Trust to nt 4 domain from w2k3 forest

Thread starter: Craig Hackl

Craig Hackl wrote:

Well, I tried that and same thing... I'm not sure it's a setting on the w2k3
server, since on the NT 4 domain, if I go into User Manager, I can switch
domains to the w2k3 domain and view everything (I can't edit, obviously, since
I don't have permissions, but I can see the full list).
So I'm kinda thinking it may be an NT 4 setting that is causing this... but
I could be way off here...

Derek Melber wrote:

Craig,

How about WINS? Also, do you have a "browse master"? You can run browmon.exe
from the reskit to see who is in charge.

--
Derek Melber
BrainCore.Net
Ace Fekay wrote:

Cary Shultz [A.D. MVP] posted their thoughts, then I offered mine:

Ace,

Great thought. I thought of that as well. Please correct me if I am
incorrect, but that would affect WINNT 4 SP3 and lower? I think that
Craig stated that he has WINNT 4.0 SP6a. Does this still apply? Or
am I completely off-base here? Have not done much of anything with
WIN2003 yet.

Cary

Cary, I honestly don't remember if the NT4 SP level affects this or not.
I've seen this issue, especially with Macs and DOS. DOS since I use a DOS
setup method for my classrooms and they won't connect to the DC at the DOS
level unless I disable that setting. When I saw this post and read thru it,
I thought, hmm... just maybe this may work! But can't remember about the NT4
SP level... sorry!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Craig Hackl wrote:

OK, I found something else interesting...
I created a local group on my NT 4 domain, and I added the domain admin
group from the w2k3 domain.
I gave that local group the "access this computer from network" user right, and
while I still can't browse, I can now manually type in domaina\username and
add them to file permissions. I still can't add them to a group or anything,
but I can manually assign file permissions...

So I definitely think it's something on the NT 4 side that is causing this,
and once I can browse the user list, I think all my problems will be
solved....

Craig Hackl wrote:

I have WINS and DNS set up on the 2003 DC; everything is pointing to them.
The NT 4 PDC is the master browser for my NT 4 domain, and the 2003 DC is
the master browser for the w2k3 domain.

Derek Melber wrote:

I wonder if this is due to the added "anonymous" restrictions that 2003 has?
2000 is not as secure and not as granular. Might want to tweak the
"anonymous" restrictions and see if that helps. Especially the one related
to "SAM".

--
Derek Melber
BrainCore.Net

Craig Hackl wrote:

I don't think it's on the 2003 side, since from the NT 4 domain, I can
completely browse and do whatever I want on the 2003 domain. The only problem
is when I am on the 2003 domain, trying to give permissions to the NT 4
domain users...
So I think it's something in the NT4 domain that is preventing me from
reading the domain user list...

Ace Fekay wrote, in reply to Craig Hackl:

Not sure if this has anything to do with it, since functional level usually
deals with what sort of DCs are part of the domain and whether certain group
and other features are available, but curious, what mode is the W2k3 domain
in? Maybe trying to add someone or a group from the NT4 side into a Domain
Local Group may not be allowed but rather into a Global Group? Just hashing
out some ideas....

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Derek Melber wrote:

Ace,

I thought about that too... which is why I went with "anonymous". The mode
should not have an effect. However, "anonymous" or another setting like it
would. Basically, if 2k3 can see NT, the NT setting is allowing the
enumeration of the SAM. If NT can't see 2k3, then 2k3 is not allowing
enumeration of the SAM.

I am leaning towards a 2k3 security setting that is causing the issue.
 
Ace Fekay wrote, in reply to Derek Melber:

I thought so as well. The only other thing other than what I posted earlier
and what you just mentioned are:
Change "Send NTLM responses Only" to "Send LM and NTLM responses"
or
Disable "Digitally Encrypt or sign Secure Data Channel (always)",

But I don't see these as an issue since IIRC, W2k has these settings enabled
and can interact with NT4 domains with SP6. But at this point, I would try
these changes as well as what you suggested and see if it works.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Craig Hackl wrote:

The domain and forest are at the 2003 level of functionality...
I've tried creating a local, global, and universal group and I can't add
anyone from the NT 4 domain in... it's the same problem, I can't search the
NT 4 domain user list. And if I type in the FQDN it comes up and says it
can't find it.

But if I try to give file/share permissions and type in the FQDN it does
(even though I still can't browse those yet).

Craig Hackl wrote:

OK, I apparently thought I created a local group and tried it... doing it
now, if I create a local group, I now can see the domains, I can select the
NT domain, go to Advanced and hit Search and it brings up the full list.

So can you only add users from another domain to a domain local group?
And can you just not browse the domain list the same way as you can a 2000
domain, you have to search? I have what I need now, it's just not as nice
as I want it...

Ace Fekay wrote, in reply to Craig Hackl:

As per the AGLP (add users to a Global Group, then add the groups to a Local
Group or add the users directly into the local groups, and assign perms for the
Local group to a resource) backward-compatible rules, that's pretty much
it. Global groups cannot contain objects outside of the domain, since they
are designed to be user "buckets" of user objects from their own domain where
they were created. That rule still follows from the NT4 days and W2k3 follows
those rules. So yes, create a domain local group in AD, then you have to
search in NT4 thru the W2k3 interface, since that's the way the new
interface works. You can just hit Advanced and select object types (users,
groups, etc.) and hit Search and they show up. Unfortunately, that's the way
it works.

Hope that helps...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
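The group-scope rules Ace lays out, and the behaviour Craig observed (only a domain local group accepts the NT4 user), as an added Python model; this is not code from the thread or from Microsoft, and the domain names CORP (the W2k3 forest) and DOMAINA (the NT4 domain over an external trust) are assumptions for the example:

```python
from dataclasses import dataclass
from typing import Optional

# Assumed names for this example: CORP is the W2k3 forest, DOMAINA is the
# NT4 domain reached over an external (non-forest) trust.
FOREST_DOMAINS = {"CORP"}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: Optional[str] = None  # None = user account, else the group scope


def can_add(group, member, forest=FOREST_DOMAINS):
    """Return (allowed, reason) for nesting `member` into `group`.

    Global groups hold only objects of their own domain; domain local groups
    accept users and global/universal groups from any trusted domain (the
    NT4 one included); universal groups reach across the forest only.
    """
    same_domain = group.domain == member.domain
    both_in_forest = group.domain in forest and member.domain in forest
    if group.scope == "global":
        if not same_domain:
            return False, "global groups only contain members of their own domain"
        if member.scope not in (None, "global"):
            return False, "global groups nest only users and other global groups"
        return True, "ok"
    if group.scope == "universal":
        if member.scope == "domain local":
            return False, "universal groups cannot nest domain local groups"
        if not both_in_forest:
            return False, "universal groups cannot reach across an external trust"
        return True, "ok"
    if group.scope == "domain local":
        if member.scope == "domain local" and not same_domain:
            return False, "domain local groups nest only their own domain's local groups"
        return True, "ok"  # users, global and universal groups from any trusted domain
    raise ValueError(f"unknown group scope {group.scope!r}")


def scopes_accepting(member, domain="CORP"):
    """Group scopes in `domain` that will accept `member`."""
    return [s for s in ("global", "universal", "domain local")
            if can_add(Principal("g", domain, s), member)[0]]


if __name__ == "__main__":
    craig = Principal("craig", "DOMAINA")  # NT4 user over the external trust
    print(scopes_accepting(craig))  # ['domain local']
```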
 