W2k3 Forest to Forest trust

Discussion in 'Active Directory' started by NetNut, Feb 24, 2006.

  NetNut (Guest):

    I have:
    * 2 Windows 2003 Forests
    * Both Domain and Functional levels are at Windows 2003 mode
    * The production domain, let's call it CORP, is the trusted domain (names are
    just for reference)
    * The development domain, let's call it DEV, is the trusting domain (names are
    just for reference)
    * Both Forests are in the same campus on the same lan and in the same server

    I have created the forest trust, one way with Selective Authentication. I
    can validate the trust on both sides with no issue. In both domains I had a
    Standard Secondary DNS zone of the remote DNS domain. However, when I created
    the trusts I followed an example of such a task and I decided to use
    conditional forwarding. Seemed to work fine as I have CNAME records in the AD
    Integrated DNS zones pointing to servers in each remote domain and all worked
    fine after making the conditional forwarder change.

    However I have this issue now:

    1) I have a server called FS in the DEV domain. From the CORP domain I used
    to be able to navigate to it via "\\FS\Sharename". Now I cannot. I have to
    do so with this syntax: "\\FS.Dev.com\Sharename". I can still go to a cmd
    prompt and ping by the CNAME of "FS" and it works with no issues. If I remove
    the conditional forwarding and replace it with the Standard Secondary DNS
    zone again, then "\\FS\Sharename" works again.

    2) I have created global groups with accounts in the CORP domain. I also
    created universal groups and placed these global groups into them as members.
    On the DEV domain I have applied the universal groups to a share and
    that share's NTFS permissions. I set the universal group's share-level permissions
    to Full Control and then gave it Modify NTFS-level permissions on the
    directory that this share is for. When a user in CORP.com, who is a member of
    the global group, which is a member of this universal group, attempts to
    navigate to this share via "\\FS\Sharename" or "\\FS.Dev.com\Sharename" they
    get an error and a dialog box stating that there is "no text found for
    message...". They cannot get access to this share in the development

    Now the odd thing.. I, an enterprise admin in the CORP domain, can access
    the location. I am a member of one of three universal groups for this test.
    We will call it DEV_ADMINS. I added DEV_ADMINS to this DEV member server's
    Administrators group and that is why I pass straight through.

    I thought I would, as a test, add the group the normal user above is in to
    the local Administrators group on this same member server. Well, they get the
    same error. They cannot pass through. No access.

    2nd odd thing. If I change the authentication level of the trust on the
    trusting domain, the DEV domain in this case, to be a full forest trust (of
    the trusted domain), then the user who was originally denied above is granted

    My Goal.. I need to keep authentication set as selective authentication.

    Thank you in advance for your help.
    NetNut, Feb 24, 2006

  Jorge de Almeida Pinto [MVP]:

    > Seemed to work fine as I have CNAME records in the AD

    CNAME records pointing to other servers in each remote domain???? Not

    Conditional forwarding is OK, but make sure the DNS suffix search list
    contains both DNS domains, meaning the DNS suffix search list should contain
    DEV.COM and CORP.COM so that it is able to search a non-FQDN name (just
    server instead of server.domain.com) in both zones.
    So if I'm in CORP and I want to access FS in DEV.COM I can enter FS.DEV.COM
    and it will go through my DNS server to the other DNS server through
    conditional forwarding.
    If I just enter FS it does not know where it is, but it will append the
    suffixes in the DNS suffix search list. If my search list only contains
    CORP.COM it will append CORP.COM and search for FS.CORP.COM... Result...
    does not exist... the query fails. If it contains both CORP.COM and DEV.COM
    (depending on the order) it will first try FS.CORP.COM and if that fails it
    will try FS.DEV.COM.



    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    Jorge de Almeida Pinto [MVP], Feb 25, 2006
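
The following is an added example, not code from the thread or from either poster, scripting the setup Jorge describes from the CORP side: a conditional forwarder for DEV.COM on the CORP DNS server, a DNS suffix search list that contains both CORP.COM and DEV.COM, and a check that walks the search list in order the way the resolver does. The address 10.20.0.10 for the DEV DNS server is constructed. The DnsServer and DnsClient cmdlets used here need Windows Server 2012 or later (they do not exist on Windows Server 2003); the 2003-era equivalents (dnscmd.exe, the Tcpip\Parameters SearchList registry value, or the "DNS Suffix Search List" Group Policy setting) are noted in comments beside each step.

```powershell
# Added example (not from the thread). Run as an administrator on the CORP DNS
# server. Assumed/constructed values: DEV.COM's DNS server is 10.20.0.10.

$remoteZone = 'dev.com'
$remoteDns  = '10.20.0.10'              # constructed: DEV.COM DNS server
$searchList = @('corp.com', 'dev.com')  # order here = order the resolver tries

# 1. Conditional forwarder on the CORP DNS server for the DEV.COM zone, so
#    FS.dev.com queries are sent to DEV's DNS server instead of the root hints.
#    Windows Server 2003 equivalent:  dnscmd /ZoneAdd dev.com /Forwarder 10.20.0.10
if (-not (Get-DnsServerZone -Name $remoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteZone -MasterServers $remoteDns
}

# 2. DNS suffix search list containing BOTH zones. Without dev.com in the list,
#    a bare "FS" is only ever tried as FS.corp.com and fails.
#    In practice this is pushed by Group Policy (Computer Configuration >
#    Administrative Templates > Network > DNS Client > DNS Suffix Search List).
#    Windows Server 2003 equivalent: registry value
#    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList = "corp.com,dev.com"
Set-DnsClientGlobalSetting -SuffixSearchList $searchList

# 3. Reproduce the resolver's behaviour for a single-label name: append each
#    suffix in list order and stop at the first one that answers. This makes
#    the "FS.corp.com does not exist, FS.dev.com found" sequence visible.
function Test-SuffixResolution {
    param([Parameter(Mandatory)][string]$ShortName)

    foreach ($suffix in (Get-DnsClientGlobalSetting).SuffixSearchList) {
        $fqdn   = "$ShortName.$suffix"
        $answer = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
        if ($answer) {
            # CNAME FS -> real host is followed by the server; report the A record(s).
            $ips = ($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
            Write-Output ("{0} resolved as {1} -> {2}" -f $ShortName, $fqdn, $ips)
            return $fqdn
        }
        Write-Output ("{0} not found as {1}, trying next suffix" -f $ShortName, $fqdn)
    }
    Write-Output ("{0} not found with any suffix in the search list" -f $ShortName)
    return $null
}

Test-SuffixResolution -ShortName 'FS'
```

With only corp.com in the search list the function reports "FS not found as FS.corp.com" and then gives up, which is exactly the failure behind "\\FS\Sharename" no longer working; with dev.com appended it reports the fallback to FS.dev.com. The order of the list matters for speed (each miss costs a query) and for name collisions: if both forests ever host a server with the same short name, the first suffix wins, so put the local zone first as above.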