in the "Member Of" tab. If I go into the "Members" tab, I
can only pick users and groups from the domain I'm working in.

I could accomplish what I want through the ACLs, but it would be a gawdawful
thing to have to administer. I'll do it if I have to, but everything I've
read so far tells me I should be able to view these universal groups from
the other domain.
 
To implement access to a resource across a forest, add universal groups from
trusted forests to the domain local groups in the trusting forests. When a
new user account needs access to a resource in a different forest, add the
account to the respective global group in the domain of the user. When a new
resource needs to be shared across forests, add the appropriate domain local
group to the ACL for that resource. In this way, access is enabled across
forests for resources on the basis of group membership.

Having played around this a bit more, it's quite likely that my poor ol'
brain isn't quite gathering what you're saying.

Say I want a universal group BigTest. Does that mean I have to create the
group in both forests? At that point do I then make BigTest a member of
domain local groups?
 
Between forests you must use local groups in the other end of the forest.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
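The group nesting Jorge describes (accounts in a global group in the user's own domain, that group nested in a domain local group in the resource domain, and only the domain local group on the ACL), as an added PowerShell example that is not from this thread or either poster. It assumes the ActiveDirectory module, a trusting domain resources.example with DC dc1.resources.example, a trusted domain corp.example, the group names GG-BigTest and DL-Reports-Modify, the OU path and the folder D:\Reports; all of these are made up for the example.

```powershell
# Added example: AGDLP-style nesting across an external trust.
# Assumed names: corp.example (trusted), resources.example (trusting),
# GG-BigTest, DL-Reports-Modify, D:\Reports. None come from the thread.
Import-Module ActiveDirectory

$TrustedDomain = 'corp.example'
$TrustingDC    = 'dc1.resources.example'

# 1. Trusted domain: the global group that holds the user accounts.
#    Across an external (non-forest) trust only a domain local group on the
#    resource side can hold foreign principals, which is why the other
#    domain never appears when populating a global or universal group.
$gg = Get-ADGroup -Identity 'GG-BigTest' -Server $TrustedDomain

# 2. Trusting domain: a domain local group for the resource.
$dl = New-ADGroup -Name 'DL-Reports-Modify' -GroupScope DomainLocal `
        -GroupCategory Security `
        -Path 'OU=Resource Groups,DC=resources,DC=example' `
        -Server $TrustingDC -PassThru

# 3. Nest the trusted global group in the domain local group. The cmdlet
#    resolves the foreign object by SID and records it as a foreign
#    security principal in the trusting domain (assumed behaviour of
#    Add-ADGroupMember when given an object from the other domain).
Add-ADGroupMember -Identity $dl -Members $gg -Server $TrustingDC

# 4. Grant the resource only to the domain local group.
$acl  = Get-Acl -Path 'D:\Reports'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'RESOURCES\DL-Reports-Modify', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Reports' -AclObject $acl

# Check: the member is stored under CN=ForeignSecurityPrincipals as the
# trusted group's SID, not by name. Reading the attribute directly avoids
# the name resolution Get-ADGroupMember attempts for foreign members.
(Get-ADGroup -Identity $dl -Properties member -Server $TrustingDC).member
```

Run it from the trusting (resource) domain with an account that can create groups there and read the trusted domain; the final line should list a DN beginning with CN=S-1-5-21-... inside CN=ForeignSecurityPrincipals.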
 