Trusts between domains connected via VPN.
Rob
04-10-2006, 08:42 PM
I have 2 domains in my company at 2 different locations connected via VPN on
a T1. Both servers are running Win2003 Server. I have recently added a 2-way
trust in both domains so that I can have a computer at one office joined to
the domain at the other office. This works fine except for a few problems
that have cropped up.
1. I don’t always see the other network in Windows Explorer until I type one
of the computer names from the other network. Then they all show up. This
isn’t a big problem, more a point of curiosity as to why both don’t show to
begin with.
2. I have used batch files in the past to copy certain files between
servers. I was using IP address in the commands to direct xcopy to the proper
folders but now I get invalid drive specification. I have also tried using
the computer name but get the same error. Note: This is true ONLY on the
server, when I run the batch file from my desktop it works fine but I prefer
to do these types of operations from the server and not on my desktop which
might get changed out.
3. I thought with a 2 way trust you could log onto either domain. But I
can’t log onto the other domain unless I’m doing so with a user name from
that domain. If I use a user name that is only on my local domain and not the
other one, it won’t let me log on.

One more question:
Eventually we will be moving the other server to my location and have the
personnel at the other office login to the domain via VPN. What would the
best thing to do be, add this DC as a sub domain to the main server or do
away with it as its own domain and make it basically just a file / SQL
server for that office. This would just result in them logging into my main
DC and setting up just a few new accounts for them under my main domain. I
know which I think should be done but there are some conflicting opinions
here.

Thanks,
Rob

 
novikov@infotecs.ru
04-11-2006, 06:44 AM
Hi Rob,

I would recommend the second one - less issues.

Are you going to use Windows VPN? Or some other? I might recommend
ViPNet - www.vpnsolution.info

 
Rob
04-11-2006, 10:26 AM
The VPN is handled by a Watchguard SOHO6 at one end and a Watchguard X700 at
the other.

"(E-Mail Removed)" wrote:

> Hi Rob,
>
> I would recommend the second one - less issues.
>
> Are you going to use Windows VPN? Or some other? I might recommend
> ViPNet - www.vpnsolution.info
>
>

 
Michael Giorgio - MS MVP
04-12-2006, 06:25 PM
Hi Rob,


"Rob" <(E-Mail Removed)> wrote in message news:
> 1. I don't always see the other network in Windows Explorer until I type one
> of the computer names from the other network. Then they all show up. This
> isn't a big problem, more a point of curiosity as to why both don't show to
> begin with.


Browsing is handled by the computer browser service which relies on NetBIOS
broadcasts and WINS (cross subnet browsing) to enumerate the list. Without
more details of your setup it would be hard to tell you why the list is
incomplete.

> 2. I have used batch files in the past to copy certain files between
> servers. I was using IP address in the commands to direct xcopy to the proper
> folders but now I get invalid drive specification. I have also tried using
> the computer name but get the same error. Note: This is true ONLY on the
> server, when I run the batch file from my desktop it works fine but I prefer
> to do these types of operations from the server and not on my desktop which
> might get changed out.


You don't get any other error other than invalid drive specification e.g.,
an error code to go with it?

> 3. I thought with a 2 way trust you could log onto either domain. But I
> can't log onto the other domain unless I'm doing so with a user name from
> that domain. If I use a user name that is only on my local domain and not the
> other one, it won't let me log on.


This is by design. The purpose of a trust relationship is to allow a user to
log on to a computer in either domain, but that user must specify in which domain
his/her account is located. The DC then passes the logon credential back
to the domain where the user account resides. That's why you get the trusting
domain listed in the drop-down list for domains on the logon screen.

>
> One more question:
> Eventually we will be moving the other server to my location and have the
> personnel at the other office login to the domain via VPN. What would the
> best thing to do be, add this DC as a sub domain to the main server or do
> away with it as its own domain and make it basically just a file / SQL
> server for that office. This would just result in them logging into my main
> DC and setting up just a few new accounts for them under my main domain. I
> know which I think should be done but there are some conflicting opinions
> here.


I would suggest leaving it so the users do not rely on your VPN connection
for authentication.


 
Rob
04-12-2006, 07:21 PM

"Michael Giorgio - MS MVP" wrote:

> Hi Rob,
>
> "Rob" <(E-Mail Removed)> wrote in message news:
> > 1. I don't always see the other network in Windows Explorer until I type one
> > of the computer names from the other network. Then they all show up. This
> > isn't a big problem, more a point of curiosity as to why both don't show to
> > begin with.
>
> Browsing is handled by the computer browser service which relies on NetBIOS
> broadcasts and WINS (cross subnet browsing) to enumerate the list. Without
> more details of your setup it would be hard to tell you why the list is
> incomplete.


Both domains were originally connected only via VPN. They both have their
own DC, DNS, and DHCP servers. I established the two way trust between them
and was able to verify both directions. When I did this I found in order for
my computer to see the other domain I had to add its WINS server IP address
to my local machine.

************************************************

> > 2. I have used batch files in the past to copy certain files between
> > servers. I was using IP address in the commands to direct xcopy to the proper
> > folders but now I get invalid drive specification. I have also tried using
> > the computer name but get the same error. Note: This is true ONLY on the
> > server, when I run the batch file from my desktop it works fine but I prefer
> > to do these types of operations from the server and not on my desktop which
> > might get changed out.
>
> You don't get any other error other than invalid drive specification e.g.,
> an error code to go with it?


Nope, no error code. This is one line of the .bat file:

xcopy \\domainserver2\D$\Compan~1\*.* \\domainserver1\D$\ATLBckup /D /E /I /F /H /R /K /Y /Z

and the error after it runs at the command prompt is:

Invalid drive specification
0 File(s) copied

I have used both the server name and its IP address but both give the same
error. Now if I run the same .bat file on my local computer logged into
domain1 it runs properly. It just fails when running from the server which
did work before the trust was established.

************************************************

> > 3. I thought with a 2 way trust you could log onto either domain. But I
> > can't log onto the other domain unless I'm doing so with a user name from
> > that domain. If I use a user name that is only on my local domain and not the
> > other one, it won't let me log on.
>
> This is by design. The purpose of a trust relationship is to allow a user to
> logon to a computer in either domain but that user must specify which domain
> his/her account is located. The DC then passes the logon credential back
> to the domain where the user account resides. That's why you get the trusting
> domain listed in the drop down list for domains on the logon screen.


That's what I thought. I do have the drop down box listing both domains and
the local machine. I can login on either domain with my user name because
that name is a member of both domains. But if I try to log into domain2 using
a name that is a member of domain1 but not of domain2 I get the following:

"The system could not log you on. Make sure your User name and domain are
correct, then type your password again. Letters in passwords must be typed
using the correct case."

Thanks for your patience and help,
Rob
 
Michael Giorgio - MS MVP
04-12-2006, 07:53 PM
Hi Rob,


"Rob" <(E-Mail Removed)> wrote in message news:
>> Browsing is handled by the computer browser service which relies on NetBIOS
>> broadcasts and WINS (cross subnet browsing) to enumerate the list. Without
>> more details of your setup it would be hard to tell you why the list is
>> incomplete.
>
> Both domains were originally connected only via VPN. They both have their
> own DC, DNS, and DHCP servers. I established the two way trust between them
> and was able to verify both directions. When I did this I found in order for
> my computer to see the other domain I had to add its WINS server IP address
> to my local machine.
>


If you have a single WINS server you do have to point all clients towards that
particular WINS server. If you have a WINS server in each location you can
have them replicate. Are you still having issues?

>> You don't get any other error other than invalid drive specification e.g.,
>> an error code to go with it?
>
> Nope, no error code. This is one line of the .bat file:
>
> xcopy \\domainserver2\D$\Compan~1\*.* \\domainserver1\D$\ATLBckup /D /E /I /F /H /R /K /Y /Z
>
> and the error after it runs at the command prompt is:
>
> Invalid drive specification
> 0 File(s) copied
>
> I have used both the server name and its IP address but both give the same
> error. Now if I run the same .bat file on my local computer logged into
> domain1 it runs properly. It just fails when running from the server which
> did work before the trust was established.


That is strange because I would expect a specific error code as well.
I would check permissions. Are you using the same account to log on
to the DC as the account you are using to log on to the workstation which
works? Can you map to each share successfully from the server and copy
files back and forth using Explorer? Sorry if you already answered this
question.

>> This is by design. The purpose of a trust relationship is to allow a user to
>> logon to a computer in either domain but that user must specify which domain
>> his/her account is located. The DC then passes the logon credential back
>> to the domain where the user account resides. That's why you get the trusting
>> domain listed in the drop down list for domains on the logon screen.
>
> That's what I thought. I do have the drop down box listing both domains and
> the local machine. I can login on either domain with my user name because
> that name is a member of both domains. But if I try to log into domain2 using
> a name that is a member of domain1 but not of domain2 I get the following:
>
> "The system could not log you on. Make sure your User name and domain are
> correct, then type your password again. Letters in passwords must be typed
> using the correct case."


Okay so you still are wondering why the error? The error means the account
doesn't exist e.g., you cannot logon to domain A with a domain B account,
you have to specify domain B. The purpose is to be able to logon to the
machine in another domain and that is possible as long as you specify which
domain your account resides. It is for physically moving from one domain to
another not accessing domain resources. That's a permissions issue. <g>


 
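Michael's advice in the thread is to check which account the job runs under and whether the server can actually reach each share. The batch file below is an added example, not code from the thread or from either poster: it wraps Rob's xcopy line with pre-flight checks so that a failure is logged together with the identity the copy ran as, the trusts the server can see, and the xcopy exit code, instead of a bare "Invalid drive specification" on the console. The server names and share paths come from Rob's command; the log file location is an assumption, and whoami and nltest are assumed to be installed on the server (nltest is part of the Support Tools on Windows Server 2003).

```batch
@echo off
rem Added diagnostic wrapper (not from the thread). SRC and DST are taken from
rem Rob's xcopy line; LOG is an assumed location. Run it on the server where
rem the copy fails, interactively or from the scheduled task that normally runs it.
setlocal
set "SRC=\\domainserver2\D$\Compan~1"
set "DST=\\domainserver1\D$\ATLBckup"
set "LOG=%SystemDrive%\copycheck.log"

echo ==== %DATE% %TIME% ==== >> "%LOG%"

rem 1. Which account is this running as? A scheduled task or a local
rem    (non-domain) logon has no identity the other domain can evaluate.
echo [identity] >> "%LOG%"
whoami >> "%LOG%" 2>&1

rem 2. Existing SMB connections can carry different credentials to the same
rem    server and make a UNC path fail even though the account itself is fine.
echo [net use] >> "%LOG%"
net use >> "%LOG%" 2>&1

rem 3. Which domains does this server trust? (nltest assumed installed.)
echo [trusts] >> "%LOG%"
nltest /domain_trusts >> "%LOG%" 2>&1

rem 4. Reachability of each UNC path. The trailing backslash makes IF EXIST
rem    test the directory rather than a file of that name.
if not exist "%SRC%\" (
    echo source %SRC% not reachable >> "%LOG%"
    goto :fail
)
if not exist "%DST%\" (
    echo destination %DST% missing, creating >> "%LOG%"
    mkdir "%DST%" >> "%LOG%" 2>&1
    if errorlevel 1 goto :fail
)

rem 5. Rob's original copy, with its exit code captured.
rem    xcopy exit codes: 0 copied, 1 no files to copy, 2 interrupted,
rem    4 initialization error (includes an invalid drive or path), 5 disk write error.
xcopy "%SRC%\*.*" "%DST%" /D /E /I /F /H /R /K /Y /Z >> "%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
if %RC% GEQ 2 (
    echo xcopy failed with exit code %RC% >> "%LOG%"
    goto :fail
)
echo xcopy finished with exit code %RC% >> "%LOG%"
endlocal
exit /b 0

:fail
echo FAILED: see %LOG% and check share and NTFS permissions for the account listed under [identity]
endlocal
exit /b 1
```

Two things to look for in the log. First, the account under [identity]: an administrative share such as D$ is only reachable by an account that is an administrator on the remote server, so a domain1 account reaches domainserver2\D$ only if it has been placed in that server's Administrators group (directly or through a group from the trusted domain); the same job run from a workstation as a different interactive user can succeed while the server's task account fails. Second, the exit code: "Invalid drive specification" corresponds to xcopy exit code 4, which is a path or access problem rather than a copy error, so it is worth fixing the access before touching the copy options.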