I need help creating forest trusts

I have two Windows 2000 Server domains. One company joined with the
other and now they have two domains, two different forests. Both are
Windows 2000 Server platforms.

How do I create a forest trust between them? Do I need to do this
before I create secondary DNS (both host their own DNS services and I
want both forests to share resources and users)?

I've not done this before. Any assistance is greatly appreciated.

-Fran-
 
Unfortunately, forest trusts are not available with Win2000 forests. It's
only a feature of Win2003. For trusts between the forests, you would
actually create individual NT4-style trusts between specific domains in each
forest. They are not transitive either. For each domain you want to trust
you must do them individually. They are called external trusts. Also, they
do not require DNS resolution, but rather absolutely require NetBIOS
resolution since the authentication is NTLM based. Win2003 forest trusts are
DNS based.

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Thanks for that info. So how do I go about creating the trusts, then?
I tried using AD D&T but I get an error that the domain cannot be
contacted (even though I can access either one through explorer.)

I'm sure I'm missing something (probably small) in doing this but it's
new to me.

Thanks for any help.

-Fran-
 
Like I said authentication is NTLM based, which is NetBIOS based. This means
you must have NetBIOS resolution support between both domains. They must be
able to resolve each other by NetBIOS name resolution. The easiest way is to
use WINS. If both domains are using WINS, you can partner each WINS server
to the other. Once done, you should be able to create the trusts.

Ace
 
You can only create a forest trust between two Windows 2003 forests.
With a Windows 2000 forest you need to use external trusts between the
domains that need to "communicate with each other" (as in
authentication and data access).

http://www.windowsitpro.com/Article/ArticleID/41268/41268.html
http://www.microsoft.com/technet/pr...elp/7b075a25-9f29-4856-883c-f230a8ccd681.mspx
 
Sorry, I don't mean to be thick headed. I'll install WINS (which was
not installed) and try that.

Thanks for the help ( and patience! )

-Fran-
 
No problem, Fran. Give it a shot and report back with your results, please.

Ace
 
As you suggested I installed WINS on both DCs in each of the domains.
When I went into AD Domains and Trusts I right clicked on the domain
and went to properties, then the TRUSTS tab. I tried to add a domain
to trust and I got an error that the RPC service wasn't running and I
needed to check the PDC emulator. I don't know what to check on the
PDC emulator as this is a single server domain...it holds all 5 FSMO
roles.

Is this normally a pretty simple process? I would really like to get
this to work so I don't have to create the same user accounts on BOTH
domains.

Thanks again, Ace, for your help.

-Fran-
 
Usually this is rather easy. Did you make the WINS servers replication
partners?

If you did, check the records in WINS and see which one has the __MSBROWSE__
role. That should be the master browser, which in turn should be the PDC
Emulator. Each domain has one. See if the record is correct.

Ace
 
Other than enabling WINS on both servers I did nothing else. These two
domains are single-server domains. This is what has me confused as all
5 FSMO roles are on each server.

How would I make them "replication partners" ?

-Fran-
 

Simple, all you have to do is go into each WINS server's WINS console, click on
replication partners, and add the other's IP address.

Ace
 
Done (that WAS simple ;) What's next? Should I retry the trust
relationships? What if I have users from Domain A duplicated in Domain
B? (e.g. SallyA.DomainA.Com also has a login account
SallyA.DomainB.com.? Should I remove these duplicate users?) Should I
upgrade the Domain type to 2000 NATIVE instead of Mixed? Will that
allow me to use Universal Groups across these trusts? (That would be
the ideal situation as I can create rights easily and manage both sets
of users properly and efficiently.)

Thanks again, Ace for all the help! I'm learning a great deal here,
too.

-Fran-
 
No prob for the help. :-)

I wouldn't create duplicate entries. The trust will allow each domain's
accounts into the other domain. If you do not have any NT4 domain
controllers in either domain, then yes, raise it to 2000 Native mode, which
will give you Universal groups.

Depending on what is required, and if I have control of both domains, I
would add the domain admins of the one domain into the other domain's Local
Administrators group. Then I would add specific users or groups from the other
domain into whatever resources they need access to.

Ace
 
Ok. Thanks. I'll try raising the levels tomorrow. As for the dupe
users: they already exist (needed to before I thought about the domain
trusts ;) What should I do first? I need to remove them, of course,
but will it interfere with anything? i.e. I have (e-mail address removed) and
(e-mail address removed). They are the same person (passwords, etc are the
same so they could connect and use resources without having to
constantly authenticate manually.) Should I create the universal
groups first then add them to the groups and connect those universal
groups in DomainA.com to domain local groups in Domainb.com before I
delete the dupe user accounts on Domainb? (this is the part I get
confused with...that is, of course, after I figure out HOW to get the
trusts to work! I haven't retried that yet. I'll do that tomorrow,
too.

-Fran-
 
Don't delete the dupes yet. As soon as you get the trust to work, add your
primary domain user accounts to the resources in the other domain. Then
instruct your users to just connect to them without using the other account.
Ensure a smooth transition and that it works prior to deleting them a few
weeks from now.

Ace
 
You make this sound so easy ;). To add my primary domain accounts to
the resources of the other domain I do what? Is this the universal
group thing?

-Fran-
 
I would use Universal groups, yes. You can also use Global Groups. Just add
them either to the Domain Local Group you created and added to the resource,
or add the groups directly to the resource ACL.

Ace
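The group model Ace describes (a group from the account domain nested into a domain local group in the resource domain, and only that domain local group on the ACL), as an added example that is not from the thread or from Ace. Assumptions, all placeholders: the share path, the group names, and that DomainA already has a global group `G-Projects-Users` holding the users who need access. It is written for DomainB's single domain controller, which in this thread also hosts the share; `net localgroup` exists on Windows 2000, while `icacls` needs Server 2008 or later (on Windows 2000 the same ACL change is made with `cacls` or the Security tab).

```powershell
# Added example (not from the thread): resource-side group model across an external trust.
# Run on DomainB's domain controller. Paths and group names are placeholders.

$sharePath   = 'D:\Shares\Projects'          # resource in DomainB (placeholder)
$dlGroup     = 'DL-Projects-Modify'          # domain local group in DomainB; the only principal on the ACL
$sourceGroup = 'DOMAINA\G-Projects-Users'    # global group in the trusted account domain (placeholder)

# 1. Create the domain local group in the resource domain. On a DC, "net localgroup /domain"
#    creates a domain local group in Active Directory, not a machine-local group.
net localgroup $dlGroup /add /domain /comment:"Modify on Projects share; members come from DomainA"

# 2. Nest the trusted domain's global (or universal) group into it. Across an external trust
#    the member is stored as a foreign security principal, so no duplicate user accounts are needed.
net localgroup $dlGroup $sourceGroup /add /domain

# 3. Grant the domain local group Modify on the folder, inherited by subfolders and files.
#    ${dlGroup} is braced because a colon directly after a variable name confuses the parser.
icacls $sharePath /grant "DOMAINB\${dlGroup}:(OI)(CI)M"

# 4. Verify: who is in the group, and which ACE actually landed on the folder.
net localgroup $dlGroup /domain
icacls $sharePath | Select-String $dlGroup

# Ace's administrative step, if you choose to do it: DomainA's Domain Admins into DomainB's
# built-in Administrators. This is a broad grant; limit it to the admins who really need it.
# net localgroup Administrators "DOMAINA\Domain Admins" /add /domain
```

Two things to keep in mind with this layout. Membership of `DL-Projects-Modify` now equals access to the share, so changes to that group are the thing to audit rather than the ACL itself. And while a domain is still in Windows 2000 mixed mode, domain local groups can only be used on domain controllers; that is fine for the single-server domains in this thread, but a member file server would need the domain raised to native mode first.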
 
Oh, yes. It really isn't that hard... :-)
 
I'm hitting new heights! I got DomainB to trust DomainA (in both
windows ... trusting and trusted in AD Domains & Trusts on DomainB
PDC.)

However, when I go to DomainA and try to establish the two-way trust
I get an error when I hit VERIFY:
-----------------------------------------
"Information from the PDC for DomainB cannot be obtained because: The
RPC server is unavailable.

Make sure that the PDC is operating properly and then try again."
-----------------------------------------

I also tried to set up a secondary DNS zone on both (read somewhere
that this will help speed up both sides, too.) I was able to set up
the secondary zone on DomainB (for DomainA) but when I tried to set up
the secondary DNS zone on DomainA for DomainB I get an error (big red
X) as follows:
-----------------------------------------
The DNS server encountered an error while attempting to load the zone.
The transfer of the data from the master server failed.

Please correct the problem then either press F5, or on the Action menu,
click Refresh.
-----------------------------------------

Naturally there's a problem here somewhere but how can I tell? I checked
both PDCs and the RPC service is running on both servers. I ran
DCDiag /Fix and NetDiag /Fix on both servers and they're both fine.

What can I run to see why DNS won't transfer? Do you think this is the
same problem of the trusts?

-Fran-
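The two errors above ("The RPC server is unavailable" on trust verification, and a secondary zone that fails to transfer) each have a short list of prerequisites that can be checked from the command line before retrying. The script below is an added example and not from the thread or from Ace; it bundles those checks, including Ace's earlier question about WINS replication partners. Everything in it is assumed: the addresses are constructed, the domain names follow the thread's DomainA/DomainB, and the tools are the Windows built-ins (`nbtstat`, `nltest`, `netdom` and `dnscmd` exist on Windows 2000, the latter two from the Support Tools; `Test-NetConnection` and `Resolve-DnsName` need Windows 8.1 / Server 2012 R2 or later; the `netsh wins` syntax is as documented for Server 2003).

```powershell
# Added example (not from the thread): prerequisite checks for an external trust and a
# secondary DNS zone, run from DomainA's DC against DomainB's DC. Names/addresses are placeholders.

$otherDomain  = 'DomainB.com'
$otherNetbios = 'DOMAINB'
$otherDcIp    = '10.0.2.10'     # constructed: DomainB's single DC (PDC emulator, DNS, WINS)
$thisDcIp     = '10.0.1.10'     # constructed: DomainA's single DC

# --- "The RPC server is unavailable" --------------------------------------------------------
# 1. NetBIOS name resolution. The external trust authenticates with NTLM, so this DC must
#    resolve DOMAINB<1B> (domain master browser, i.e. the PDC emulator) and DOMAINB<1C> (DCs).
nbtstat -A $otherDcIp          # remote name table should show DOMAINB <1B> and <1C>
nbtstat -c                     # local cache; a WINS-served entry appears here after a lookup

# 2. WINS replication partners (Ace's question). Each side should list the other.
netsh wins server \\$thisDcIp show partner
# If the other server is missing, add it as a push/pull partner (Type=2) here and on DomainB:
# netsh wins server \\$thisDcIp add partner Server=$otherDcIp Type=2

# 3. The RPC endpoint mapper (TCP 135) on the other PDC emulator must be reachable; a filter
#    between the two DCs produces exactly the "RPC server is unavailable" message.
Test-NetConnection -ComputerName $otherDcIp -Port 135

# 4. Can the other domain's PDC be located by name, and what does each side know of the trust?
nltest /dsgetdc:$otherNetbios /pdc
nltest /trusted_domains
netdom trust DomainA.com /d:$otherDomain /verify

# --- "The transfer of the data from the master server failed" -------------------------------
# 5. The secondary zone on this DC pulls DomainB.com from DomainB's DNS server with a zone
#    transfer. The master refuses unless this DC's address is allowed under the zone's
#    Zone Transfers setting, which is the usual cause of the error Fran quotes.
Resolve-DnsName -Name $otherDomain -Type SOA -Server $otherDcIp   # does the master answer at all?
dnscmd $otherDcIp /ZoneInfo $otherDomain                          # check the secure secondaries setting
# Allow only DomainA's DC to transfer the zone, then refresh the secondary here:
# dnscmd $otherDcIp /ZoneResetSecondaries $otherDomain /SecureList $thisDcIp
# dnscmd $thisDcIp /ZoneRefresh $otherDomain
```

Steps 1 through 3 are the ones that matter for the trust; the external trust does not depend on DNS, so the zone transfer failure in step 5 is a separate problem that happens to have a similar cause (the other server not accepting the request from this address). Restricting zone transfers to a listed secondary, rather than allowing them to any server, keeps the zone contents from being enumerated by anything else that can reach port 53.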
 