Archived from groups: microsoft.public.win2000.active_directory
"Serverdude" <Serverdude@discussions.microsoft.com> wrote in message
news:170824DE-27D5-4D2A-A036-5CE00984D08E@microsoft.com...
> Thanks Herb. More info for you below ...
>
> > "Serverdude" <Serverdude@discussions.microsoft.com> wrote in message
> > news:F20848E5-B818-4BBE-A1F0-FCC35A425FB9@microsoft.com...
> > > I have 2 domains. Domain A is Windows 2000 with Active Directory. Domain B
> > > was Windows NT4. There is a one way trust between the domains (Domain A is
> > > the accounts (trusted) domain and domain B is the resource (trusting)
> > > domain). I converted domain B to Windows 2003 with AD. From "AD Domain
> > > Domains and Trusts", I see that the converted trust is an "external,
> > > non-transitive" trust (as expected). All cross domain functionality appears
> > > to work fine, except for the below.
> >
> > Can we presume you did NOT put the new AD domain in
> > the same forest?
> >
> Yes. We didn't want them in the same forest on purpose!

Usually a mistake if you actually plan to share resources or
admins but that is your choice.

Different domains means that the external trusts likely need
NetBIOS for the TRUSTS.

Probably still need DNS for general name resolution.

> > > I want to use "AD Users and
> > > Computer" from domain A to manage Domain B, but I cannot see the domain B as
> > > a choice. It also can't find Domain B when I entered it in the "location"
> > > portion. Domain A's "Domain Admin" is a member of domain B's "Administrator
> > > group" as is my personal account.
> >
> > External trusts still require NetBIOS name resolution.
> >
> > "Seeing" is not usually about permissions directly, although
> > it can be about authentication, it is usually about name resolution.
> >
> > Do you have more than one subnet?
> >
> Yes
>
> > Do you use WINS Servers?
> >
> Yes. The WINS Server is in Domain A and all servers point there.

So all servers in all domains are clients of this SAME
WINS server? (That's good.)

And all other machines probably should be too. And NetBIOS
must be on for the machines. (But that should gray out the
WINS server setting if you did that so likely you didn't.)

But if true, it doesn't solve the problem since it pretty much
eliminates the NetBIOS issue.

> > IF so, did you make ALL of the machines -- especially all DCs--
> > WINS clients?
> >
> Yes.
>
> > DNS might also play a role at times so review DNS as well:
> >
> >
> > --
> > DNS for AD
> > 1) Dynamic for the zone supporting AD
> Yes
>
> > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > that internal, dynamic DNS server (set.)
> Yes
>
> > 3) DCs and even DNS servers are DNS clients too -- see #2
>
> > 4) If you have more than one Domain, every DNS server must
> > be able to resolve ALL domains (either directly or indirectly)
> >
> All Servers and Clients are set to use Domain B's DNS server. DomainB's DNS
> Servers are set to forward DNS requests to DomainA's DNS servers for name
> resolution that it does not understand.

Are you really using Dynamic Update for Domain A DNS
on a Domain DNS machine?

That is an awkward method but if you didn't create any
mistakes it SHOULD work.

> > netdiag /fix
> >
> > ....or maybe:
> >
> > dcdiag /fix
> >
> I have used those tools before and they didn't do anything for me.

Humor me and run

DCDIAG /Fix > nameOfDC.txt

...on each DC. Fix or report all errors by loading the txt to this
thread.

> > (Win2003 can do this from Support tools):
> > nltest /dsregdns /server:DC-ServerNameGoesHere
> > http://support.microsoft.com/kb/q260371/
> >
> > Ensure that DNS zones/domains are fully replicated to all DNS
> > servers for that (internal) zone/domain.
> >
> > Also useful may be running DCDiag on each DC, sending the
> > output to a text file, and searching for FAIL, ERROR, WARN.
> >
> > Single Label domain zone names are a problem Google:
> > [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
> >
> > --
> > Herb Martin
>
> How does one domain "see" another domain? What sub protocols are used (TCP,
> UDP, ?) I assume it's some sort of broadcast?

For external Trusts, they broadcast NetBIOS on same subnet,
OR rendezvous through WINS (if you set them up) for those
on other subnets.

For a single Forest, they rendezvous through DNS.
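
An added example, not part of the original thread: one way to do the check suggested above (save DCDIAG output from each DC to a text file, then search it for FAIL, ERROR and WARN). The report text, DC names and file names are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample reports (not from the thread); DCA1/DCB1 are made-up DC names.
SAMPLE_REPORTS = {
    "DCA1.txt": """\
   Testing server: Default-First-Site-Name\\DCA1
      Starting test: Connectivity
         ......................... DCA1 passed test Connectivity
""",
    "DCB1.txt": """\
   Testing server: Default-First-Site-Name\\DCB1
      Starting test: Connectivity
         ......................... DCB1 passed test Connectivity
      Starting test: systemlog
         An Error Event occurred (constructed sample line)
         ......................... DCB1 failed test systemlog
      Starting test: frssysvol
         Warning: constructed sample warning text
         ......................... DCB1 passed test frssysvol
""",
}

RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
KEYWORD = re.compile(r"\b(fail\w*|error\w*|warn\w*)\b", re.IGNORECASE)
START = re.compile(r"\s*Starting test: (\S+)")

def scan_report(text):
    """Return (failed_tests, flagged_lines) for one saved DCDIAG report."""
    failed, flagged, current = [], [], None
    for number, line in enumerate(text.splitlines(), start=1):
        start = START.match(line)
        if start:
            current = start.group(1)  # remember which test the next lines belong to
            continue
        result = RESULT.search(line)
        if result and result.group(2) == "failed":
            failed.append(result.group(3))
        if KEYWORD.search(line):
            flagged.append((number, current, line.strip()))
    return failed, flagged

def summarize(reports):
    """Map report name -> failed tests and flagged lines; clean reports are omitted."""
    summary = {}
    for name, text in reports.items():
        failed, flagged = scan_report(text)
        if failed or flagged:
            summary[name] = {"failed": failed, "flagged": flagged}
    return summary
```

A test can report "passed" and still contain warning or error lines, which is why the flagged lines are kept separately from the failed-test list.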