Cross Domain Authentication Problem

Patrick G.
11-07-2006, 06:39 PM
Please excuse the cross posting but I received no response from Windows 2000
Networking.

I have 2 Domains/Forests in one physical location joined through an internal
router. My first Domain (Domain A) was originally set up with a W2K and
Exchange 2K single DC (DCA1). Later on a second W2K DC was added (DCA2).

My second Domain (Domain B) was originally set up with a single NT 4.0 DC
and a trust was set up between Domain A and Domain B. Domain B was
eventually upgraded to W2K with no problems.

Recently we decided to migrate to Exchange 2003 on a W2K3 server in Domain
A. Rather than an upgrade we added a completely new server for W2K3/Exch2003
(DCA3) and migrated everything from the W2K/Exch2000 server to the new
W2K3/Exch2003 server including all the AD Master roles. The original DCA1
server was also the only WINS server in the Domain so we set up WINS and WINS
Replication on DCA2. DNS is set up on all DCs.

We want to remove DCA1 from the network and redeploy for other use.
However, when I shut down DCA1 neither Domain can authenticate to the other.
The network communication is still there as you can ping across Domains by
machine name but no Domain A user can authenticate to Domain B and vice
versa. Turn DCA1 back on and everything is fine again.

In an attempt to fix the problem, with DCA1 up and running I deleted the
Trust on both sides. I then shut down DCA1 and recreated the trust on the
Domain A side on DCA3 which gave me no errors. I went to create the trust on
the Domain B side and received the error "RPC Server Unavailable" and I could
not create that side of the trust. I restarted DCA1 and was able to create
the Domain B side with no problem.

For some reason Domain B seems to only want to authenticate Domain A users
through DCA1 even though we have removed all reference to DCA1.

Any assistance would be GREATLY appreciated.
Phillip Windell
11-07-2006, 10:28 PM
"Patrick G." <(E-Mail Removed)> wrote in message
news:2B889594-332A-43F9-A58A-(E-Mail Removed)...
> We want to remove DCA1 from the network and redeploy for other use.
> However, when I shut down DCA1 neither Domain can authenticate to the
> other.
> The network communication is still there as you can ping across Domains by
> machine name but no Domain A user can authenticate to Domain B and Vice
> Versa. Turn DCA1 back on and everything is fine again.


You don't "shut down" DCs to remove them. You have to DCPromo them down to
member servers first, then make them Workgroup Servers, then shut them
down.

> For some reason Domain B seems to only want to authenticate Domain A
> users through DCA1 even though we have removed all reference to DCA1.


Before a user logs in, look at the third line on their machines; they are
probably still logging into the old Domain instead of the new one. Also
they can't log into the new one if their machines, their user accounts and
their SID history has not been migrated to the new Domain. If you don't
know what I mean by that then you need to get help. Screwing this up will
make a disaster out of everything that is very difficult and sometimes
impossible to recover from "cleanly".

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------

Patrick G.
11-08-2006, 07:51 PM
Thanks for your response but I don't think you understood my
question/situation. First, I am aware that you need to run dcpromo to
permanently remove the machine as a domain controller but I also know that
other domain controllers in the domain should be able to authenticate users
from a trusted domain when this one is shut down.

Second, there is no old domain or new domain, there are 2 trusted/trusting
domains. Users from DomainA should be able to (and can when DCA1 is running)
authenticate to resources in DomainB from their DomainA user and machine
accounts.


Phillip Windell
11-08-2006, 08:28 PM
OK, I see.

Well, I haven't done a lot in that area. But I know that DNS is a big issue.
Maybe you need to set up zone transfers between the DCs of the two domains so
that the DCs of each domain are aware of the Active Directory tree of the
opposite Domain.

I currently have a trust between two Forests due to a migration from the
"old" to the "new" and the interaction between the two was not all that
smooth or dependable. I could live with it for a brief period during the
migration but would never want it to be a permanent situation. It was like
this even with another very skilled IT guy helping and an outside Consultant
also involved.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------


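An added diagnostic runbook, not commands from either poster, for checking (with DCA1 powered off) whether a DC in one domain can still locate and authenticate to the trusted domain by DNS alone, and for adding the secondary zone the reply above refers to. Domain names, the IP address and the server name are assumed placeholders; the tools are nltest, netdom and dnscmd from the Windows 2000/2003 Support Tools, run on a DC in Domain A such as DCA3.

```powershell
# Run on a Domain A DC (e.g. DCA3) while DCA1 is off, then repeat on a
# Domain B DC with $Local and $Remote swapped. All names below are assumed.
$Local      = 'domaina.local'   # DNS name of Domain A (placeholder)
$Remote     = 'domainb.local'   # DNS name of Domain B (placeholder)
$RemoteDcIp = '192.0.2.20'      # address of a Domain B DC (placeholder)

# 1. DC location by DNS only: the SRV record every DC of the trusted domain
#    registers. If this fails while DCA1 is off, the DC locator was falling
#    back to WINS/NetBIOS names, and the only WINS server was DCA1.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Remote"

# 2. Ask the Netlogon DC locator for a DC of the trusted domain;
#    /force discards the cached answer so a stale DCA1 entry is not reused.
nltest "/dsgetdc:$Remote" /force

# 3. Which DC of the trusted domain holds this DC's secure channel, and does
#    that channel still work? A channel pinned to DCA1 explains the failures
#    that appear only when DCA1 is shut down.
nltest "/sc_query:$Remote"
nltest "/sc_verify:$Remote"

# 4. Verify the trust object itself from the trusting side; "RPC Server
#    Unavailable" here points at name resolution or a DC that cannot be reached.
netdom trust $Local "/domain:$Remote" /verify

# 5. If step 1 failed, host a secondary copy of Domain B's zone on this DC's
#    DNS server (the zone transfer the reply above suggests); Domain B's DNS
#    must allow transfers to this server. Then rerun steps 1-4.
#    On W2K the _msdcs records live inside the domain zone, so one zone suffices.
dnscmd localhost /ZoneAdd $Remote /Secondary $RemoteDcIp

# 6. Once every step passes with DCA1 off, demote it (dcpromo) rather than
#    leaving a powered-down DC that the other domain can still be pointed at.
```

Each command prints its own result; a non-zero `$LASTEXITCODE` after nltest or netdom marks the failing step.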