Trust relationships between sites.

ichi.brown

All,

I have searched through the Usenet archives as well as most searches on
Google for quite a while. I'm making this post because, frankly, I'm at
a loss.

I'm a Unix administrator turned Windows + Unix administrator; for the
past couple of years I've been deploying and maintaining Active Directory
at a 2003 domain functional level.

We have this weird setup, where one of our departments is located on a
different floor, in a different AD forest, on totally different subnets
separated by routers. These are facts that cannot change. I cannot
add the users to the forest they are trying to contact. However, I did
set up a one-way transitive trust with the domain they are bound to and
the domain forest we have on the other floors in the building.

Users, when trying to map network drives, are always unable to, or it
happens sporadically. One of the other gentlemen in Systems was a
Windows administrator back when NT was rampant and sets up LMHOSTS files
on the machines to obtain access to some of our servers on the other
floors.

I want an end-all solution using existing technologies to rid the
problem of "No logon servers currently available to meet your request"
when users try to map shared drives located on the other forest.
Allow me to type things out more clearly.

ad01 = first forest
ad02 = second forest

pc01 = client machine on forest 01
srv02 = server located on the second forest, on a separate broadcast segment.
srv02b = 2nd server on second forest
srv01 = server on first forest.

pc01 needs to map a drive to srv01.ad01 and srv02.ad02.
pc01 can currently map a drive to the servers in the domain it's bound
to (srv01.ad01), but it always spits out the error "no logon servers
available" with srv02.ad02 and srv02b.ad02.

Is there something more in depth that needs setup other than what I
have?

I have tried LMHOSTS to some avail; however, maintaining a hosts file is
rather outdated, I would assume. I have set up WINS servers on both
networks. ad01 has entries for domain ad02 and its domain
controllers. ad02 does not have WINS entries for ad01 and its
associated machines.

Unfortunately, because of the way administration is on these domains,
the trust is one-way transitive. ad02 trusts users in ad01 but not
vice versa. This is to protect various corporate interests and
resources.

I only have full control over the ad02 domain, which is somewhat of a
"rogue" domain, we're told, but I don't see any reason why this shouldn't
work a lot more smoothly. If you need further information, please let
me know; I'll be quick to respond. If I've violated any FAQ or posting
guidelines, I apologize ahead of time, and flaming isn't required.

Thanks in advance,

Robb O'Driscol
 
I just skimmed this, but it sounds more like name resolution issues than
domain issues. You need a consolidated name resolution scheme. There
absolutely should not be a need for LMHOSTS or hosts files; that is what
DNS and WINS are for.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
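To act on the advice above, the first thing to establish is which of the three paths is actually failing on pc01: DNS (the DC locator's SRV lookup for the other forest), NetBIOS/WINS, or the trust itself. The following PowerShell script is an added example, not part of this thread or any poster's code. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName (nltest and nbtstat exist on any domain-joined box), and it assumes hypothetical DNS names ad01.local and ad02.local, since the thread only gives the short names ad01 and ad02.

```powershell
# Added diagnostic, not from the thread. Run on pc01 (a member of ad01) when
# mapping \\srv02.ad02\share fails with "No logon servers currently available"
# (Win32 error 1311, ERROR_NO_LOGONSERVERS).
param(
    [string]$RemoteDomain    = 'ad02',       # NetBIOS name of the trusting domain (from the thread)
    [string]$RemoteDnsDomain = 'ad02.local', # its DNS name (assumed; the thread only says "ad02")
    [string]$TargetServer    = 'srv02'       # file server in ad02 (from the thread)
)

$results = [ordered]@{}

# 1. DNS path: the DC locator asks for SRV records under _ldap._tcp.dc._msdcs.<dnsdomain>.
#    If ad01's DNS cannot answer this for ad02, Kerberos/NTLM pass-through cannot find a DC.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDnsDomain" -Type SRV -ErrorAction Stop
    $results['DNS SRV for remote DCs'] = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
} catch {
    $results['DNS SRV for remote DCs'] = "FAILED: $($_.Exception.Message) -> ad01 DNS needs a forwarder for $RemoteDnsDomain"
}

# 2. DNS path: the target server's own A record.
try {
    $a = Resolve-DnsName -Name "$TargetServer.$RemoteDnsDomain" -Type A -ErrorAction Stop
    $results['DNS A for target'] = ($a | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
} catch {
    $results['DNS A for target'] = "FAILED: $($_.Exception.Message)"
}

# 3. NetBIOS path: across routers, NetBIOS names resolve only through WINS (or LMHOSTS).
#    A client with no WINS server configured cannot find the remote domain's 1Ch record.
$nic = Get-CimInstance Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and $_.DefaultIPGateway }
$results['WINS servers on client'] = if ($nic.WINSPrimaryServer) {
    "$($nic.WINSPrimaryServer) $($nic.WINSSecondaryServer)".Trim()
} else { 'NONE -> this machine is not a WINS client' }

$nbt = nbtstat -a $TargetServer 2>&1
$results['NetBIOS lookup of target'] = if ($nbt -match 'Host not found') { 'FAILED (Host not found)' } else { 'OK' }

# 4. Trust/locator path: nltest makes the local (ad01) DC locate a DC in ad02 over the trust,
#    which is the same step the drive mapping needs. Status 1355 = domain not found (name
#    resolution), 1311 = no logon servers.
$dc = nltest /dsgetdc:$RemoteDomain /force 2>&1
$results['nltest /dsgetdc'] = if ($LASTEXITCODE -eq 0) {
    ($dc | Select-String '^\s*DC:').Line.Trim()
} else { "FAILED: $($dc -join ' ')" }

$trusts = nltest /domain_trusts 2>&1
$results['trust list shows remote'] = if ($trusts -match $RemoteDomain) { 'yes' } else { 'no -> trust not visible from ad01' }

$results.GetEnumerator() | Format-Table -AutoSize
```

Read the table top down: if step 1 fails but step 4 succeeds, the locator fell back to NetBIOS and the mapping will be exactly as "sporadic" as WINS is; if steps 1 and 2 succeed but the client has no WINS server and the trust is an external (non-forest) trust, the NetBIOS path is the one to fix.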
 
> All,
>
> I have searched through the Usenet archives as well as most searches on
> Google for quite a while. I'm making this post because, frankly, I'm at
> a loss.

There is no such thing as "trusts...between sites". Trusts are between
DOMAINS (always, except in the Win2003 Server Native mode case
of trusts between forests -- but even that is implemented between the
root forest domains of each forest.)
> I'm a Unix administrator turned Windows + Unix administrator; for the
> past couple of years I've been deploying and maintaining Active Directory
> at a 2003 domain functional level.
>
> We have this weird setup, where one of our departments is located on a
> different floor, in a different AD forest, on totally different subnets
> separated by routers.

Then likely you have a NetBIOS resolution issue since external trusts are
usually dependent on NetBIOS (you might also have a DNS resolution issue).

For NetBIOS to work across routers you need WINS Server(s)
and every machine to be a WINS "client" of the same replicated
WINS database.
> These are facts that cannot change. I cannot
> add the users to the forest they are trying to contact. However, I did
> set up a one-way transitive trust with the domain they are bound to and
> the domain forest we have on the other floors in the building.

External trusts are never transitive so this must be a Forest Level
Trust, right?

> Users, when trying to map network drives, are always unable to, or it
> happens sporadically. One of the other gentlemen in Systems was a
> Windows administrator back when NT was rampant and sets up LMHOSTS files
> on the machines to obtain access to some of our servers on the other
> floors.

Technically LMHosts files are an alternative to WINS Server(s)
but they are practically unworkable in all but the very simplest
cases.

Dump the LMHosts file and setup one or more WINS Server -- if you
use more than one, make sure they are all fully replicated with each
other.
> I want an end-all solution using existing technologies to rid the
> problem of "No logon servers currently available to meet your request"
> when users try to map shared drives located on the other forest.
> Allow me to type things out more clearly.
>
> ad01 = first forest
> ad02 = second forest

Each DNS should also be able to resolve all other domains, DCs, and
(relevant) computers from the other domain.

Use conditional forwarding or another cross-zone resolution mechanism
so that the DNS of Ad01 can resolve Ad02 and vice versa.
> pc01 = client machine on forest 01
> srv02 = server located on the second forest, on a separate broadcast segment.
> srv02b = 2nd server on second forest
> srv01 = server on first forest.
>
> pc01 needs to map a drive to srv01.ad01 and srv02.ad02.
> pc01 can currently map a drive to the servers in the domain it's bound
> to (srv01.ad01), but it always spits out the error "no logon servers
> available" with srv02.ad02 and srv02b.ad02.
>
> Is there something more in depth that needs setup other than what I
> have?

You need to get your name resolution right. DNS for sure, and WINS
almost for certain.
> I have tried LMHOSTS to some avail; however, maintaining a hosts file is
> rather outdated, I would assume. I have set up WINS servers on both
> networks. ad01 has entries for domain ad02 and its domain
> controllers. ad02 does not have WINS entries for ad01 and its
> associated machines.

Getting all of the entries right for LMHosts is practically impossible
for a domain of any significant size and way more trouble than it is
worth.

Use WINS Server and make EVERY MACHINE a WINS client.
(Every machine means DCs and all other servers too!)
> Unfortunately, because of the way administration is on these domains,
> the trust is one-way transitive. ad02 trusts users in ad01 but not
> vice versa. This is to protect various corporate interests and
> resources.
Ok.

> I only have full control over the ad02 domain, which is somewhat of a
> "rogue" domain, we're told, but I don't see any reason why this shouldn't
> work a lot more smoothly. If you need further information, please let
> me know; I'll be quick to respond. If I've violated any FAQ or posting
> guidelines, I apologize ahead of time, and flaming isn't required.

You will need admins from both (all) domains to get this right.
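The reply above spells out three fixes: conditional forwarding in both directions, one replicated WINS database with every machine as a WINS client, and confirming that a one-way transitive trust is in fact a forest trust. The following PowerShell is an added example, not part of this thread or any poster's code, showing the ad02 half of that work (the poster has full control there; the mirror image on ad01 is for that domain's admins). It assumes Windows Server 2012 or later with the DnsServer, ActiveDirectory and DhcpServer modules, and every DNS name, IP address and adapter name in it is hypothetical, since the thread only gives the short names ad01 and ad02.

```powershell
# Added example, not from the thread. Run as an ad02 domain admin on an ad02 DC.
# All names and addresses below are assumptions standing in for the real ones.
$Local  = @{ Dns = 'ad02.local'; Netbios = 'AD02'; DnsServer = '10.2.0.10'; Wins = '10.2.0.11' }
$Remote = @{ Dns = 'ad01.local'; Netbios = 'AD01'; DnsServer = '10.1.0.10'; Wins = '10.1.0.11' }

Import-Module DnsServer, ActiveDirectory, DhcpServer

# 1. DNS: a conditional forwarder so every DNS server in ad02 can answer queries for
#    ad01, including the _msdcs SRV records the DC locator uses. ReplicationScope Forest
#    stores the forwarder in AD so all ad02 DNS servers pick it up; ad01's admins need
#    the same forwarder pointing the other way.
if (-not (Get-DnsServerZone -Name $Remote.Dns -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Remote.Dns `
        -MasterServers $Remote.DnsServer -ReplicationScope 'Forest'
}
# Verify from this DNS server that ad01's DCs are now resolvable.
Resolve-DnsName -Server $Local.DnsServer -Type SRV -Name "_ldap._tcp.dc._msdcs.$($Remote.Dns)" |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# 2. WINS: the two WINS servers must share ONE replicated database, so ad02's WINS learns
#    the AD01 1Bh/1Ch domain records and vice versa. Type=2 makes ad01's WINS a push and
#    pull partner; "init replicate" triggers a replication cycle now instead of waiting.
netsh wins server \\$($Local.Wins) add partner Server=$($Remote.Wins) Type=2
netsh wins server \\$($Local.Wins) init replicate

#    Every machine, DCs and servers included, must be a WINS client. DHCP option 44 covers
#    the clients in the ad02 scope; statically addressed servers get it per adapter.
Set-DhcpServerv4OptionValue -ScopeId 10.2.0.0 -WinsServer $Local.Wins
netsh interface ipv4 set winsservers name="Ethernet" source=static address=$($Local.Wins)

# 3. Trust: external trusts are never transitive, so a one-way transitive trust must be a
#    forest trust. Expect TrustType Uplevel, ForestTransitive True and Direction Inbound
#    (ad02 trusts ad01's users, as the poster describes).
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
netdom trust $Local.Netbios /d:$Remote.Netbios /verify
```

Run the netsh wins and Set-DhcpServerv4OptionValue lines once; the DNS and trust parts are safe to rerun. After both sides have the forwarders and WINS has replicated, the client-side locator check (nltest /dsgetdc:ad02 from pc01) should succeed without any LMHOSTS entries.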
 