Trust between forests - Windows 2000

Guest
Archived from groups: microsoft.public.win2000.security

Hi,
Does Windows 2000 Active Directory allow you to establish a trust between
forests? Or is there a trick to allow that? Thanks.
Seeker01
 
Guest

seeker01 wrote:
> Hi,
> Does Windows 2000 Active Directory allow you to establish a trust between
> forests? Or is there a trick to allow that? Thanks.
> Seeker01

No, domain to domain trusts between forests (uswa NTLM for
authentication and is non-transitive) are supported but that doesn't
equate to the two entire forests trusting one another. It is supported
with Windows Server 2003 (uses Kerberos for authentication and is
transitive between the domains in either forest) assuming something
known as the "forest functional level" is set to Windows 2003 Native.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
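The distinction drawn in the reply above (a Windows 2000 external trust between two domains, non-transitive and NTLM-based, versus a Windows Server 2003 forest trust, transitive and Kerberos-capable) is recorded on the trustedDomain object each domain keeps under CN=System. The decoder below is an added example, not code from the thread or from Microsoft: it reads the three integer attributes (trustType, trustDirection, trustAttributes) as an LDAP client would return them, classifies the trust, and flags outbound external trusts whose SID-filtering (quarantine) bit is clear. The flag values are the ones documented in MS-ADTS; the sample entries and domain names are constructed for the example.

```python
"""Classify Active Directory trustedDomain objects (added example)."""
from dataclasses import dataclass
from itertools import product

# trustType values (MS-ADTS)
TRUST_TYPE_DOWNLEVEL = 1   # Windows NT 4.0 domain
TRUST_TYPE_UPLEVEL = 2     # Active Directory domain
TRUST_TYPE_MIT = 3         # non-Windows Kerberos realm

# trustDirection values, relative to the local domain
DIRECTION_NAMES = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes flag bits
TA_NON_TRANSITIVE = 0x01
TA_UPLEVEL_ONLY = 0x02
TA_QUARANTINED_DOMAIN = 0x04   # SID filtering enforced (netdom trust ... /quarantine:yes)
TA_FOREST_TRANSITIVE = 0x08    # Windows Server 2003 forest trust
TA_CROSS_ORGANIZATION = 0x10   # selective authentication
TA_WITHIN_FOREST = 0x20
TA_TREAT_AS_EXTERNAL = 0x40


@dataclass(frozen=True)
class TrustSummary:
    partner: str
    kind: str            # "intra-forest", "forest", "realm" or "external"
    direction: str       # relative to the local domain
    transitive: bool
    auth: str            # protocol the trust can carry
    downlevel: bool      # partner is a Windows NT 4.0 domain
    sid_filtering: bool  # quarantine bit; meaningful for external trusts only
    selective_auth: bool


def classify_trust(entry: dict) -> TrustSummary:
    """Map one trustedDomain object (raw integer attribute values) to a summary."""
    ta = entry["trustAttributes"]
    tt = entry["trustType"]
    if ta & TA_WITHIN_FOREST:
        kind, transitive, auth = "intra-forest", True, "Kerberos or NTLM"
    elif ta & TA_FOREST_TRANSITIVE:
        # Forest trust: transitive across every domain of both forests.
        kind, transitive, auth = "forest", True, "Kerberos or NTLM"
    elif tt == TRUST_TYPE_MIT:
        kind, transitive, auth = "realm", not ta & TA_NON_TRANSITIVE, "Kerberos"
    else:
        # External trust (Windows 2000 trust between domains in different
        # forests, or a trust to an NT 4.0 domain): never transitive, NTLM only.
        kind, transitive, auth = "external", False, "NTLM"
    return TrustSummary(
        partner=entry["cn"],
        kind=kind,
        direction=DIRECTION_NAMES.get(entry["trustDirection"], "unknown"),
        transitive=transitive,
        auth=auth,
        downlevel=(tt == TRUST_TYPE_DOWNLEVEL),
        sid_filtering=bool(ta & TA_QUARANTINED_DOMAIN),
        selective_auth=bool(ta & TA_CROSS_ORGANIZATION),
    )


def audit_external_trusts(entries) -> list:
    """One finding per external trust we rely on (outbound or two-way) whose
    quarantine bit is clear: without SID filtering the trusting domain honours
    SIDs from outside the trusted domain (for example via sIDHistory)."""
    findings = []
    for s in map(classify_trust, entries):
        if s.kind == "external" and s.direction in ("outbound", "bidirectional") \
                and not s.sid_filtering:
            findings.append(f"{s.partner}: external trust without SID filtering")
    return findings


def external_trusts_needed(forest_a, forest_b):
    """Domain pairs that each need their own external trust so that every
    domain of forest A reaches every domain of forest B; a single forest
    trust would cover all of them."""
    return sorted(product(sorted(forest_a), sorted(forest_b)))


# Constructed sample values (not captured from a real directory).
SAMPLE_TRUSTS = [
    {"cn": "NTCORP", "trustType": 1, "trustDirection": 2, "trustAttributes": 0x4},
    {"cn": "radius.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x4},
    {"cn": "partner.example", "trustType": 2, "trustDirection": 2, "trustAttributes": 0x0},
    {"cn": "corp2003.example", "trustType": 2, "trustDirection": 3, "trustAttributes": 0x8},
]

if __name__ == "__main__":
    for e in SAMPLE_TRUSTS:
        print(classify_trust(e))
    print(audit_external_trusts(SAMPLE_TRUSTS))
    print(external_trusts_needed({"corp.example", "eu.corp.example"}, {"radius.example"}))
```

To run it against a real domain, feed it the trustedDomain objects returned by an LDAP search of CN=System,DC=... with those three attributes. Forest trusts filter SIDs by default and record any relaxation differently (netdom /enablesidhistory), so the audit deliberately looks only at external trusts.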
 
Guest

Thanks Dean. This is so disappointing. I was obviously misled by the TechNet
article "Managing Trusts".

"Dean Wells [MVP]" wrote:

> seeker01 wrote:
> > Hi,
> > Does Windows 2000 Active Directory allow you to establish a trust between
> > forests? Or is there a trick to allow that? Thanks.
> > Seeker01
>
> No, domain to domain trusts between forests (uswa NTLM for
> authentication and is non-transitive) are supported but that doesn't
> equate to the two entire forests trusting one another. It is supported
> with Windows Server 2003 (uses Kerberos for authentication and is
> transitive between the domains in either forest) assuming something
> known as the "forest functional level" is set to Windows 2003 Native.
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

Hi Dean,
My company still uses an NT4 domain, and I have set up a Windows 2000 AD that
merely runs Cisco RADIUS servers as a shared service application that
authenticates many other companies. I can't run Windows 2003 AD because the Cisco
RADIUS server does not support Windows 2003. It is a one-way trust I have set up
between the NT4 domain and the Windows 2000 AD. In a few months, the NT4 domain will be
upgraded to Windows 2003 AD. Do you know if I can set up a forest trust between
Windows 2003 AD and Windows 2000 AD? Thanks heaps. Rgds, seeker01

"seeker01" wrote:

> Thanks Dean. This is so disappointing. I was obviously misled by the TechNet
> article "Managing Trusts".
>
> "Dean Wells [MVP]" wrote:
>
> > seeker01 wrote:
> > > Hi,
> > > Does Windows 2000 Active Directory allow you to establish a trust between
> > > forests? Or is there a trick to allow that? Thanks.
> > > Seeker01
> >
> > No, domain to domain trusts between forests (uswa NTLM for
> > authentication and is non-transitive) are supported but that doesn't
> > equate to the two entire forests trusting one another. It is supported
> > with Windows Server 2003 (uses Kerberos for authentication and is
> > transitive between the domains in either forest) assuming something
> > known as the "forest functional level" is set to Windows 2003 Native.
> >
> > --
> > Dean Wells [MVP / Directory Services]
> > MSEtechnology
> > [[ Please respond to the Newsgroup only regarding posts ]]
> > R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

> No, domain to domain trusts between forests (uswa NTLM for
> authentication and is non-transitive) are supported but that doesn't
> equate to the two entire forests trusting one another. It is
> supported with Windows Server 2003 (uses Kerberos for authentication
> and is transitive between the domains in either forest) assuming
> something known as the "forest functional level" is set to Windows
> 2003 Native.

<GRIN> uswa = uses (missed by 1 column)

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

seeker01 wrote:
> Thanks Dean. This is so disappointing. I was obviously misled by the
> TechNet article "Managing Trusts".
>
> "Dean Wells [MVP]" wrote:
>
>> seeker01 wrote:
>>> Hi,
>>> Does Windows 2000 Active Directory allow you to establish a trust between
>>> forests? Or is there a trick to allow that? Thanks.
>>> Seeker01
>>
>> No, domain to domain trusts between forests (uswa NTLM for
>> authentication and is non-transitive) are supported but that doesn't
>> equate to the two entire forests trusting one another. It is
>> supported with Windows Server 2003 (uses Kerberos for authentication
>> and is transitive between the domains in either forest) assuming
>> something known as the "forest functional level" is set to Windows
>> 2003 Native.
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l

Which aspects of cross-forest trust do you require that are not met by
domain to domain trusts between forests? This may simply be a
misunderstanding of terminology ... feel free to paste the pertinent
piece(s) of the article you're referencing.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

from "Table 1.20 Trust Management Tasks and Procedures"

Tasks
====
Create an external trust (between a Windows 2000 domain and a Windows NT 4.0
domain, or between domains in different forests).
Procedures
=======
Create a One-way Trust (MMC Method).
Create a One-way Trust (Netdom.exe Method).
Create a Two-way Trust (MMC Method).
Create a Two-way Trust (Netdom.exe Method).
Tools
===
Active Directory Domains and Trusts (Windows 2000)
-Or-
Netdom.exe
User Manager for Domains (Windows NT 4.0)
Frequency
=======
As needed

"Dean Wells [MVP]" wrote:

> seeker01 wrote:
> > Thanks Dean. This is so disappointing. I was obviously misled by the
> > TechNet article "Managing Trusts".
> >
> > "Dean Wells [MVP]" wrote:
> >
> >> seeker01 wrote:
> >>> Hi,
> >>> Does Windows 2000 Active Directory allow you to establish a trust between
> >>> forests? Or is there a trick to allow that? Thanks.
> >>> Seeker01
> >>
> >> No, domain to domain trusts between forests (uswa NTLM for
> >> authentication and is non-transitive) are supported but that doesn't
> >> equate to the two entire forests trusting one another. It is
> >> supported with Windows Server 2003 (uses Kerberos for authentication
> >> and is transitive between the domains in either forest) assuming
> >> something known as the "forest functional level" is set to Windows
> >> 2003 Native.
> >>
> >> --
> >> Dean Wells [MVP / Directory Services]
> >> MSEtechnology
> >> [[ Please respond to the Newsgroup only regarding posts ]]
> >> R e m o v e t h e m a s k t o s e n d e m a i l
>
> Which aspects of cross-forest trust do you require that are not met by
> domain to domain trusts between forests? This may simply be a
> misunderstanding of terminology ... feel free to paste the pertinent
> piece(s) of the article you're referencing.
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
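The "Netdom.exe Method" rows in the table above are the procedure for exactly the kind of trust the thread is discussing: one domain in the Windows 2000 forest trusting one domain in another forest. The script below is an added example, not from the thread or from the TechNet article it quotes. It creates the one-way external trust, verifies it, turns on SID filtering on the trusting side, and lists the result. The domain names and the Administrator accounts are placeholders; the /quarantine switch is assumed to need the Windows Server 2003 support-tools build of netdom, since the Windows 2000 build does not offer it.

```powershell
# Added example: create, verify and harden a one-way external trust with netdom.exe.
$ErrorActionPreference = 'Stop'

$Trusting = 'radius.example'    # Windows 2000 AD domain that will honour the other side's users
$Trusted  = 'corp2003.example'  # domain whose users need the RADIUS service (placeholder)

function Invoke-Netdom {
    param([string[]]$NetdomArgs)
    # netdom.exe signals failure through its exit code, not a PowerShell exception
    & netdom.exe @NetdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom $($NetdomArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. One-way external trust: $Trusting trusts $Trusted (add '/twoway' for the
#    two-way procedure in the table). '*' makes netdom prompt for each password
#    so no credential lands in the shell history.
Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/add',
                "/Ud:$Trusted\Administrator", '/Pd:*',
                "/Uo:$Trusting\Administrator", '/Po:*')

# 2. Confirm the trust's secure channel actually works before relying on it.
Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/verify')

# 3. SID filtering on the trusting side: SIDs that do not belong to $Trusted are
#    dropped from tokens arriving over this trust. Assumed to require the Windows
#    Server 2003 netdom; older builds lack /quarantine.
Invoke-Netdom @('trust', $Trusting, "/d:$Trusted", '/quarantine:yes')

# 4. Show what the DC now records for every trust (type, direction, attributes).
& nltest.exe /domain_trusts /all_trusts /v
```

Because an external trust links exactly one domain to one other domain, a forest with several domains on either side needs this run once per domain pair that must authenticate across the boundary; that is the extra work a Windows Server 2003 forest trust removes.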
 
Guest

seeker01 wrote:
> from "Table 1.20 Trust Management Tasks and Procedures"
>
> Tasks
> ====
> Create an external trust (between a Windows 2000 domain and a Windows
> NT 4.0 domain, or between domains in different forests).
> Procedures
> =======
> Create a One-way Trust (MMC Method).
> Create a One-way Trust (Netdom.exe Method).
> Create a Two-way Trust (MMC Method).
> Create a Two-way Trust (Netdom.exe Method).
> Tools
> ===
> Active Directory Domains and Trusts (Windows 2000)
> -Or-
> Netdom.exe
> User Manager for Domains (Windows NT 4.0)
> Frequency
> =======
> As needed
>
> "Dean Wells [MVP]" wrote:

The article is entirely accurate. As I mentioned in my original reply,
you CAN create trusts between domains in different forests using Windows
2000 but not between entire forests ... it is possible that there's an
aspect of the Windows 2003 cross-forest trust capability that you
require, but you haven't alluded to it as yet. My guess is that the
standard domain to domain trusts (external) between forests supported by
Windows 2000 will suffice ... but, without further information, that is
just a guess.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

seeker01 wrote:
> Hi Dean,
> My company still uses an NT4 domain, and I have set up a Windows 2000 AD
> that merely runs Cisco RADIUS servers as a shared service application
> that authenticates many other companies. I can't run Windows 2003 AD
> because the Cisco RADIUS server does not support Windows 2003. It is a
> one-way trust I have set up between the NT4 domain and the Windows 2000 AD.
> In a few months, the NT4 domain will be upgraded to Windows 2003 AD. Do you
> know if I can set up a forest trust between Windows 2003 AD and
> Windows 2000 AD? Thanks heaps. Rgds, seeker01
>
> "seeker01" wrote:
>
>> Thanks Dean. This is so disappointing. I was obviously misled by the
>> TechNet article "Managing Trusts".
>>
>> "Dean Wells [MVP]" wrote:
>>
>>> seeker01 wrote:
>>>> Hi,
>>>> Does Windows 2000 Active Directory allow you to establish a trust between
>>>> forests? Or is there a trick to allow that? Thanks.
>>>> Seeker01
>>>
>>> No, domain to domain trusts between forests (uswa NTLM for
>>> authentication and is non-transitive) are supported but that doesn't
>>> equate to the two entire forests trusting one another. It is
>>> supported with Windows Server 2003 (uses Kerberos for
>>> authentication and is transitive between the domains in either
>>> forest) assuming something known as the "forest functional level"
>>> is set to Windows 2003 Native.
>>>
>>> --
>>> Dean Wells [MVP / Directory Services]
>>> MSEtechnology
>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>> R e m o v e t h e m a s k t o s e n d e m a i l

Again, no ... but this is almost certainly a question of terminology and
nothing more at this point. You CAN create a trust (near identical to
the one you currently have) between a single domain in the 2000 forest
and a single domain in the proposed 2003 forest. If either forest has
more than one domain and trust relationships are required for those also
then you'll need to create additional trust relationships.

PS - Does the RADIUS server you're using impose a requirement that it
MUST run on a Domain Controller?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

Thanks Dean. It is not a requirement for the RADIUS server to run on a DC.
Management prefers that because they want to save on hardware cost.

"Dean Wells [MVP]" wrote:

> seeker01 wrote:
> > Hi Dean,
> > My company still uses an NT4 domain, and I have set up a Windows 2000 AD
> > that merely runs Cisco RADIUS servers as a shared service application
> > that authenticates many other companies. I can't run Windows 2003 AD
> > because the Cisco RADIUS server does not support Windows 2003. It is a
> > one-way trust I have set up between the NT4 domain and the Windows 2000 AD.
> > In a few months, the NT4 domain will be upgraded to Windows 2003 AD. Do you
> > know if I can set up a forest trust between Windows 2003 AD and
> > Windows 2000 AD? Thanks heaps. Rgds, seeker01
> >
> > "seeker01" wrote:
> >
> >> Thanks Dean. This is so disappointing. I was obviously misled by the
> >> TechNet article "Managing Trusts".
> >>
> >> "Dean Wells [MVP]" wrote:
> >>
> >>> seeker01 wrote:
> >>>> Hi,
> >>>> Does Windows 2000 Active Directory allow you to establish a trust between
> >>>> forests? Or is there a trick to allow that? Thanks.
> >>>> Seeker01
> >>>
> >>> No, domain to domain trusts between forests (uswa NTLM for
> >>> authentication and is non-transitive) are supported but that doesn't
> >>> equate to the two entire forests trusting one another. It is
> >>> supported with Windows Server 2003 (uses Kerberos for
> >>> authentication and is transitive between the domains in either
> >>> forest) assuming something known as the "forest functional level"
> >>> is set to Windows 2003 Native.
> >>>
> >>> --
> >>> Dean Wells [MVP / Directory Services]
> >>> MSEtechnology
> >>> [[ Please respond to the Newsgroup only regarding posts ]]
> >>> R e m o v e t h e m a s k t o s e n d e m a i l
>
> Again, no ... but this is almost certainly a question of terminology and
> nothing more at this point. You CAN create a trust (near identical to
> the one you currently have) between a single domain in the 2000 forest
> and a single domain in the proposed 2003 forest. If either forest has
> more than one domain and trust relationships are required for those also
> then you'll need to create additional trust relationships.
>
> PS - Does the RADIUS server you're using impose a requirement that it
> MUST run on a Domain Controller?
>
> --
> Dean Wells [MVP / Directory Services]
> MSEtechnology
> [[ Please respond to the Newsgroup only regarding posts ]]
> R e m o v e t h e m a s k t o s e n d e m a i l
 
Guest

seeker01 wrote:
> Thanks Dean. It is not a requirement for the RADIUS server to run on a DC.
> Management prefers that because they want to save on hardware cost.
>
>>
>> Again, no ... but this is almost certainly a question of terminology
>> and nothing more at this point. You CAN create a trust (near
>> identical to the one you currently have) between a single domain in
>> the 2000 forest and a single domain in the proposed 2003 forest. If
>> either forest has more than one domain and trust relationships are
>> required for those also then you'll need to create additional trust
>> relationships.
>>
>> PS - Does the RADIUS server you're using impose a requirement that it
>> MUST run on a Domain Controller?
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l

That being the case, a Windows 2000 domain member could continue to run
the RADIUS service while both forests run with solely Windows 2003
Domain Controllers thereby allowing a Cross-forest trust to be created.
However, I'll take your lack of response to my other questions as
indication that an external trust will suffice.

Hope all this was of use.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l