I am attempting to set up a two-way external trust between a Windows 2000 AD
domain and a Server 2003 domain. They are on different subnets, accessible
to one another via VPN. They can see each other's DNSs, and WINS is up and
running and they can see each other that way.

Everything on the Server 2003 side works fine. Verifying the trust works
without a hitch. However, on the Windows 2000 server, when I go to verify
the trust, I get a dialog stating "The credentials supplied conflict with an
existing set of credentials". I'm at loggerheads here. I have no idea
what's wrong.


--
Aaron Clausen mightymartianca@gmail.com

fnor

Re: External Trust Between W2K and Server 2003 by Jorge

Jorge
Tue Mar 11 12:24:09 PDT 2008

Hi
Check if KB 106211 and 197987 help.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Re: External Trust Between W2K and Server 2003 by John

John
Tue Mar 11 13:37:43 PDT 2008

I recall this is a problem if you are logged into the Windows 2000 DC and
you have a connection of sorts to the Windows 2003 domain, e.g. a UNC path
open, mapped network drive or possibly a terminal server connection open.

Make sure you are logged on to the Windows 2000 DC without it having
connection to the Windows 2003 DC or other mapped network resource.


Regards
John

"AC" <mightymartianca@gmail.com> wrote in message
news:slrnftdihp.3su.mightymartianca@rotten.egg.sandwich...
> I am attempting to set up a two-way external trust between a Windows 2000
> AD domain and a Server 2003 domain. They are on different subnets,
> accessible to one another via VPN. They can see each other's DNSs, and
> WINS is up and running and they can see each other that way.
>
> Everything on the Server 2003 side works fine. Verifying the trust works
> without a hitch. However, on the Windows 2000 server, when I go to verify
> the trust, I get a dialog stating "The credentials supplied conflict with
> an existing set of credentials". I'm at loggerheads here. I have no idea
> what's wrong.
>
>
> --
> Aaron Clausen mightymartianca@gmail.com
>
> fnor


Re: External Trust Between W2K and Server 2003 by AC

AC
Wed Mar 12 11:02:46 PDT 2008

On Tue, 11 Mar 2008 20:37:43 -0000,
John McManus <johnxmcmanus@hotmail.com> wrote:
> I recall this is a problem if you are logged into the Windows 2000 DC and
> you have a connection of sorts to the Windows 2003 domain, e.g. a UNC path
> open, mapped network drive or possibly a terminal server connection open.
>
> Make sure you are logged on to the Windows 2000 DC without it having
> connection to the Windows 2003 DC or other mapped network resource.

That was the problem. Thanks!

Now I've got a different one, and probably due more to my ignorance than
anything else, but when I try to add the trusted domains' users or groups to
groups on the other end, I can only see the ones in the builtin Users, and
not any of the ones in my other organizational units. I have tried the
delegation wizard, but it makes no difference.

--
Aaron Clausen mightymartianca@gmail.com

Re: External Trust Between W2K and Server 2003 by Jorge

Jorge
Wed Mar 12 11:22:03 PDT 2008

You can use local security groups from each end of the trust.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Re: External Trust Between W2K and Server 2003 by AC

AC
Wed Mar 12 11:39:18 PDT 2008

On Wed, 12 Mar 2008 18:22:03 -0000,
Jorge Silva <jorgesilva_pt@hotmail.com> wrote:
> You can use local security groups from each end of the trust.

The problem is that if I go into the local group, the other domain does not
show up in the Location list. I can go into resources on either end and add
groups to my heart's content, but I would prefer to consolidate everything
into some universal groups so I don't go mad.

--
Aaron Clausen mightymartianca@gmail.com

fnor

Re: External Trust Between W2K and Server 2003 by Jorge

Jorge
Wed Mar 12 11:49:57 PDT 2008

Check
http://technet2.microsoft.com/windowsserver/en/library/517b4fa4-5266-419c-9791-6fb56fabb85e1033.mspx?mfr=true

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: External Trust Between W2K and Server 2003 by Jorge

Jorge
Wed Mar 12 11:49:29 PDT 2008

To implement access to a resource across a forest, add universal groups from
trusted forests to the domain local groups in the trusting forests. When a
new user account needs access to a resource in a different forest, add the
account to the respective global group in the domain of the user. When a new
resource needs to be shared across forests, add the appropriate domain local
group to the ACL for that resource. In this way, access is enabled across
forests for resources on the basis of group membership.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services


Re: External Trust Between W2K and Server 2003 by AC

AC
Wed Mar 12 13:54:50 PDT 2008

On Wed, 12 Mar 2008 18:49:29 -0000,
Jorge Silva <jorgesilva_pt@hotmail.com> wrote:
> To implement access to a resource across a forest, add universal groups from
> trusted forests to the domain local groups in the trusting forests. When a
> new user account needs access to a resource in a different forest, add the
> account to the respective global group in the domain of the user. When a new
> resource needs to be shared across forests, add the appropriate domain local
> group to the ACL for that resource. In this way, access is enabled across
> forests for resources on the basis of group membership.

The problem I'm having here is that I can happily put the other domain's
users and groups directly into ACLs, but when I go to AD Users and
Computers, I can only view the other domain's built-in groups, and that's
only adding them in the "Member Of" tab. If I go into the "Members" tab, I
can only pick users and groups from the domain I'm working in.

I could accomplish what I want through the ACLs, but it would be a gawdawful
thing to have to administer. I'll do it if I have to, but everything I've
read so far tells me I should be able to view these universal groups from
the other domain.

--
Aaron Clausen mightymartianca@gmail.com

fnor

Re: External Trust Between W2K and Server 2003 by AC

AC
Thu Mar 13 15:24:27 PDT 2008

On Wed, 12 Mar 2008 18:49:29 -0000,
Jorge Silva <jorgesilva_pt@hotmail.com> wrote:
> To implement access to a resource across a forest, add universal groups from
> trusted forests to the domain local groups in the trusting forests. When a
> new user account needs access to a resource in a different forest, add the
> account to the respective global group in the domain of the user. When a new
> resource needs to be shared across forests, add the appropriate domain local
> group to the ACL for that resource. In this way, access is enabled across
> forests for resources on the basis of group membership.

Having played around with this a bit more, it's quite likely that my poor ol'
brain isn't quite gathering what you're saying.

Say I want a universal group BigTest. Does that mean I have to create the
group in both forests? At that point do I then make BigTest a member of
domain local groups?

--
Aaron Clausen mightymartianca@gmail.com

fnor

Re: External Trust Between W2K and Server 2003 by Jorge

Jorge
Mon Mar 17 07:04:49 PDT 2008

Between forests you must use local groups in the other end of the forest.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Re: External Trust Between W2K and Server 2003 by AC

AC
Mon Mar 17 08:42:00 PDT 2008

On Mon, 17 Mar 2008 14:04:49 -0000,
Jorge Silva <jorgesilva_pt@hotmail.com> wrote:
> Between forests you must use local groups in the other end of the forest.

Thank you very much! That did the trick!

--
Aaron Clausen mightymartianca@gmail.com

fnor
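
The group-scope nesting rules behind the resolution of this thread, as an added example that is not part of the original posts: it checks each membership step discussed above and shows why a universal group refuses members from the other forest while a domain local group on the resource side accepts them. The domain names OLD and NEW, the accounts, and every group except BigTest are constructed, and native-mode domains are assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # domain that holds the object
    forest: str
    kind: str     # "user", "global", "universal" or "domain_local"

def can_nest(member, group, trusts):
    """Return (allowed, rule) for adding member to group.

    trusts is a set of (trusting_domain, trusted_domain) pairs. Assumes
    native-mode domains, where universal security groups exist.
    """
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if group.kind == "global":
        return (same_domain and member.kind in ("user", "global"),
                "global: members from its own domain only")
    if group.kind == "universal":
        return (same_forest and member.kind in ("user", "global", "universal"),
                "universal: members from its own forest only")
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain, "domain local: nests domain local groups of its own domain only"
        trusted = same_forest or (group.domain, member.domain) in trusts
        return trusted, "domain local: members from any domain it trusts"
    raise ValueError(f"{group.name} is not a group")

# Constructed sample: two single-domain forests joined by a two-way trust.
TWO_WAY = {("OLD", "NEW"), ("NEW", "OLD")}
alice = Principal("alice", "OLD", "old-forest", "user")
bob = Principal("bob", "NEW", "new-forest", "user")
old_staff = Principal("OldStaff", "OLD", "old-forest", "global")
big_test = Principal("BigTest", "OLD", "old-forest", "universal")
share_read = Principal("ShareRead", "NEW", "new-forest", "domain_local")

def check_chain(trusts=TWO_WAY):
    """Evaluate each nesting step discussed in the thread."""
    steps = [(alice, old_staff), (old_staff, big_test),
             (bob, big_test), (big_test, share_read)]
    return [(m.name, g.name, *can_nest(m, g, trusts)) for m, g in steps]

if __name__ == "__main__":
    for member, group, ok, rule in check_chain():
        print(f"{member:9} -> {group:10} {'allow' if ok else 'deny':5} ({rule})")
```

The denied step, bob into BigTest, corresponds to the "Members" tab offering only principals from the local domain; the allowed last step is the domain local group that then goes on the resource ACL.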