Connecting two Server 2003 Forests - insights gratefully received.

Hi,

I have two server 2003 forests at 2003 domain and forest functional levels
and I wish to allow users in one forest to be allowed access to resources in
the other forest.

My understanding is that this is a one way trust. However when I create the
trust (which works) I find that my XP users in the trusted forest have the
choice of logging into the local machine, forest 1 (local) and forest 2
(trusting).

Is there any way of establishing the trust whilst hiding or not displaying
the trusted domain name.

I hope that makes sense! - Desired state below!

Forest 1
users access resources on forest 1 and forest 2
users can only login to forest 1 and local machine

Forest 2
users access resources on forest 2 only
users can only login to forest 2 and local machine

Internet access for both domains is provided by an ISA server in forest 2. I
wish to turn on authentication without users in forest 1 being prompted for
authentication.

Additionally we have a IIS server containing sensitive information that
users from both forests need to access, my users currently have to login
using forest2\username and our Exchange 2003 OWA is the same. It would be
nice if we could drop the forest2\ bit.

Comments appreciated.

Andy.

Users can only log into the domain where their accounts are. If someone in
forest 1 tried to log into their account but specified forest 2, the login
would fail since their account doesn't exist in forest 2.

For the IIS/OWA servers, which forest are they in?

Steve Riley
(E-Mail Removed)



> Hi,
>
> I have two server 2003 forests at 2003 domain and forest functional
> levels and I wish to allow users in one forest to be allowed access to
> resources in the other forest.
>
> My understanding is that this is a one way trust. However when I
> create the trust (which works) I find that my XP users in the trusted
> forest have the choice of logging into the local machine, forest 1
> (local) and forest 2 (trusting).
>
> Is there any way of establishing the trust whilst hiding or not
> displaying the trusted domain name.
>
> I hope that makes sense! - Desired state below!
>
> Forest 1
> users access resources on forest 1 and forest 2
> users can only login to forest 1 and local machine
> Forest 2
> users access resources on forest 2 only
> users can only login to forest 2 and local machine
> Internet access for both domains is provided by an ISA server in
> forest 2. I wish to turn on authentication without users in forest 1
> being prompted for authentication.
>
> Additionally we have a IIS server containing sensitive information
> that users from both forests need to access, my users currently have
> to login using forest2\username and our Exchange 2003 OWA is the same.
> It would be nice if we could drop the forest2\ bit.
>
> Comments appreciated.
>
> Andy.
>

"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Users can only log into the domain where their accounts are. If someone in
> forest 1 tried to log into their account but specified forest 2, the login
> would fail since their account doesn't exist in forest 2.
>
> For the IIS/OWA servers, which forest are they in?
>
> Steve Riley
> (E-Mail Removed)
>
>
>
Our Exchange/OWA and IIS servers are in forest 2.

Thanks for the comment re cross forest logins, what I don't understand is
why both forests are available in the pull down menu when the user can only
login to one forest.

Andy.

It is showing "all Domains",...it is not attempting to show only Domains the
user can use.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Andy" <(E-Mail Removed)> wrote in message
news:cu04du$7ih$(E-Mail Removed)...
>
> "Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Users can only log into the domain where their accounts are. If someone
in
> > forest 1 tried to log into their account but specified forest 2, the
login
> > would fail since their account doesn't exist in forest 2.
> >
> > For the IIS/OWA servers, which forest are they in?
> >
> > Steve Riley
> > (E-Mail Removed)
> >
> >
> >
> Our Exchange/OWA and IIS servers are in forest 2.
>
> Thanks for the comment re cross forest logins, what I don't understand is
> why both forests are available in the pull down menu when the user can
only
> login to one forest.
>
> Andy.
>
>

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> It is showing "all Domains",...it is not attempting to show only Domains
the
> user can use.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>

Phillip,

Is there a way of restricting the list of domains displayed? or perhaps
permanently setting it to one fixed domain?

Andy.

Andy>Is there a way of restricting the list of domains displayed?

Not unless you instruct users logon with a UPN suffix which will gray out
this domain field.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights