I am trying to setup a trust between two 2003 forests/domains, Domain
A and Domain B. They are on different subnets and have a firewall
(Smoothwall) between them (single firewall...not one on each side).
Domain A is on the near side of the firewall and Domain B is on the
far side. The firewall handles the routing between the subnets and has
been configured to forward the ports listed in the following KB
article to a Domain Controller in Domain A.

http://support.microsoft.com/kb/179442

A two-way external trust was setup between the forests/domains and
validates just fine. Also, I can add users or groups from Domain B to
groups in Domain A, thus giving them access to resources in that
domain. There are no problems at all doing this. It prompts me for
authentication but when I type in a username/pw from Domain B, I can
see all the users and groups and am able to assign them to groups in
Domain A without any trouble. When I am in Domain B and I try to add
users from Domain A to a group in Domain B, I cannot see Domain A.

I've tried typing in names as user@DomainA.local, DomainA\user hoping
that I could get around not being able to browse/select users/groups
but it's not working.

Something else to note, DNS on each side has been configured to
forward for the other domain. I can resolve names both ways at a
command prompt. I can only ping one way b/c ICMP is blocked from
outside of the firewall but I can't imagine that causing the problem.

Any ideas?

Re: Problems with 2003 <=> 2003 External Trust by Ace

Ace
Sun Mar 30 20:45:12 PDT 2008

In news:4827b1ad-972c-4c3b-966c-6bd1d5de78f2@2g2000hsn.googlegroups.com,
Scoop <imscoop22@gmail.com> typed:
> I am trying to setup a trust between two 2003 forests/domains, Domain
> A and Domain B. They are on different subnets and have a firewall
> (Smoothwall) between them (single firewall...not one on each side).
> Domain A is on the near side of the firewall and Domain B is on the
> far side. The firewall handles the routing between the subnets and has
> been configured to forward the ports listed in the following KB
> article to a Domain Controller in Domain A.
>
> http://support.microsoft.com/kb/179442
>
> A two-way external trust was setup between the forests/domains and
> validates just fine. Also, I can add users or groups from Domain B to
> groups in Domain A, thus giving them access to resources in that
> domain. There are no problems at all doing this. It prompts me for
> authentication but when I type in a username/pw from Domain B, I can
> see all the users and groups and am able to assign them to groups in
> Domain A without any trouble. When I am in Domain B and I try to add
> users from Domain A to a group in Domain B, I cannot see Domain A.
>
> I've tried typing in names as user@DomainA.local, DomainA\user hoping
> that I could get around not being able to browse/select users/groups
> but it's not working.
>
> Something else to note, DNS on each side has been configured to
> forward for the other domain. I can resolve names both ways at a
> command prompt. I can only ping one way b/c ICMP is blocked from
> outside of the firewall but I can't imagine that causing the problem.
>
> Any ideas?

Trusts use NTLM authentication, which is NetBIOS based, not DNS. So there
must be NetBIOS resolution established between both sides. Plus the firewall
ports opened up based on that article have to be setup on both sides. Then
you would add the Domain Users Global from A to B's Domain Local Users
Group, and likewise for Domain Administrators, as well as in reverse.

So if you are in B trying to access A, then apparently either you are not
being authenticated to A, meaning A's trust may have failed to B, or simply
there is a lack of NetBIOS resolution from A to B, but apparently B to A
works.

What are you using for NetBIOS resolution? WINS? LMHOSTS?

WINS makes it easy. Simply create a replication partner between the two WINS
servers in both domains.
Using lmhosts is a little different:
How to write an Lmhosts file for domain validation and other name resolution
issues:
http://support.microsoft.com/kb/180094

Setting up LMHOSTS
http://www.babinszki.com/winnt/trusts/lmhosts.htm


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
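The two prerequisites Ace names, the KB 179442 ports being open in both directions and NetBIOS resolution of the other domain on each side, can be checked with a small script run on a member of each domain. The following is an added example written for this thread, not code from either poster or from Microsoft; the DC address 192.0.2.10, the host name DCB01 and the NetBIOS domain name DOMAINB are constructed, the port probe is injectable so the logic runs without a network, and the LMHOSTS line format (`<ip> <DC name> #PRE #DOM:<domain>`) is the one KB 180094 describes for domain validation.

```python
"""Added example (not from the thread): check the two things Ace calls out for
an external trust across a firewall. (1) The trust-related TCP ports must be
reachable from this side to the other side's DC; run it on both sides.
(2) This side must resolve the other domain's NetBIOS name, here via an
LMHOSTS file written the way KB 180094 describes."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Subset of the TCP ports KB 179442 lists for trusts. UDP 137/138 (NetBIOS
# name/datagram) and UDP 88/389 are also needed but cannot be probed with a
# plain TCP connect, so they are not listed here.
TRUST_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: a plain TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_trust_ports(dc_ip: str,
                      probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[int, bool]:
    """Return {port: reachable} for each trust port against one DC. `probe` is
    injectable so the report logic can be exercised without a network."""
    return {port: probe(dc_ip, port) for port in TRUST_TCP_PORTS}


def missing_ports(results: Dict[int, bool]) -> List[str]:
    """Human-readable list of the ports the firewall is not passing."""
    return [f"{p}/tcp ({TRUST_TCP_PORTS[p]})" for p, ok in sorted(results.items()) if not ok]


def lmhosts_entry(ip: str, dc_netbios_name: str, domain_netbios_name: str) -> str:
    """One LMHOSTS line for domain validation: '<ip> <DC> #PRE #DOM:<domain>'.
    #PRE preloads the entry into the NetBIOS name cache; #DOM marks the host
    as a domain controller for that domain. NetBIOS names are 1-15 chars."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for name in (dc_netbios_name, domain_netbios_name):
        if not 1 <= len(name) <= 15 or " " in name:
            raise ValueError(f"NetBIOS name must be 1-15 chars without spaces: {name!r}")
    return f"{ip}\t{dc_netbios_name.upper()}\t#PRE\t#DOM:{domain_netbios_name.upper()}"


def parse_lmhosts(text: str) -> List[Tuple[str, str, str]]:
    """Parse LMHOSTS text into (ip, host, domain-or-'') tuples. '#PRE' and
    '#DOM:' are keywords; any other token starting with '#' begins a comment."""
    entries: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        ip, host = tokens[0], tokens[1]
        domain = ""
        for tok in tokens[2:]:
            if tok.upper().startswith("#DOM:"):
                domain = tok[5:]
            elif tok.upper() == "#PRE":
                continue
            elif tok.startswith("#"):
                break  # trailing comment
        entries.append((ip, host.upper(), domain.upper()))
    return entries


def domains_resolvable(text: str, required: List[str]) -> List[str]:
    """Return the required NetBIOS domain names that have no #DOM entry, i.e.
    the domains this side cannot locate a DC for via LMHOSTS."""
    present = {d for _, _, d in parse_lmhosts(text) if d}
    return [d for d in required if d.upper() not in present]


# Constructed sample: the LMHOSTS a Domain A machine would carry so that it
# can find Domain B's DC (address and names are made up for this example).
SAMPLE_LMHOSTS_ON_A = "\n".join([
    "# LMHOSTS on a Domain A member (constructed example)",
    lmhosts_entry("192.0.2.10", "DCB01", "DOMAINB"),
])


if __name__ == "__main__":
    # Constructed firewall behaviour: everything forwarded except 139 and 445.
    fake_firewall = lambda host, port: port not in (139, 445)
    results = check_trust_ports("192.0.2.10", probe=fake_firewall)
    print("ports not passed by the firewall:", missing_ports(results))
    print(SAMPLE_LMHOSTS_ON_A)
    print("domains without a #DOM entry:", domains_resolvable(SAMPLE_LMHOSTS_ON_A, ["DOMAINB"]))
```

Run it once from Domain A against Domain B's DC and once from Domain B against Domain A's DC with the default `tcp_reachable` probe; an asymmetric result matches the one-way symptom in the thread, where B-to-A resolution or authentication fails while A-to-B works. After editing LMHOSTS on a Windows host, `nbtstat -R` reloads the preloaded entries and `nbtstat -c` shows the cache.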