I have an external trust created from my 2000 domain to a separate and unrelated 2003 domain. I can successfully grant 2003 users access to resources on my 2000 domain.
I cannot grant 2000 domain users access to resources on the 2003 domain. When I try to add a 2000 domain user to the permissions list of a folder on the 2003 server, I can select the 2000 domain, but it will never find the user I specify, in either plain username or username@domain.com (UPN) format.
Looking for some verification of my trust settings on the 2003 server.
Thanks,
ASKED: October 26, 2004 12:55 PM
UPDATED: October 27, 2004 3:18 PM
When you set up the domain you will need to set it up twice. With two Windows 2003 domains this could be done concurrently. With the Windows 2000 domain you will need to set up the external trust with the Windows 2003 domain first as the trusted domain and then as the trusting domain. If you had in fact done this, then the problem is likely that an appropriate domain controller from the trusted domain (in your case that would be the Windows 2000 domain) cannot be located. You should validate your name resolution for the domain from a Windows 2003 domain controller.
I was able to fix the problem by creating secondary DNS zones for the other domain on each DNS server. So the 2000 servers each have a secondary forward lookup zone for the 2003 domain and vice versa. I am guessing that the LMHOSTS file was enough to get the trust going but DNS resolution was needed for AD to work properly.
Thanks to all for your replies.
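The name-resolution check discussed above, as an added example that is not part of the original thread: it reads the output of `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` run from the trusting side and reports whether a domain controller of the trusted domain can be located through DNS. The domain names, addresses and sample output are constructed, and the function names are hypothetical.

```python
import re

# Constructed nslookup output (hypothetical names and addresses), as seen from
# a DNS client in the 2003 domain asking for the 2000 domain's DC locator record.
RESOLVED = """\
Server:  dns1.corp2003.example
Address:  10.3.0.10

_ldap._tcp.dc._msdcs.corp2000.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp2000.example
dc01.corp2000.example   internet address = 10.0.0.5
"""
FAILED = ("*** dns1.corp2003.example can't find "
          "_ldap._tcp.dc._msdcs.corp2000.example: Non-existent domain\n")

def locator_name(domain):
    """DNS name of the SRV record that lists a domain's domain controllers."""
    return "_ldap._tcp.dc._msdcs." + domain.strip().rstrip(".").lower()

def parse_dcs(output, domain):
    """Return [(hostname, port, address or None)] from the domain's locator record."""
    want, in_record, port = locator_name(domain), False, None
    hosts, addrs = [], {}
    for line in output.splitlines():
        head = re.match(r"(\S+)\s+SRV service location:", line)
        addr = re.match(r"(\S+)\s+internet address = (\S+)", line)
        field = re.match(r"\s+(port|svr hostname)\s*=\s*(\S+)", line)
        if head:  # start of an SRV answer: only follow the record we asked for
            in_record = head.group(1).rstrip(".").lower() == want
        elif addr:  # A record returned alongside the SRV answer
            addrs[addr.group(1).rstrip(".").lower()] = addr.group(2)
        elif field and in_record and field.group(1) == "port":
            port = int(field.group(2))
        elif field and in_record:  # svr hostname closes one SRV entry
            hosts.append((field.group(2).rstrip(".").lower(), port))
    return [(h, p, addrs.get(h)) for h, p in hosts]

def diagnose(output, domain):
    """One-line verdict on whether DCs of `domain` can be located through DNS."""
    dcs = parse_dcs(output, domain)
    if not dcs:
        return "FAIL: no SRV record for " + locator_name(domain)
    missing = [h for h, _, a in dcs if a is None]
    if missing:  # SRV target named, but no address came back with the answer
        return "CHECK: look up A records for " + ", ".join(missing)
    return "OK: " + ", ".join("%s:%d (%s)" % dc for dc in dcs)
```

A `CHECK` verdict only means the address was not included in that answer; a separate lookup of the host name settles whether it resolves.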
Hi SWYATT, hope this helps. It sounds as if the trust you established is not transitive. Your W2K domain trusts the W2K3 and will give access to its users, but the W2K3 domain does not trust the W2K domain and will not give access to its users. Try using AD Sites and Services from a DC (on either domain) to verify the status of the trust. You may be able to start your troubleshooting from there.