AD domain management

Guest
Archived from groups: microsoft.public.win2000.active_directory

I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
was Windows NT4. There is a one-way trust between the domains (Domain A is
the accounts (trusted) domain and domain B is the resource (trusting)
domain). I converted domain B to Windows 2003 with AD. From "AD Domains
and Trusts", I see that the converted trust is an "external,
non-transitive" trust (as expected). All cross-domain functionality appears
to work fine, except for the below.

I currently log onto a machine in Domain A under my personal account (which
also has Domain Admin rights in domain A). I want to use "AD Users and
Computers" from domain A to manage Domain B, but I cannot see domain B as
a choice. It also can't find Domain B when I enter it in the "location"
portion. Domain A's "Domain Admins" is a member of domain B's "Administrators"
group, as is my personal account.
Guest

I followed Mr. Herb Martin's procedure and still no
success.

I reinstalled the DNS server.

When I run the different diags I get these errors:

netdiag /fix

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/fserv2.myDomainName.local.


dcdiag /fix

Starting test: frsevent
There are warning or error events within the last 24
hours after the
SYSVOL has been shared. Failing SYSVOL replication
problems may cause
Group Policy problems.
......................... FSERV2 failed test frsevent

I did manually erase a folder in SYSVOL yesterday, oops.

I followed the procedure to reinstall DNS ( I see the
Active Directory DNS records _msdcs, _sites, _tcp, _udp)

The AD settings in sites and services seem ok.

How could I re-emit a Kerberos Key? Fix the sysvol?

Can anybody shed some light, please.

Thanks again
Dora

Guest

Sorry, messed up my post.

Dora

>-----Original Message-----
>I followed Mr. Herb Martin's procedure and still no
>success.
>
>I reinstalled the DNS server.
>
>When I run the different diags I get these errors:
>
>netdiag /fix
>
>Kerberos test. . . . . . . . . . . : Failed
> [FATAL] Kerberos does not have a ticket for
>host/fserv2.myDomainName.local.
>
>
>dcdiag /fix
>
> Starting test: frsevent
> There are warning or error events within the last 24
>hours after the
> SYSVOL has been shared. Failing SYSVOL replication
>problems may cause
> Group Policy problems.
> ......................... FSERV2 failed test frsevent
>
>I did manually erase a folder in SYSVOL yesterday, oops.
>
>I followed the procedure to reinstall DNS ( I see the
>Active Directory DNS records _msdcs, _sites, _tcp, _udp)
>
>The AD settings in sites and services seem ok.
>
>How could I re-emit a Kerberos Key? Fix the sysvol?
>
>Can anybody shed some light, please.
>
>Thanks again
>Dora

Guest

"Serverdude" <Serverdude@discussions.microsoft.com> wrote in message
news:F20848E5-B818-4BBE-A1F0-FCC35A425FB9@microsoft.com...
> I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
> was Windows NT4. There is a one-way trust between the domains (Domain A is
> the accounts (trusted) domain and domain B is the resource (trusting)
> domain). I converted domain B to Windows 2003 with AD. From "AD Domains
> and Trusts", I see that the converted trust is an "external,
> non-transitive" trust (as expected). All cross-domain functionality appears
> to work fine, except for the below.

Can we presume you did NOT put the new AD domain in
the same forest?

> I currently log onto a machine in Domain A under my personal account (which
> also has Domain Admin rights in domain A).

Onto Domain A at (or from) a Domain A machine, right?

> I want to use "AD Users and
> Computers" from domain A to manage Domain B, but I cannot see domain B as
> a choice. It also can't find Domain B when I enter it in the "location"
> portion. Domain A's "Domain Admins" is a member of domain B's "Administrators"
> group, as is my personal account.

External trusts still require NetBIOS name resolution.

"Seeing" is not usually about permissions directly, although
it can be about authentication, it is usually about name resolution.

Do you have more than one subnet?

Do you use WINS Servers?

IF so, did you make ALL of the machines -- especially all DCs--
WINS clients?

DNS might also play a role at times so review DNS as well:


--
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

--
Herb Martin

Guest

Thanks Herb. More info for you below ...

"Herb Martin" wrote:

> "Serverdude" <Serverdude@discussions.microsoft.com> wrote in message
> news:F20848E5-B818-4BBE-A1F0-FCC35A425FB9@microsoft.com...
> > I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
> > was Windows NT4. There is a one-way trust between the domains (Domain A is
> > the accounts (trusted) domain and domain B is the resource (trusting)
> > domain). I converted domain B to Windows 2003 with AD. From "AD Domains
> > and Trusts", I see that the converted trust is an "external,
> > non-transitive" trust (as expected). All cross-domain functionality appears
> > to work fine, except for the below.
>
> Can we presume you did NOT put the new AD domain in
> the same forest?
>
Yes. We didn't want them in the same forest on purpose!

> > I currently log onto a machine in Domain A under my personal account (which
> > also has Domain Admin rights in domain A).
>
> Onto Domain A at (or from) a Domain A machine, right?
>
Yes

> > I want to use "AD Users and
> > Computers" from domain A to manage Domain B, but I cannot see domain B as
> > a choice. It also can't find Domain B when I enter it in the "location"
> > portion. Domain A's "Domain Admins" is a member of domain B's "Administrators"
> > group, as is my personal account.
>
> External trusts still require NetBIOS name resolution.
>
> "Seeing" is not usually about permissions directly, although
> it can be about authentication, it is usually about name resolution.
>
> Do you have more than one subnet?
>
Yes

> Do you use WINS Servers?
>
Yes. The WINS Server is in Domain A and all servers point there.

> IF so, did you make ALL of the machines -- especially all DCs--
> WINS clients?
>
Yes.

> DNS might also play a role at times so review DNS as well:
>
>
> --
> DNS for AD
> 1) Dynamic for the zone supporting AD
Yes

> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
Yes

> 3) DCs and even DNS servers are DNS clients too -- see #2

> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or indirectly)
>
All servers and clients are set to use Domain B's DNS servers. Domain B's DNS
servers are set to forward DNS requests to Domain A's DNS servers for names
they cannot resolve themselves.

> netdiag /fix
>
> ....or maybe:
>
> dcdiag /fix
>
I have used those tools before and they didn't do anything for me.


> (Win2003 can do this from Support tools):
> nltest /dsregdns /server:DC-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/
>
> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain.
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
> Single-label domain zone names are a problem. Google:
> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
>
> --
> Herb Martin

How does one domain "see" another domain? What sub-protocols are used (TCP,
UDP, ?)? I assume it's some sort of broadcast?

Guest

"Serverdude" <Serverdude@discussions.microsoft.com> wrote in message
news:170824DE-27D5-4D2A-A036-5CE00984D08E@microsoft.com...
> Thanks Herb. More info for you below ...
>
> > "Serverdude" <Serverdude@discussions.microsoft.com> wrote in message
> > news:F20848E5-B818-4BBE-A1F0-FCC35A425FB9@microsoft.com...
> > > I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
> > > was Windows NT4. There is a one-way trust between the domains (Domain A is
> > > the accounts (trusted) domain and domain B is the resource (trusting)
> > > domain). I converted domain B to Windows 2003 with AD. From "AD Domains
> > > and Trusts", I see that the converted trust is an "external,
> > > non-transitive" trust (as expected). All cross-domain functionality appears
> > > to work fine, except for the below.
> >
> > Can we presume you did NOT put the new AD domain in
> > the same forest?
> >
> Yes. We didn't want them in the same forest on purpose!

Usually a mistake if you actually plan to share resources or
admins, but that is your choice.

Different domains means that the external trusts likely need
NetBIOS for the TRUSTS.

Probably still need DNS for general name resolution.


> > > I want to use "AD Users and
> > > Computers" from domain A to manage Domain B, but I cannot see domain B as
> > > a choice. It also can't find Domain B when I enter it in the "location"
> > > portion. Domain A's "Domain Admins" is a member of domain B's "Administrators"
> > > group, as is my personal account.
> >
> > External trusts still require NetBIOS name resolution.
> >
> > "Seeing" is not usually about permissions directly, although
> > it can be about authentication, it is usually about name resolution.
> >
> > Do you have more than one subnet?
> >
> Yes
>
> > Do you use WINS Servers?
> >
> Yes. The WINS Server is in Domain A and all servers point there.

So all servers in all domains are clients of this SAME
WINS server? (That's good.)

And all other machines probably should be too. And NetBIOS
must be on for the machines. (But that should gray out the
WINS server setting if you did that so likely you didn't.)

But if true, it doesn't solve the problem since it pretty much
eliminates the NetBIOS issue.

> > IF so, did you make ALL of the machines -- especially all DCs--
> > WINS clients?
> >
> Yes.
>
> > DNS might also play a role at times so review DNS as well:
> >
> >
> > --
> > DNS for AD
> > 1) Dynamic for the zone supporting AD
> Yes
>
> > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > that internal, dynamic DNS server (set.)
> Yes
>
> > 3) DCs and even DNS servers are DNS clients too -- see #2
>
> > 4) If you have more than one Domain, every DNS server must
> > be able to resolve ALL domains (either directly or indirectly)
> >
> All servers and clients are set to use Domain B's DNS servers. Domain B's DNS
> servers are set to forward DNS requests to Domain A's DNS servers for names
> they cannot resolve themselves.

Are you really using Dynamic Update for Domain A DNS
on a Domain DNS machine?

That is an awkward method but if you didn't create any
mistakes it SHOULD work.


> > netdiag /fix
> >
> > ....or maybe:
> >
> > dcdiag /fix
> >
> I have used those tools before and they didn't do anything for me.

Humor me and run

DCDIAG /Fix > nameOfDC.txt

....on each DC. Fix or report all errors by loading the txt to this
thread.

> > (Win2003 can do this from Support tools):
> > nltest /dsregdns /server:DC-ServerNameGoesHere
> > http://support.microsoft.com/kb/q260371/
> >
> > Ensure that DNS zones/domains are fully replicated to all DNS
> > servers for that (internal) zone/domain.
> >
> > Also useful may be running DCDiag on each DC, sending the
> > output to a text file, and searching for FAIL, ERROR, WARN.
> >
> > Single-label domain zone names are a problem. Google:
> > [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
> >
> > --
> > Herb Martin
>
> How does one domain "see" another domain? What sub-protocols are used (TCP,
> UDP, ?)? I assume it's some sort of broadcast?

For external trusts, they broadcast NetBIOS on the same subnet,
OR rendezvous through WINS (if you set them up) for those
on other subnets.

For a single forest, they rendezvous through DNS.
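As an added example (not part of the thread, and not Herb Martin's or Microsoft's own procedure), the PowerShell script below collects in one pass the evidence the two replies above ask for: whether a DC for the remote domain can be located by NetBIOS name and by DNS name (the two rendezvous paths Herb contrasts), the trust and secure-channel state, the remote domain's DC-locator SRV record resolved through the local DNS forwarding chain, and a dcdiag report per local DC filtered for FAIL/ERROR/WARN lines. The names DOMAINB and domainb.local and the output folder are placeholders and must be changed; nltest and dcdiag are the Support Tools utilities the thread already mentions, while Resolve-DnsName exists only on Windows 8 / Server 2012 and later (on a 2003-era host substitute `nslookup -type=SRV`).

```powershell
# Added example, not from the thread. Assumptions: the remote domain is
# DOMAINB (NetBIOS) / domainb.local (DNS); run on a Domain A machine as an
# account that is an admin in both domains, as the original poster is.
$RemoteNetbios = 'DOMAINB'
$RemoteDns     = 'domainb.local'
$OutDir        = Join-Path $env:TEMP 'ad-trust-diag'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Step {
    # Run one check, echo its output and keep a copy to attach to a thread or ticket.
    param([string]$Name, [scriptblock]$Command)
    Write-Host "`n== $Name =="
    & $Command 2>&1 | Tee-Object -FilePath (Join-Path $OutDir "$Name.txt")
}

# 1. DC location. An external (NT4-style) trust is located by NetBIOS name,
#    via broadcast on the local subnet or via WINS; a forest uses DNS SRV
#    records. If the /netbios call fails with ERROR_NO_SUCH_DOMAIN (1355)
#    while the /dns call succeeds, the fault is WINS/NetBIOS, not permissions.
Save-Step 'dsgetdc-netbios' { nltest /dsgetdc:$RemoteNetbios /netbios }
Save-Step 'dsgetdc-dns'     { nltest /dsgetdc:$RemoteDns /dns }

# 2. Trust state: every trust this domain knows about, then a secure-channel
#    verification against the remote domain.
Save-Step 'domain-trusts' { nltest /domain_trusts /all_trusts }
Save-Step 'sc-verify'     { nltest /sc_verify:$RemoteNetbios }

# 3. DNS forwarding check. In the thread, clients use Domain B's DNS, which
#    forwards to Domain A's. The remote domain's DC-locator SRV record must
#    resolve through that chain; NXDOMAIN here means the forwarder is broken.
Save-Step 'srv-lookup' {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDns" -Type SRV |
        Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize | Out-String
}

# 4. dcdiag against every DC of the local domain, one report file per DC,
#    then the FAIL/ERROR/WARN grep Herb suggests. DCs are enumerated with the
#    .NET AD API so no extra PowerShell module is required.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }
foreach ($dc in $dcs) {
    $report = Join-Path $OutDir "dcdiag-$dc.txt"
    dcdiag /s:$dc /v 2>&1 | Out-File -FilePath $report -Encoding ascii
    Write-Host "`n== $dc : dcdiag lines mentioning fail/error/warn =="
    Select-String -Path $report -Pattern 'fail|error|warn' |
        ForEach-Object { $_.Line.Trim() } | Select-Object -Unique
}
Write-Host "`nReports saved under $OutDir"
```

Read the results in order: step 1 separates a name-resolution failure from an authentication or permission failure before anything else is touched, which is the distinction Herb draws; step 4 deliberately runs dcdiag without /fix so the first pass only records the state of each DC, and the `nltest /dsregdns /server:` and `dcdiag /fix` commands from the thread can be applied afterwards once the reports show what is actually wrong.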