Forest Trust Issue, Validated, but still cant select users across domains


  • Forest Trust Issue, Validated, but still cant select users across domains

    Hi, everyone, I'm a bit stumped here, and would require assistance on this issue.

    I have 2 domains, in separate forests, that I'd like to create a trust between. These are connected via IPsec VPN.

    Pinging domain A and B from each other returned the correct IP address; the DNS server is the DC as well.

    Conditional forwarders have been placed in both DNS servers. I can get the IP for all machines in the other domain with, for example, ping computer.domainb

    My problem is that when I try to add a user from Domain B to Domain A's share, the list doesn't populate.

    In Domain A security settings
    Select this Object Type
    - Users or Groups

    From this location
    - Domain B

    Enter the Object names to select
    - There's no object name here at all. I can't access the users or groups of Domain B, from Domain A

    What else am I missing? Thanks.

  • #2
    Re: Forest Trust Issue, Validated, but still cant select users across domains

    Hi,

    What type of groups have you used? Are they global/domain local/universal?
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points



    • #3
      Re: Forest Trust Issue, Validated, but still cant select users across domains

      Hi, thanks for the reply,

      They're all Global groups.

      Now that I look into it, it's a bit funny.
      Domain A can 'Find' the users and groups of Domain B.

      However, from Domain B, when I try to search for the members in Domain A, it's telling me, "the system has detected a possible attempt to compromise security..."

      So, I have part of the trust working, it seems. And it would seem like I've misconfigured something... and domain A is purposely denying the request from Dom B?
      Last edited by Valeron; 27th January 2011, 05:20.



      • #4
        Re: Forest Trust Issue, Validated, but still cant select users across domains

        Hi,

        Try this: create a domain local group in both domains, let's say A and B, then try to add members cross-domain.

        Global groups: you can only add members from the local domain to the group.

        On DomainA run the following command and post the output:

        From DomainB
        nltest /dsgetdc:DomainControlofDomainA

        Similarly from DomainA as well
        Thanks & Regards
        v-2nas



        • #5
          Re: Forest Trust Issue, Validated, but still cant select users across domains

          Hi thanks for the help,

          I've run the command from both DC, and the results are good.

          DC : correct
          Address : correct
          Dom GUID : ok
          Dom Name : ok
          Forest Name : ok
          DC site name Default First Site
          Our site name Default First Site
          Flags : both are the same

          The only difference I noticed between the DCs is in the DC site name and our site name, but I don't think that matters much?
          DC site name Default First Site Name vs Default First Site
          Our site name Default First Site Name vs Default First Site

          Reading this link, it says the firewall may be blocking UDP and TCP 88, but I've already opened the ports and still no candy.
          kb/938457

          As it is now, I'm still stumped as to why the trust only works one way. My hardware firewall has the same settings on both ends, so that rules it out.

          I can view the list of users in Dom A from Dom B, but when I browsed Dom B's users and groups, I got this:
          "the system has detected a possible attempt to compromise security". I'll see if Google has more pointers that I can try out...

          Seems like all clues point to DNS being the culprit... I'll have a closer look.



          • #6
            Re: Forest Trust Issue, Validated, but still cant select users across domains

            Can you give me a checklist of what else I could try to get this working?

            I'm still stuck, and I have no idea where to start looking.


            Thanks
            Last edited by Valeron; 28th January 2011, 10:59.



            • #7
              Re: Forest Trust Issue, Validated, but still cant select users across domains

              Hi,

              Can you try this for now.
              http://support.microsoft.com/kb/938457#appliesto

              Check DNS for any rogue entries of other DCs as well.
              Thanks & Regards
              v-2nas



              • #8
                Re: Forest Trust Issue, Validated, but still cant select users across domains

                OK, I look stupid now.
                There's another VPN connection going between these two domains. I used that one to test things out, and wallop, everything is working fine.

                So IT IS my hardware firewall that's dropping the packets... Thanks!!
                I know where to look now~
                Last edited by Valeron; 11th February 2011, 09:47.
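
The firewall finding in post #8, as an added example that is not part of the original thread: a PowerShell check, run on each DC against the other forest's DC, that reports which well-known AD service TCP ports fail to connect. The DC name is a placeholder, and UDP (including the UDP 88 mentioned above) and the dynamic RPC range are not probed.

```powershell
# Added example: TCP reachability check between DCs on either side of a trust.
# $RemoteDc is a placeholder; run once on each DC, pointing at the other side,
# because a firewall can drop traffic in one direction only.
param(
    [string]$RemoteDc  = 'dc01.domainb.example',   # placeholder name
    [int]   $TimeoutMs = 3000
)

# Well-known AD service ports (TCP side only).
$ports = @(
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB' }
    @{ Port = 464;  Service = 'Kerberos password change' }
    @{ Port = 636;  Service = 'LDAPS' }
    @{ Port = 3268; Service = 'Global catalog' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer inside the timeout usually means a silent drop (firewall).
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $ports) {
    [pscustomobject]@{
        Target    = $RemoteDc
        Port      = $p.Port
        Service   = $p.Service
        Reachable = Test-TcpPort -ComputerName $RemoteDc -Port $p.Port -TimeoutMs $TimeoutMs
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count) { Write-Warning ("Unreachable: " + (($blocked | ForEach-Object { $_.Port }) -join ', ')) }
```

Comparing the output from both DCs shows whether the drop is one-directional, which matches the symptom of the trust working from one side only.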



                • #9
                  Re: Forest Trust Issue, Validated, but still cant select users across domains

                  WoW !!! : )
                  Thanks & Regards
                  v-2nas
