Questions about Trusts

Guest
Archived from groups: microsoft.public.win2000.active_directory

Hi,

I've got a question or two (maybe more) about trusts. At my company we
wanted to join the domain that we have here in the office to another
(off-site) domain that does not share a contiguous DNS namespace. The
office domain is running Win2k and the off-site domain is running Win2k3.
They are connected via a VPN tunnel. When I created the trust I used the
Create trust wizard in Win2k3 and it made a two-way (actually two one-way
trusts) non-transitive external trust. I can ping each domain from the
other successfully and I can even enter in \\computer.domain.com to the RUN
box and the share will open up. That's cool, because that's basically what
we need. However, I'm not sure if I set up the correct kind of
relationship. I'm shooting for two domain trees in the same forest. Right
now, I think that I set up a trust between two forests. Is that correct?
If so, then how do I make it so that they are two trees in the same forest?

The ideal situation would be one where we could browse each domain and use
resources. That is not happening right now. I know that I'm not
understanding something correctly here, so any help would be great. I'd
appreciate it.

Thanks,
John
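A way to confirm what the wizard actually built, added here as an example and not part of John's post or the thread: it lists every trust the domain has and classifies it the way the thread does (in-forest tree root or parent/child, forest trust, or external non-transitive). It assumes the ActiveDirectory RSAT module, which did not exist on the Windows 2000/2003 boxes discussed here; on those, nltest /domain_trusts gives the same direction and trust-type information. The function name and the default server are mine.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory RSAT module
# on a domain-joined admin workstation with rights to read trust objects.
Import-Module ActiveDirectory

function Get-TrustSummary {
    # Lists the trusts of one domain and labels each the way the thread talks about them.
    param([string]$Server = $env:USERDNSDOMAIN)   # default: the domain this box is joined to

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $kind = if ($_.IntraForest)          { 'intra-forest (tree root or parent/child)' }
                elseif ($_.ForestTransitive) { 'forest trust (transitive, between forests)' }
                else                         { 'external trust (non-transitive, between domains)' }
        [pscustomobject]@{
            Partner   = $_.Name
            Direction = $_.Direction      # Inbound, Outbound or BiDirectional
            Kind      = $kind
            TrustType = $_.TrustType      # Uplevel = AD domain, Downlevel = NT4-style domain
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize
```

For the setup John describes, each side shows the other domain with Direction BiDirectional, IntraForest False and ForestTransitive False, which is the external trust between two separate forests; a second tree in the same forest would show IntraForest True.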
 
Guest

Hi,

What you have created is all you can do. You cannot merge two
pre-existing Forests. To make one a Domain Tree in an existing forest
you would essentially have to uninstall the Domain completely, deleting
all users etc., and then re-add it specifying to make it a tree in an
Existing Forest.

You can browse and share resources right now, but you would have to
create identical accounts with the same username and passwords in both
domains to do so. This would still be the case if you had one single
forest. However, with one forest, you may be able to use Universal
Groups. (not sure because I haven’t ever used them).

Cheers,

Lara

--
http://www.WindowsForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Trusts-ftopict243417.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=740913
 
Guest

John,

Lara is correct in saying that there is no easy way to do this. You can't
simply bring a domain under the scope of a new forest. If you really feel
the need to have them in the same forest, then you would either have to
destroy the domain and re-start, as she suggests, or do a domain migration
to a new domain in the target forest. This is not something to be done
lightly and would take a lot of planning. I would suggest that you at least
look at the ADMT to get an idea of its power -- if not now, you may need it
some day.

If your goal is to make resources available between domains, then you are on
the right track and there isn't a real need to do anything to the domains.
Rather than creating identical user names and passwords, you will need to
create new groups local to your domain to hold the foreign users. Then
assign privileges to these groups. So, if you needed to allow the
AccountingDept group in the foreign domain access to a folder, create a
group, say DomainNameAccountingDept, add the users/groups from the foreign
domain, then assign the new group to the folder.

Take a look at the article below under Foreign Security Principals for more
info:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/adusers.mspx

Hope this helps.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
 
Guest

Thanks for the responses. They helped quite a bit. I think that since the
domain that we were trying to join is so small, we're just going to wipe the
Active Directory and make a new one, but this time making it a tree in the
forest. I think that this will make things easier from a configuration
standpoint, and the added benefit is that things may get cleaned up a bit.
The other person who did the installation made some mistakes and some errors
may have been made in the configuration of AD and with the DNS and DHCP. I
may also have to do some cleanup on our domain here as well... How will the
wiping of AD and the domain affect users' files? Will they still be able to
access them? I've got an idea of the implications, but I'm not completely
sure.

So a few more questions, if you don't mind. I'm somewhat new at this, but
I'm learning pretty quickly and I really want to do things right. I need to
know about correctly configuring DNS and DHCP. Any good articles or advice
on how to do that in regards to this particular situation? Should I just
search TechNet on those words?

Also, in regards to external trusts, if, by virtue of the trust, access is
granted between the two trusting domains simply by logging onto one of the
domains; and foreign security principals can be placed in each respective
AD, what is the purpose of having the two domains listed on the logon
screens? If I'm in the home office here, and I log onto the homeoffice.com
domain and can access the resources on the other network from this domain,
why would I need/want to log onto remoteoffice.com? I guess that this
question is also applicable to having any sort of multiple trusted domains.
If I can get access to resources from one domain, why the need to log onto
any of the different ones?
Thanks for the help with the questions.
-John
 
Guest

Hi Ryan,

You mentioned something here that I would like clarification on as I
haven’t ever been able to do this. How did you actually do it?

> you will need to create new groups local to your domain to hold the
> foreign users. Then assign privileges to these groups. Create a
> group, say DomainNameAccountingDept, add the users/groups from the
> foreign domain, then assign the new group to the folder.

I have two Domains in a trust (two separate Forests of 2K). However,
there is no Option to add the groups from the Foreign Domain. It
isn’t in the list anywhere. The Only way that I have heard that this
can be done is simply by creating Universal Groups which is the
benefit of a single Forest rather than two separate Forest/domains. I
would be curious to know how you found the foreign domain to add the
users or groups?

Thanks

Lara

 
Guest
Hi John,

In answer to your question, I have my website which specifies how to
set up DNS properly: http://www.sd61.bc.ca/windows2000

I wouldn’t wipe out the User accounts in the one domain. I would use
the Active Directory Migration Tool available free to download from MS
(just search for it) and migrate them across. If you don’t the
permissions to their files will be all screwed up as permissions are
set via SID and not username so even if the users had the same name,
the permissions would be screwy.

Domains are a security Boundary. Therefore you cannot have access to
another domain resources unless you are given access. This is by
design. The Use of Universal Groups in Windows 2000 Native Mode is the
way for users to get access to multiple domains resources. This is the
benefit of a single forest vs. two forests. I have never figured out a
way to access multiple domain resources without using either Universal
Groups OR the same Username/Pwd in both domains that I mentioned. I
have been at this some 15 years through NT 3.1/NT4 W2K and now W2003.
I used to have 4 NT domains and I couldn’t even get the users to be
able to print cross-domain. Therefore the benefit of being able to
login to either domain is clear.

Cheers,

Lara

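What Lara's point about SIDs looks like on disk, as an added example that is not her code or the thread's: after a domain is wiped and rebuilt, NTFS ACLs still carry the old SIDs, which no longer resolve to names. The script lists those orphaned ACEs and, with -Fix, re-creates each one for the account given in a SID map (the kind of old-to-new SID record a migration leaves you with). The share path, the map entries and the function names are hypothetical; save it as a .ps1, run it on the file server as an administrator, and run it without -Fix first.

```powershell
# Added example, not code from the thread. Hypothetical root path and SID map.
param(
    [string]$Root = 'D:\Shares',
    [hashtable]$SidMap = @{
        # old-domain SID (hypothetical)                   -> account in the rebuilt domain
        'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'HOMEOFFICE\jrosenlof'
    },
    [switch]$Fix
)

function Get-OrphanedAces {
    # One object per explicit (non-inherited) ACE whose SID no longer maps to a name.
    # A SID the domain no longer knows is exactly what a wiped domain leaves behind:
    # NTFS stored the SID, never the username.
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # includeExplicit = true, includeInherited = false (fixing the parent fixes the children)
        foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference
            try {
                [void]$sid.Translate([System.Security.Principal.NTAccount])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Sid         = $sid.Value
                    Rights      = $ace.FileSystemRights
                    Type        = $ace.AccessControlType
                    Inheritance = $ace.InheritanceFlags
                    Propagation = $ace.PropagationFlags
                }
            }
        }
    }
}

function Repair-OrphanedAces {
    # Re-creates each orphaned ACE for the mapped account (same rights and inheritance)
    # and removes the dead SID. Orphans with no map entry are reported and left alone.
    param([string]$Path, [hashtable]$Map)
    Get-OrphanedAces -Path $Path | Group-Object -Property Path | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.Name
        $changed = $false
        foreach ($orphan in $_.Group) {
            if (-not $Map.ContainsKey($orphan.Sid)) {
                Write-Warning "No mapping for $($orphan.Sid) on $($orphan.Path); left as is"
                continue
            }
            $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Map[$orphan.Sid], $orphan.Rights, $orphan.Inheritance, $orphan.Propagation, $orphan.Type)
            $acl.AddAccessRule($newRule)
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$orphan.Sid)
            $changed = $true
        }
        if ($changed) { Set-Acl -LiteralPath $_.Name -AclObject $acl }
    }
}

if ($Fix) { Repair-OrphanedAces -Path $Root -Map $SidMap }
else      { Get-OrphanedAces -Path $Root | Format-Table Path, Sid, Rights, Type -AutoSize }
```

If the accounts were instead migrated with ADMT and SID history, the old SIDs keep resolving and this script reports nothing, which is the point Lara makes: keep the SIDs and the permissions survive; drop them and every ACE has to be rebuilt by hand or by a script like this.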
 
Guest

Lara,

You can do this by creating a foreign security principal in the target
domain that references the object in the host domain. Then the Foreign
Security Principal can be added to the target groups.

This is something that I do when I am doing domain migrations as you need
the admins of one domain to be in the Domain Admins group of the other in
order to process the workstation migrations correctly.

You're right in that it's tricky. My IP agreements will not let me share my
internal working docs, but I would refer you to the links I posted as they
were built from those.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
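Ryan's procedure from his first reply (a domain-local group in the resource domain that holds the foreign users, with that group on the folder ACL) and his note above that a foreign security principal is what lets the foreign object be added, written out as one added example; this is not code from Ryan or the thread. It assumes PowerShell and the ActiveDirectory RSAT module on a current admin workstation, which the 2003-era setup here did not have, and hypothetical names: HOMEOFFICE (homeoffice.com) is the resource domain, REMOTEOFFICE the trusted domain, AccountingDept the foreign group, and D:\Shares\Accounting the folder.

```powershell
# Added example, not code from the thread. Assumes an existing external trust and
# the hypothetical names below.
Import-Module ActiveDirectory

$localDomain   = 'homeoffice.com'
$localDomainNB = 'HOMEOFFICE'
$foreignGroup  = 'REMOTEOFFICE\AccountingDept'       # group in the trusted domain
$wrapperName   = 'REMOTEOFFICE-AccountingDept'       # Ryan's "DomainNameAccountingDept"
$share         = 'D:\Shares\Accounting'              # folder on a HOMEOFFICE file server

# 1. Resolve the foreign group to its SID. LSA does this lookup across the trust;
#    it is the same step the GUI object picker performs when you type DOMAIN\name.
$foreignSid = ([System.Security.Principal.NTAccount]$foreignGroup).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value

# 2. Create a DOMAIN LOCAL security group in the resource domain. Across an external
#    trust only domain-local groups may hold principals from the other domain.
$grp = New-ADGroup -Name $wrapperName -SamAccountName $wrapperName `
                   -GroupScope DomainLocal -GroupCategory Security `
                   -Path 'CN=Users,DC=homeoffice,DC=com' -Server $localDomain -PassThru

# 3. Add the foreign group as a member by SID. The DC creates the foreignSecurityPrincipal
#    object (CN=<SID>,CN=ForeignSecurityPrincipals,DC=homeoffice,DC=com) itself; you
#    never create it by hand. IADsGroup::Add commits immediately, no SetInfo needed.
$adsiGroup = [ADSI]"LDAP://$($grp.DistinguishedName)"
$adsiGroup.Add("LDAP://<SID=$foreignSid>")

# 4. Put the wrapper group on the folder ACL. Foreign users get access through the
#    group, so nobody needs a duplicate account in HOMEOFFICE.
$acl  = Get-Acl -LiteralPath $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$localDomainNB\$wrapperName", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $share -AclObject $acl

# 5. Check: the member is an FSP whose CN is the foreign SID, and that SID still
#    resolves to the foreign name as long as the trust is up.
(Get-ADGroup -Identity $grp -Properties member -Server $localDomain).member
([System.Security.Principal.SecurityIdentifier]$foreignSid).Translate(
    [System.Security.Principal.NTAccount]).Value
```

In Active Directory Users and Computers the same membership is added by choosing the trusted domain under Locations in the object picker, and the resulting object is visible under ForeignSecurityPrincipals once Advanced Features is on. Keep the wrapper group domain-local and grant it only what the folder needs: whoever administers REMOTEOFFICE decides who is in AccountingDept, so nesting that group is a delegation of the folder's access to them.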
 
Guest

Hi Lara,

Thanks for the link. It's going to prove helpful. I was wondering about
something concerning ADMT. Is what you're suggesting that we migrate the
users and groups from domain2 to domain1, then demote the dc of domain2 and
remove Active Directory, then repromote the dc of domain2 and migrate the
users and groups back? I have been doing some reading on TechNet about ADMT
and Domain Restructuring and this seems to be a possibility. Of course,
there's always the possibility that I didn't understand it completely :)

The potential problem with the migration is that we don't have another
computer to use that we could make a dc (to make another tree in the forest)
and then migrate everything from domain2's dc to it. If this would prevent
migration, what would prevent the users from backing files up to disk to
protect against data loss?

Thanks for any clarification that you can offer.

-John
 
Guest

Hi,

> You can do this by creating a foreign security principal in the
> target domain that references the object in the host domain. Then the
> Foreign Security Principal can be added to the target groups.

That is definitely cool! A lot of other admins I know and I have been
trying to do this for years. I did numerous searches in the help files
on W2K Server with no positive results. I guess it is confusing because
it isn't obvious, e.g. when you go to add users, all you see is the
current domain or local computer.

I have been a MS admin for 10 years but have avoided the MS boards
because of the terrible MS interface. Now with Windowsforumz.com I can
cross access the MS Boards and therefore all the expertise on them.

I just love to learn new tricks.

Thanks again

Cheers,

Lara

[WindowsForumz editor note: We thank Lara for her kind words. Note
that her interest on the board is solely as a user - and an expert
contributor]
 
Guest

Hi,

> Is what you’re suggesting that we migrate the users and groups
> from domain2 to domain1, then demote the dc of domain2 and remove
> Active Directory, then repromote the dc of domain2 and migrate the
> users and groups back?

Pretty much, yep. The other option is to just migrate the users to the
one domain and have only one domain. It really depends on how you
want your security setup.

Now, I haven’t actually used ADMT as I went from NT to 2000 with a
completely clean install and then from 2000 to 2003 with just an
upgrade. However, I know many who have used it with no problems and
been quite successful. The worst that can happen is that you would
have to delete the users. However, migration keeps the SIDs intact
which therefore keeps the security intact. I also use xcopy to copy
all the files with permissions intact.

Remember that you won’t have any data loss as long as you back it up
to the other computer. The worst scenario is that the permissions will
be lost. However, they are easily created again it is just a bit time
consuming.

Cheers,

Lara
 
Guest

Lara, in-line....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41d4be70$1_4@alt.athenanews.com...
> Hi John,
>
> In answer to your question. I have my website which specifies how to
> setup DNS properly. http://www.sd61.bc.ca/windows2000
>
> I wouldn't wipe out the User accounts in the one domain. I would use
> the Active Directory Migration Tool available free to download from MS
> (just search for it) and migrate them across. If you don't the
> permissions to their files will be all screwed up as permissions are
> set via SID and not username so even if the users had the same name,
> the permissions would be screwy.

Unless I am overlooking something, the only true Security Boundary in a
WIN2000 / WIN2003 environment is the FOREST.


> Domains are a security Boundary. Therefore you cannot have access to
> another domain resources unless you are given access. This is by
> design. The Use of Universal Groups in Windows 2000 Native Mode is the
> way for users to get access to multiple domains resources. This is the
> benefit of a single forest vs. two forests. I have never figured out a
> way to access multiple domain resources without using either Universal
> Groups OR the same Username/Pwd in both domains that I mentioned. I
> have been at this some 15 years through NT 3.1/NT4 W2K and now W2003.
> I used to have 4 NT domains and I couldn't even get the users to be
> able to print cross-domain. Therefore the benefit of being able to
> login to either domain is clear.
>
> Cheers,
>
> Lara
>