Miha Pihler [MVP]
Hi,

Some of my comments are in-line...

"Wayne" wrote:
> I have set up a 2-way external trust to a recently acquired domain(B) from our
> domain(A). Both domains are Windows 2003 Server and in mixed mode. Domain
> Controllers are pointed to a common WINS database.
> Issue- I am unable to assign permissions on a share to Global groups or
> users between Domain(A) and Domain(B).

The proper and recommended way to do this would be to create a Domain Local Group in Domain B and assign this group permissions on resources. Then add the Global group from Domain A to the Domain Local Group in Domain B.

> I have relied on NetBIOS to set up the share as the separate DNS's are not
> talking to each other yet.
> I can \\Fileserver\sharename from a fileserver in Domain(A) from Domain(B)
> but I am unable to assign NTFS permissions on the share on
> Domain(A)\\Fileserver\sharename. I get the error (Name not found)
> Question: Is NetBIOS sufficient to establish the share permissions for an
> external domain?

It looks like you will have to fix some resolution problems. My advice is to use DNS. Since you are running Windows Server 2003 you can use conditional forwarding to configure the DNS servers in domains A and B to point to the correct servers for resolution. Personally I would fix the name resolution (DNS) issue first -- and then work on other issues that might remain.

Let me know if you need more help with this.

--
Mike
Microsoft MVP - Windows Security

Wayne
Hi Mike,

Domain local groups
Our policy, and I know it is not textbook, is to not use Domain Local groups. We have been assigning Global Groups to the resources for other domain trusts and this works. This is our only "External" trust. Technically it should work to assign the permissions on the resource using a global group, even though it is not best practice.

DNS- I may have to configure DNS, but we have an issue with this. The Domain(B) used a domain name that is registered (by someone else) on the internet.
Is there any reason why the external trust would not work using NetBIOS (WINS) name resolution, or does an external trust "require DNS"? From what I have read, it does not; it can use NetBIOS. This will limit security to NTLM (no Kerberos).

Please comment,
Regards, Wayne

Miha Pihler [MVP]
Hi,

Even if a domain name was used that is registered -- you can still use conditional forwarding on your DNS servers to query your new domain (domain B) DNS servers. Another option would be to create a secondary zone and replicate it from domain B DNS to your DNS server in domain A. Any queries from any of your clients for domain B will get answered either by records in the secondary zone or by the conditional forwarder if you decide to use it (I recommend it).

Anything else (WINS, NetBIOS, ...) is less reliable than DNS in this case (as you are figuring it out already)...

--
Mike
Microsoft MVP - Windows Security

Wayne
Hi Mike,

This may be the best solution. If I create a conditional forward for DomainB.com, won't this prevent the users from surfing to the outside DomainB.com?

Miha Pihler [MVP]
How was this solved for users in domainb.com? My guess is they added some records that enabled them to surf the web and send e-mails (WWW A record and MX records)... If it works for them -- it should also work for your domain since you will be using conditional forwarding.
Later you can still think about renaming the domain...

--
Mike
Microsoft MVP - Windows Security

Wayne
Mike,

I was reluctant to get into the DNS configuration due to the fact that we are using different DNS solutions for each forest and I have limited knowledge of configuring DNS. After creating forwarders for each domain, I re-established the trust in the lab and it is working perfectly. The configuration in Active Directory DNS was easy. The Nortel NetID was much more difficult and not very intuitive, but I did manage to make it work.
Thanks for your advice.
Wayne

Wayne
Fixed name resolution in DNS using forwarders.
Can resolve domainA.com from domainB.com.
Can resolve SRV records for domains both ways.
I have validated the trust both ways.
I am now only able to assign permissions to resources one-way.
Error: The local security authority cannot be contacted

I am beginning to think that name resolution is not the problem.

Wayne
Mike,

Just to recap, I put in the domain conditional forwarders for domainB and domainA respectively.
On a Domain Controller for DomainA, I am able to assign permissions to a share from DomainB. On a workstation in DomainA I can do the same.
On a Domain Controller for DomainB, I am able to assign permissions to a share from DomainA. On a workstation in DomainB, I get the error: "The local security authority cannot be contacted", and no objects can be found. If it is on a Windows 2000 server, I get the error "no authority could be contacted for authentication".
These computers are able to query (nslookup) for all SRV records in DomainA.

Any advice at this point would be appreciated.
Regards, Wayne

Wayne
I have resolved the unable to assign permissions problem.
The domain that was responding with "no authority could be contacted for authentication" is in NTEmulation mode. nltest /dsgetdc:domain.com /pdc was failing from the clients that were not able to find objects. The NeutralizeNT4Emulator key on the client resolved this.

"Wayne" wrote:
> Mike,
> Just to recap,
> I put in the domain conditional forwarders for domainB and domainA respectively.
> On a Domain controller for Domain A, I am able to assign permissions to a share from DomainB. On a workstation in DomainA I can do the same.
> On a Domain Controller for DomainB, I am able to assign permissions to a share from DomainA. On a workstation in DomainB, I get the error: "The local security authority cannot be contacted", and no objects can be found. If it is on a windows 2000 server, I get the error "no authority could be contacted for authentication".
> These computers are able to query (nslookup) for all srv records in DomainA.
>
> Any advice at this point would be appreciated.
> Regards, Wayne
>
> "Wayne" wrote:
>
> > Fixed named resolution in DNS using forwarders
> > Can resolve domainA.com from domainB.com
> > can resolve srv records for domains both ways
> > I have validated the trust both ways.
> > I am now only able to assign permissions to resources, one-way
> > Error:The local security authority cannot be contact
> >
> > I am beginning to think that name resolution is not the problem.
> >
> > "Wayne" wrote:
> >
> > > Mike,
> > > I was reluctant to get into the DNS configuration due to the fact that we are using different DNS solutions for each forest and I have limited knowledge of configuring DNS. After creating forwarders for each domain, I re-established the trust in the lab and it is working perfectly. The configuration in Active Directory DNS was easy. The Nortel NetID was much more difficult and not very intuitive, but I did manage to make it work.
> > > Thanks for your advice.
> > > \Wayne
> > >
> > > "Miha Pihler [MVP]" wrote:
> > >
> > > > How was this solved for users in domainb.com? My guess is they added some records that enabled them to surf the web and send e-mails (WWW A record and MX records)... If it works for them -- it should also work for your domain since you will be using conditional forwarding.
> > > > Later you can still think about renaming the domain...
> > > >
> > > > --
> > > > Mike
> > > > Microsoft MVP - Windows Security
> > > >
> > > > "Wayne" <(E-Mail Removed)> wrote in message
> > > > news:E12889F4-BB32-4128-A79F-(E-Mail Removed)...
> > > > > Hi Mike,
> > > > >
> > > > > This may be the best solution. If I create a conditional forward for DomainB.com, won't this prevent the users from surfing to the outside DomainB.com?
> > > > >
> > > > > "Miha Pihler [MVP]" wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Even if domain name was used that is registered -- you can still use conditional forwarding on your DNS servers to query your new domain (domain B) DNS servers. Another option would be to create a secondary zone and replicate it from domain B DNS to your DNS server in domain A. Any queries from any of your clients for domain B will get answered either by records in secondary zone or by conditional forwarder if you decide to use it (I recommend it).
> > > > >>
> > > > >> Anything else (WINS, NetBIOS, ...) is less reliable than DNS in this case (as you are figuring it out already)...
> > > > >>
> > > > >> --
> > > > >> Mike
> > > > >> Microsoft MVP - Windows Security
> > > > >>
> > > > >> "Wayne" <(E-Mail Removed)> wrote in message
> > > > >> news:76AEA43A-41C0-450D-99B0-(E-Mail Removed)...
> > > > >> > Hi Mike,
> > > > >> > Domain local groups
> > > > >> > Our policy and I know it is not text book, is to not use Domain Local groups. We have been assigning Global Groups to the resources for other domain trusts and this works. This is our only "External" trust. Technically it should work to assign the permissions on the resource using a global group, even though it is not best practice.
> > > > >> >
> > > > >> > DNS- I may have to configure DNS, but we have an issue with this. The Domain(B) used a domain name that is registered (by someone else) on the internet.
> > > > >> > Is there any reason why the external trust would not work using Netbios (WINS) name resolution or does an external trust "require DNS". From what I have read, it does not, it can use Netbios. This will limit security to ntlm (no Kerberos)
> > > > >> >
> > > > >> > Please comment,
> > > > >> > Regards, Wayne
> > > > >> >
> > > > >> > "Miha Pihler [MVP]" wrote:
> > > > >> >
> > > > >> >> Hi,
> > > > >> >>
> > > > >> >> Some of my comments are in-line...
> > > > >> >>
> > > > >> >> "Wayne" <(E-Mail Removed)> wrote in message
> > > > >> >> news:26FB1715-08AE-4397-9298-(E-Mail Removed)...
> > > > >> >> > I have setup a 2 way external trust to a recently acquired domain(B) from our domain(A). Both domains are Windows 2003 Server and in mixed mode. Domain Controllers are pointed to a common WINS database.
> > > > >> >> > Issue- I am unable to assign permissions on a share to Global groups or users between Domain(A) and Domain(B).
> > > > >> >>
> > > > >> >> Proper and recommended way for doing this would be to create a Domain Local Group in Domain B and assign this group permissions on resources. Then add Global group from domain A to Domain Local Group in Domain B.
> > > > >> >>
> > > > >> >> > I have relied on Netbios to setup the share as the separate DNS's are not talking to each other yet.
> > > > >> >> > I can \\Fileserver\sharename from a fileserver in Domain(A) from Domain(B) but I am unable to assign NTFS permissions on the share on Domain(A)\\Fileserver\sharename. I get the error (Name not found)
> > > > >> >> > Question: Is Netbios sufficient to establish the share permissions for an external domain?
> > > > >> >>
> > > > >> >> It looks like you will have to fix some resolution problems. My advice is to use DNS. Since you are running Windows Server 2003 you can use conditional forwarding to configure DNS server in domains A and B to point to correct servers for resolution. Personally I would fix name resolution (DNS) issue first -- and then work on other issues that might remain.
> > > > >> >>
> > > > >> >> Let me know if you need more help with this.
> > > > >> >>
> > > > >> >> --
> > > > >> >> Mike
> > > > >> >> Microsoft MVP - Windows Security
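The check and fix described in the last post, as an added example that is not part of the original thread: it reads the Netlogon `NT4Emulator` and `NeutralizeNT4Emulator` values on the machine that cannot find objects, repeats the `nltest /dsgetdc ... /pdc` test, and writes `NeutralizeNT4Emulator` only when `-Fix` is given. The registry path is the standard Netlogon Parameters key and `domainA.example` is a placeholder; neither appears in the thread.

```powershell
# Added example: audit (and optionally set) the Netlogon NT4-emulation values.
# Run elevated on the member or workstation that fails to locate the trusted domain.
param(
    [string]$Domain = 'domainA.example',   # placeholder domain, not from the thread
    [switch]$Fix                            # write NeutralizeNT4Emulator = 1 if the locator fails
)

# Standard Netlogon parameters key (assumption: the thread names only the value).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonFlag([string]$Name) {
    # Returns the DWORD value, or $null when the value is absent.
    $p = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name } else { $null }
}

function Test-PdcLocator([string]$DomainName) {
    # Same test as in the post: can the DC locator find the PDC of the domain?
    $out = & nltest.exe "/dsgetdc:$DomainName" /pdc 2>&1
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

$locator = Test-PdcLocator $Domain
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    NT4Emulator           = Get-NetlogonFlag 'NT4Emulator'            # normally set on DCs
    NeutralizeNT4Emulator = Get-NetlogonFlag 'NeutralizeNT4Emulator'  # normally set on clients
    PdcLocatorOk          = $locator.Ok
} | Format-List

if (-not $locator.Ok) {
    Write-Warning "DC locator failed for ${Domain}:`n$($locator.Output)"
    if ($Fix) {
        New-ItemProperty -Path $key -Name 'NeutralizeNT4Emulator' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        # Assumption: Netlogon picks the value up when the service starts.
        Write-Host 'NeutralizeNT4Emulator set to 1. Re-run this check after Netlogon has restarted.'
    }
}
```

A machine answered in NT4 emulation mode is limited to NT4-style authentication against that domain controller, so a non-empty `NT4Emulator` on the DCs is worth tracking until it can be removed.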