creating one way trust

Discussion in 'Active Directory' started by dkblee, Jun 8, 2009.

  1. dkblee

    dkblee Guest

    Hi both! Thanks for the reply and explanation.

    I'll start to move out the schema owner and domain role owner from the win2k
    svr.

    For the trust, the head office is trusting us. So, in my AD Domains and Trusts,
    should I raise the forest functional level or the domain functional level?
     
    dkblee, Jun 10, 2009
    #21

  2. FYI: Forest trusts (two-way forest trusts) require a minimum of 2003
    functional levels on both forests.
    FYI: A one-way trust is an NTLM trust between two domains, not forests, so
    it doesn't require raising the levels, but I would still raise it once the
    2000 DCs are gone.

    If you still have a 2000 DC in your network, you can't raise the domain
    level to 2003 until it's gone. Then I would suggest raising it whether it's
    needed for a trust or not.

    Also, the procedure is to raise all domains up first, then the forest. If you
    try to do the forest first, it will tell you it can't until all domains in
    the forest have been raised.

    But the 2000 DC has to be gone before raising it, and since you only want a
    one-way trust, it's not a requirement in your case.

    If they are trusting you, then you can access their resources.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 10, 2009
    #22
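The ordering Ace describes (no Windows 2000 DC left, every domain raised, then the forest) can be checked and driven from a script. The following is an added example for this thread, not code posted by anyone in it; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and Enterprise Admins rights, and the function name Invoke-FunctionalLevelRaise is an assumed one. It is a dry run unless -Apply is given.

```powershell
# Added example, not code from the thread. Checks and (optionally) raises
# functional levels in the order described above: every domain first, then the
# forest, and only after no Windows 2000 DC remains. Assumes the
# ActiveDirectory module and Enterprise Admins rights; function name is assumed.
Import-Module ActiveDirectory

function Invoke-FunctionalLevelRaise {
    param([switch]$Apply)   # without -Apply nothing is changed, only reported

    $forest = Get-ADForest
    Write-Host "Forest $($forest.Name) is at $($forest.ForestMode)"
    $allDomainsReady = $true
    $target2003Domain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    $target2003Forest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # A Windows 2000 DC anywhere in the domain blocks the raise to 2003.
        $oldDCs = Get-ADDomainController -Filter * -Server $domainName |
            Where-Object { $_.OperatingSystem -like '*2000*' }
        if ($oldDCs) {
            Write-Warning ("{0}: Windows 2000 DCs still present ({1}); demote them first" -f
                $domainName, ($oldDCs.HostName -join ', '))
            $allDomainsReady = $false
            continue
        }

        if ([int]$domain.DomainMode -ge [int]$target2003Domain) {
            Write-Host "$domainName already at $($domain.DomainMode)"
            continue
        }

        if ($Apply) {
            Set-ADDomainMode -Identity $domainName -DomainMode Windows2003Domain -Confirm:$false
            Write-Host "$domainName raised to Windows2003Domain"
        } else {
            Write-Host "Would raise $domainName from $($domain.DomainMode) to Windows2003Domain"
        }
    }

    # The forest level goes last, and only once every domain is ready;
    # AD itself refuses the forest raise while any domain lags behind.
    if (-not $allDomainsReady) {
        Write-Warning "Not all domains are ready; forest left at $($forest.ForestMode)"
        return
    }
    if ([int]$forest.ForestMode -ge [int]$target2003Forest) {
        Write-Host "Forest already at $($forest.ForestMode)"
        return
    }
    if ($Apply) {
        Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest -Confirm:$false
        Write-Host "Forest $($forest.Name) raised to Windows2003Forest"
    } else {
        Write-Host "Would raise forest $($forest.Name) to Windows2003Forest"
    }
}

Invoke-FunctionalLevelRaise            # report only
# Invoke-FunctionalLevelRaise -Apply   # raise for real
```

Raising a functional level is one-way, so run the report first and confirm every DC listed is one you expect; a demoted-but-not-cleaned-up 2000 DC still shows up as a DC object and will block the raise until its metadata is removed.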

  3. Jorge Silva

    Jorge Silva Guest

    Hi
    I will not "stress" the conversation with one more opinion. I'll wait and
    hope that everything goes OK based on the help that you're getting from
    others. Just keep in mind the basic stuff: DNS must be properly set up, and if
    firewalls are active between the forests you must open the proper ports. After this,
    everything should run OK. Remember, this is a very easy thing to do (although
    it doesn't sound like it with all these recommendations :) ).
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MVP Directory Services
     
    Jorge Silva, Jun 11, 2009
    #23
  4. dkblee

    dkblee Guest

    hi! I've set up a lab to simulate the roles transfer before doing it on the
    actual system. I've successfully moved all 5 roles from the win2k DC to
    one of the win2003 DCs. (I have not run dcpromo to demote the win2k DC.)

    The problem I noticed now is that the replication between sites prompted me
    with these errors:

    Error 1
    "The following error occurred during the attempt to sync from dc1 to dc2:
    The naming context is in the process of being removed or is not replicated from
    the specified server." (not sure what this is)

    Error 2
    "The following error occurred during the attempt to contact the DC dc3. The
    RPC server is unavailable.
    This condition may be caused by a DNS lookup problem." (I did an nslookup on
    all the DCs and it has no problem resolving the names.)

    When the test user I created tries to log in to the test domain PCs, it
    prompts me with the message "The local policy of this system does not permit you
    to log on interactively" (it was OK before I moved the roles).

    I've no problem joining PCs to the domain, and the user created manually in
    the AD is also "replicated" to the rest of the AD. Just that when I do a
    manual replication, it fails with the 2 errors above.

    Please advise. Thanks.
     
    dkblee, Jun 12, 2009
    #24
  6. Hello dkblee,

    Please post an unedited ipconfig /all from all DCs. See here about one of
    the errors:
    http://support.microsoft.com/kb/319202

    It sounds like DNS issue.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 12, 2009
    #26

  7. It sure sounds like traffic is being blocked or affected between the DCs.

    With error 2, what is the record it's trying to look up? It should be in the
    error message. Do an nslookup for THAT record. It may be a GUID alias it is
    looking for.

    After 3 weeks now, do you think your boss will change his mind to go for a
    Microsoft support call? You have to get this working... What location are
    you in? It's only USD $250 for the call and they will take as much time as
    they need to fix it for you all for the one charge.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 12, 2009
    #27
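The "GUID alias" Ace refers to is the CNAME record <DSA GUID>._msdcs.<forest root> that a replication partner resolves before it opens the RPC connection, which is why a DNS fault shows up as "The RPC server is unavailable". The script below is an added example for this thread, not something posted in it: for every DC it builds that CNAME from the DC's NTDS Settings objectGUID, resolves it, and tests that TCP 135 (the RPC endpoint mapper) answers. It assumes the ActiveDirectory module, that the machine it runs on uses the AD-integrated DNS servers, and the assumed function name Test-DcReplicationPrereqs.

```powershell
# Added example, not code from the thread. For each DC in the forest, resolve
# the DSA GUID CNAME in _msdcs (what replication partners look up) and check
# that the RPC endpoint mapper (TCP 135) is reachable. Assumes the
# ActiveDirectory module and AD-integrated DNS; function name is assumed.
Import-Module ActiveDirectory

function Test-DcReplicationPrereqs {
    $forest  = Get-ADForest
    $results = @()

    foreach ($domainName in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            # The DSA GUID is the objectGUID of the DC's NTDS Settings object
            # (configuration partition, so any DC in the forest can answer).
            $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
            $cname = "$($ntds.ObjectGUID)._msdcs.$($forest.RootDomain)"

            # GetHostEntry follows the CNAME; HostName is the canonical target.
            $resolvedTo = $null
            try { $resolvedTo = [System.Net.Dns]::GetHostEntry($cname).HostName } catch { }

            # Replication starts at the endpoint mapper; a firewall dropping 135
            # (or the dynamic RPC port it hands out) gives the same RPC error.
            $rpcOpen = $false
            $client  = New-Object System.Net.Sockets.TcpClient
            try {
                $async = $client.BeginConnect($dc.HostName, 135, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne(3000)) {
                    $client.EndConnect($async)
                    $rpcOpen = $true
                }
            } catch { } finally { $client.Close() }

            $results += [pscustomobject]@{
                DC         = $dc.HostName
                Domain     = $domainName
                GuidCname  = $cname
                ResolvesTo = $resolvedTo
                Rpc135     = $rpcOpen
            }
        }
    }
    $results
}

Test-DcReplicationPrereqs | Format-Table -AutoSize
```

A row with an empty ResolvesTo means the _msdcs record is missing or the DNS server being queried is not the AD-integrated one (compare with the ipconfig /all Meinolf asked for); a row with Rpc135 false points at a firewall or a stopped RPC service on that DC. This only covers the endpoint mapper, so a firewall that passes 135 but blocks the dynamic RPC port range would still pass here and fail in repadmin.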
