Dear All,

We have two native Windows 2003 Forests with a two-way non-transitive trust
configured between them.

Certain functionality, especially within AD, isn't available, i.e. we cannot
add groups/users from Domain A to Domain B or vice versa. The only
exception is local groups: we can add users or groups from Domain A and
Domain B to the other. But this functionality isn't available for global or
universal groups, which would enable us to effectively share resources
between both organisations.

DCDIAG results in the Outbound Secure Channels test failing. There was an
issue with time synchronisation between the two forests (an approximate four
minute difference). This has now been addressed, but upon rerunning
DCDIAG the exact same errors occur.

I believe it could be DNS related, even though we have secondary zones for
Domain A in Domain B and vice versa. Can anyone advise?

Below are the errors we receive in a DCDIAG:

Could not Check secure channel from DC1 Domain A to Domain B: Win32 Error 1355
Could not Query Trusted Domain: Win32 Error 2

Any help or advice is gratefully received.

Regards,

Darren

Re: 2003 Forest Trust Issues - Please Help by Marcin

Marcin
Thu May 08 07:47:51 PDT 2008

Darren,
fixing your trust issue aside, what exactly are you trying to accomplish?
Global and Universal groups can only contain accounts from the same domain
and forest, respectively. If you intend to facilitate cross-forest resource
access, you should be using domain local groups...
Btw. you mentioned that your existing forest trust is non-transitive. Can
you clarify that (it sounds like you are operating on Windows Server 2003
Forest functional level)? Where in the forest hierarchy are your domains A
and B?

hth
Marcin
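
The nesting Marcin describes, as an added example that is not code from this thread: a global group from Forest A is placed into a domain local group in Forest B across the forest trust. It uses ADSI rather than the ActiveDirectory module so it runs on any domain-joined Windows box; the DC names, group DNs and domain DN are assumptions, and the scope check encodes the rule in his reply (global: own domain only; universal: own forest only; domain local: may hold principals from a trusted forest).

```powershell
# Added example, not code from the thread: nest a global group from Forest A into a
# domain local group in Forest B across the forest trust, using ADSI so that it runs
# without the ActiveDirectory module. Hostnames and DNs below are assumptions.
$ForestADc    = 'dc1.domaina.example'                                 # assumption
$ForestBDc    = 'dc1.domainb.example'                                 # assumption
$ForestBDn    = 'DC=domainb,DC=example'                               # assumption
$SourceGroup  = 'CN=Helpdesk Staff,OU=Groups,DC=domaina,DC=example'   # global group, Forest A
$TargetGroup  = "CN=Helpdesk Access,OU=Groups,$ForestBDn"             # domain local group, Forest B

# groupType scope bits as defined by the AD schema
$ADS_GROUP_TYPE_GLOBAL       = 0x2
$ADS_GROUP_TYPE_DOMAIN_LOCAL = 0x4
$ADS_GROUP_TYPE_UNIVERSAL    = 0x8

function Get-GroupScope([System.DirectoryServices.DirectoryEntry]$Group) {
    $t = [int]$Group.Properties['groupType'].Value
    if ($t -band $ADS_GROUP_TYPE_DOMAIN_LOCAL) { return 'DomainLocal' }
    if ($t -band $ADS_GROUP_TYPE_UNIVERSAL)    { return 'Universal' }
    if ($t -band $ADS_GROUP_TYPE_GLOBAL)       { return 'Global' }
    throw "Unrecognised groupType $t on $($Group.Properties['distinguishedName'].Value)"
}

$src = [ADSI]"LDAP://$ForestADc/$SourceGroup"
$dst = [ADSI]"LDAP://$ForestBDc/$TargetGroup"

# Only a domain local group can hold a principal from another forest. A global group
# takes members from its own domain only, a universal group from its own forest only,
# so refuse up front instead of letting the Forest B DC reject the write.
$dstScope = Get-GroupScope $dst
if ($dstScope -ne 'DomainLocal') {
    throw "$TargetGroup is a $dstScope group; cross-forest members need a domain local group"
}

# Add by SID. Forest B cannot store a DN that lives in Forest A, so the DC creates a
# foreignSecurityPrincipal object named after the SID and records that as the member.
$sidBytes = $src.Properties['objectSid'].Value
$sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
$dst.Add("LDAP://<SID=$sid>")

# Verify: the FSP object exists and the group lists it as a member.
$dst.RefreshCache()
$fsp = [ADSI]"LDAP://$ForestBDc/CN=$sid,CN=ForeignSecurityPrincipals,$ForestBDn"
"Foreign security principal: $($fsp.Properties['distinguishedName'].Value)"
"Members of $TargetGroup now:"
$dst.Properties['member'] | ForEach-Object { "  $_" }
```

Run it as an account that can write to the target group in Forest B and read the source group in Forest A. Resources in Forest B are then permissioned to the domain local group; membership is managed entirely from Forest A's global group, which is the pattern Marcin is pointing at.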


Re: 2003 Forest Trust Issues - Please Help by Darren

Darren
Fri May 09 00:06:50 PDT 2008

Hi Marcin,

We have several resources we would like to share between the two forests
including a Helpdesk System which will require groups of users from both
Forests to have access rights. We also need to update records in the
Helpdesk System so we need the Domain Admin in one Forest Domain to be able
to perform AD Extracts (CSVDE) from the other Forest Domain.

To make this easier to explain again, I will refer to them as Domain A and
Domain B. We do not have issues adding Share & NTFS permissions for users or
global groups in Domain A to access files or folders in Domain B. It is
only within Active Directory that it is more restrictive and we cannot use
Global or Universal Groups.

Can you advise how we can facilitate what I require using local groups
across Trusted Forests?

You are correct we are at Windows 2003 Forest Functional Level. I will also
point out that both Forests are single domain. So when I say Domain A and
Domain B one belongs to each Forest. I hope this clarifies things a bit
better.

Regards,

Darren

I can add global groups from both domains to local groups in the other.
But are you saying I
"Marcin" <marcin@community.nospam> wrote in message
news:38648930-80B7-425B-82F4-2F13CAE0F25D@microsoft.com...
> Darren,
> fixing your trust issue aside, what exactly are you trying to accomplish?
> Global and Universal groups can only contain accounts from the same domain
> and forest, respectively. If you intend to facilitate cross-forest
> resource access, you should be using domain local groups...
> Btw. you mentioned that your existing forest trust is non-transitive. Can
> you clarify that (it sounds like you are operating on Windows Server 2003
> Forest functional level)? Where in the forest hierarchy are your domains
> A and B?
>
> hth
> Marcin



Re: 2003 Forest Trust Issues - Please Help by Paul

Paul
Fri May 09 06:12:44 PDT 2008

Couple of thoughts...
netdiag /fix
dcdiag /v /s:dcname /test:outboundsecurechannels /testdomain:yourdomainname

Post the ipconfig /all of your dc's

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Darren King" <darren.king@newhamhealth.nhs.uk> wrote in message
news:%23IrxKcRsIHA.4560@TK2MSFTNGP03.phx.gbl...
> Dear All,
>
> We have two native Windows 2003 Forests with a two-way non-transitive
> trust configured between them.
>
> Certain functionality, especially within AD, isn't available, i.e. we cannot
> add groups/users from Domain A to Domain B or vice versa. The only
> exception is local groups: we can add users or groups from Domain A and
> Domain B to the other. But this functionality isn't available for global
> or universal groups, which would enable us to effectively share resources
> between both organisations.
>
> DCDIAG results in the Outbound Secure Channels test failing. There was
> an issue with time synchronisation between the two forests (an approximate
> four minute difference). This has now been addressed, but upon rerunning
> DCDIAG the exact same errors occur.
>
> I believe it could be DNS related, even though we have secondary zones for
> Domain A in Domain B and vice versa. Can anyone advise?
>
> Below are the errors we receive in a DCDIAG:
>
> Could not Check secure channel from DC1 Domain A to Domain B: Win32
> Error 1355
> Could not Query Trusted Domain: Win32 Error 2
>
> Any help or advice is gratefully received.
>
> Regards,
>
> Darren
>
>
>
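
The checks Paul lists, as an added example that is not code from this thread: a script to run on a DC in Domain A that works through DNS, time, DC location, the trust objects and the secure channel before repeating the DCDIAG test from the original post. The domain names are assumptions. Two facts about the error codes in the original post are worth having next to the output: Win32 error 1355 is ERROR_NO_SUCH_DOMAIN, which the DC locator returns when it cannot find a domain controller for the named domain, and Win32 error 2 is ERROR_FILE_NOT_FOUND.

```powershell
# Added example, not code from the thread: exercise the pieces a forest trust depends on
# from the trusting side, using only built-in tools. Run on a DC in Domain A as a member
# of Domain Admins. The domain names are assumptions.
param(
    [string]$LocalDomain   = 'domaina.example',   # assumption: this forest's domain
    [string]$TrustedDomain = 'domainb.example'    # assumption: the other forest's domain
)

function Invoke-Check([string]$Label, [scriptblock]$Action) {
    Write-Host "`n=== $Label ==="
    & $Action
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Label returned exit code $LASTEXITCODE" }
}

# 1. DNS. The DC locator needs the other forest's _msdcs SRV records. A secondary copy of
#    the forward zone does not help if _msdcs is a separate zone that was not copied.
Invoke-Check "LDAP SRV records for $TrustedDomain" {
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$TrustedDomain"
}
Invoke-Check "Kerberos SRV records for $TrustedDomain" {
    nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$TrustedDomain"
}

# 2. Time. Kerberos tolerates 5 minutes of skew by default; measure the live offset
#    against the other forest rather than relying on it having been "addressed".
Invoke-Check "Time offset to $TrustedDomain" {
    w32tm /stripchart "/computer:$TrustedDomain" /samples:3 /dataonly
}

# 3. DC locator. A failure here is what surfaces as Win32 error 1355 (ERROR_NO_SUCH_DOMAIN).
Invoke-Check "Locate a DC in $TrustedDomain" {
    nltest "/dsgetdc:$TrustedDomain" /force
}

# 4. Trust objects as seen from this domain, then the secure channel to the trusted domain.
Invoke-Check "Trusts known to $LocalDomain" {
    nltest /domain_trusts /all_trusts
}
Invoke-Check "Secure channel to $TrustedDomain" {
    nltest "/sc_verify:$TrustedDomain"
}
Invoke-Check "netdom trust verify" {
    netdom trust $LocalDomain "/domain:$TrustedDomain" /verify
}

# 5. The DCDIAG test from the original post, scoped to the trusted domain.
Invoke-Check "dcdiag OutboundSecureChannels" {
    dcdiag /v /test:OutboundSecureChannels "/testdomain:$TrustedDomain"
}
```

Read the output top down: if step 1 returns nothing or the wrong hosts, fix name resolution before looking at anything below it, since the locator, the secure channel and DCDIAG all depend on it. Run the same script on a DC in Domain B with the two parameters swapped, because a two-way trust has a secure channel in each direction.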



Re: 2003 Forest Trust Issues - Please Help by Marcin

Marcin
Fri May 09 07:04:21 PDT 2008

Darren,
you should be able to add global/universal groups from DomainA/ForestA to
any of domain local groups in DomainB - and vice versa. Doesn't this satisfy
your requirement? If so, are you saying that you can not perform this action
(even though you can assign permissions to your resources to
global/universal groups from the other domain/forest)?

hth
Marcin


Re: 2003 Forest Trust Issues - Please Help by Darren

Darren
Mon May 12 01:53:28 PDT 2008

Hi Marcin,

No, we can perform that action. For example, we have added an account which
is a Domain Administrator on ForestA/DomainA to the Local Administrators
Group on ForestB/DomainB, but we are unable then to perform AD extractions on
that domain using that account.

Can you advise?

Regards,

Darren

"Marcin" <marcin@community.nospam> wrote in message
news:10435FDF-9050-4C15-8548-739B440A8D61@microsoft.com...
> Darren,
> you should be able to add global/universal groups from DomainA/ForestA to
> any of domain local groups in DomainB - and vice versa. Doesn't this
> satisfy your requirement? If so, are you saying that you can not perform
> this action (even though you can assign permissions to your resources to
> global/universal groups from the other domain/forest)?
>
> hth
> Marcin
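
One way to separate an authentication problem across the trust from a problem with the extraction tool itself, as an added example that is not code from this thread and makes no claim about why Darren's extraction fails: bind to a DC in Forest B explicitly as the Forest A account, run a small LDAP read with that bind, and only then call CSVDE with the same credentials passed via its -b switch. The DC name, base DN and account name are assumptions.

```powershell
# Added example, not code from the thread: confirm that a Forest A account can bind to a
# DC in Forest B across the trust and read the directory, then run CSVDE with the same
# explicit credentials. Server, base DN and account below are assumptions.
$ForestBDc = 'dc1.domainb.example'       # assumption
$BaseDn    = 'DC=domainb,DC=example'     # assumption
$User      = 'DOMAINA\adm-extract'       # assumption: Forest A account granted read in Forest B
$Password  = Read-Host -Prompt "Password for $User" -AsSecureString
$PlainPw   = [System.Net.NetworkCredential]::new('', $Password).Password

Add-Type -AssemblyName System.DirectoryServices

# Explicit bind as the Forest A account. Secure = Negotiate (Kerberos across the trust,
# falling back to NTLM); the bind only happens when something is read, so force it.
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$ForestBDc/$BaseDn", $User, $PlainPw,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try {
    $entry.RefreshCache()
    "Bound to $ForestBDc as $User; naming context $($entry.Properties['distinguishedName'].Value)"
} catch {
    throw "Bind to $ForestBDc as $User failed: $($_.Exception.Message)"
}

# A paged read with the bound identity: if this returns rows, the account can read users
# in Forest B, and a CSVDE failure afterwards is not a trust or credential problem.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $entry, '(objectCategory=person)', [string[]]@('sAMAccountName'))
$searcher.PageSize = 500
$count = $searcher.FindAll().Count
"User objects readable by $User under ${BaseDn}: $count"

# Same identity handed to CSVDE explicitly (-b UserName Domain Password) instead of
# relying on whatever the interactive session happens to be logged on as.
csvde -f users-domainb.csv -s $ForestBDc -d $BaseDn `
      -r '(objectCategory=person)' -l 'sAMAccountName,mail' `
      -b 'adm-extract' 'DOMAINA' $PlainPw
```

If the bind in the try block throws, the problem is upstream of CSVDE and the secure channel and DNS checks earlier in the thread are the place to look; if the bind and the count succeed but CSVDE still fails, compare what CSVDE reports against the working LDAP read.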



Re: 2003 Forest Trust Issues - Please Help by Darren

Darren
Mon May 12 04:17:52 PDT 2008

Hi Paul,

I tried netdiag /fix on all of the DCs involved in both Forests and the
results were fairly good. One thing I noticed is that the PDC Emulator in both
Forest Domains skipped the Trust Relationship test; the other DCs passed
that test, pointing to the PDC Emulator in their Forest Domain. WINS tests
failed as we do not run WINS; all DNS tests passed, though.

I ran the DCDIAG as you indicated it failed the Outbound Secure Channels
test as before:

Could not query Trusted Domain: Win32 Error 2

I have tried to send you the screenshots, but the message is too large even
as JPGs to post to the newsgroup. Do you have an alternate place I can
send them to?

I appreciate your help with this.

Regards,

Darren


"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:epelfZdsIHA.6096@TK2MSFTNGP06.phx.gbl...
> Couple of thoughts...
> netdiag /fix
> dcdiag /v /s:dcname /test:outboundsecurechannels
> /testdomain:yourdomainname
>
> Post the ipconfig /all of your dc's
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Darren King" <darren.king@newhamhealth.nhs.uk> wrote in message
> news:%23IrxKcRsIHA.4560@TK2MSFTNGP03.phx.gbl...
>> Dear All,
>>
>> We have two native Windows 2003 Forests with a two-way non-transitive
>> trust configured between them.
>>
>> Certain functionality, especially within AD, isn't available, i.e. we
>> cannot add groups/users from Domain A to Domain B or vice versa. The only
>> exception is local groups: we can add users or groups from Domain A and
>> Domain B to the other. But this functionality isn't available for global
>> or universal groups, which would enable us to effectively share resources
>> between both organisations.
>>
>> DCDIAG results in the Outbound Secure Channels test failing. There was
>> an issue with time synchronisation between the two forests (an approximate
>> four minute difference). This has now been addressed, but upon rerunning
>> DCDIAG the exact same errors occur.
>>
>> I believe it could be DNS related, even though we have secondary zones
>> for Domain A in Domain B and vice versa. Can anyone advise?
>>
>> Below are the errors we receive in a DCDIAG:
>>
>> Could not Check secure channel from DC1 Domain A to Domain B: Win32
>> Error 1355
>> Could not Query Trusted Domain: Win32 Error 2
>>
>> Any help or advice is gratefully received.
>>
>> Regards,
>>
>> Darren
>>
>>
>>
>
>