HunTelWebProgrammer asked:

Trust works then quits

I have a one-way trust in place between 2 domains on the same gateway. Domain A is 2000 mixed mode, in the DMZ, and Domain B is 2003 native mode in the intranet. I made a firewall rule to allow communication between the 2 DCs in Domain A and the 2 DCs in Domain B. The trust is one way, non-transitive, with Domain A being the trusting domain and Domain B the trusted. I also added to each DC each other's DNS servers as forwarders so they can see each other's AD DNS. That works fine. Ping server1.DomainA.com from Domain B and it sees it, and vice versa. Then I created the trust from Domain B and it worked slick, perfect. Now I can add users from Domain B to Domain A perfectly. It works great (mostly). I have a web server in Domain A and I add users to NTFS permissions and I can see Domain B users just fine. Add them and everything. I tested it yesterday on locked pages in IIS in Domain A with users added from Domain B and it worked perfectly.

Now, here is the tricky part. Today, I cannot log onto the secured web pages in Domain A with users from Domain B. I can SEE the users still in the NTFS permissions, but when I go to log on as one, Access Denied.

My question is this: I just have it set in the firewall to allow the 2 DCs from each domain to have all ports open. Do I have to allow each server on Domain A to have all ports open to the 2 DCs in Domain B? When it does a Master Browser election, does whatever server that is HAVE to be able to see the DCs on the other side, or just its local DCs?
This one is tough.
strongline

I think it depends on how your web authentication is set up. If you select only Basic Authentication, you should be able to access the page as long as port 80 is open.
However, if you have "anonymous" and/or "Windows Integrated Auth", then you may need port 88 (both TCP/UDP) open from the web server to the DC, as the client will have Kerberos communication with the web server. I will test this out if I have the chance and time.
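A way to check strongline's port hypothesis from the web server itself, as an added example that is not part of the original thread. It runs on the Domain A web server and probes the Domain B DCs on the ports a member server commonly needs from a DC; the DC host names are placeholders, and Test-NetConnection checks TCP only, so a UDP/88 block would not be caught here.

```powershell
# Added example, not from the original thread. Run on the web server in Domain A.
# The DC names are placeholders (assumptions), not the asker's real hosts.
$DomainBDCs = @('dc1.domainb.example', 'dc2.domainb.example')

# Ports a member server typically needs on a DC. TCP/88 is the one strongline's
# answer singles out for Integrated Windows Authentication (Kerberos).
$Ports = @(
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'SMB' }
)

function Test-TrustedDcPorts {
    param(
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [Parameter(Mandatory)][hashtable[]]$PortTable
    )
    foreach ($dc in $DomainControllers) {
        foreach ($p in $PortTable) {
            # Test-NetConnection is TCP-only: a UDP/88 block will not show up here.
            $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC        = $dc
                Port      = $p.Port
                Service   = $p.Service
                Reachable = $r.TcpTestSucceeded
            }
        }
    }
}

# A 'Reachable = False' row is a firewall rule still missing between the web server
# and that DC; if every row is True, the web server can reach those DC ports and
# the cause of the Access Denied lies elsewhere (as it did in this thread).
Test-TrustedDcPorts -DomainControllers $DomainBDCs -PortTable $Ports |
    Format-Table -AutoSize
```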
HunTelWebProgrammer (asker)

I only have Basic Authentication sent in clear text, and the web server is also added to the firewall rules to allow all to the trusted domain. Maybe I am wrong, but do I need all servers on Domain A to be able to get to all ports on Domain B? When there is a Master Browser election on Domain A, does that newly elected server need to be allowed to get to Domain B?
ASKER CERTIFIED SOLUTION
strongline

HunTelWebProgrammer (asker)

I found the problem. First of all, I was adding a group for Domain B to Domain A in the IIS web server, which was through the web interface for FrontPage. It added the group just fine, but the users in that group could not authenticate. After pulling much hair over my firewall and DCs, I tried to add the same group to just a plain old NTFS folder and, lo and behold, it could not find that group from Domain B. The group was set to Global Distribution. I changed it to Global Security, and voilà! It authenticated just fine. Thanks for the effort! The problem is the FrontPage admin in IIS will add anything, even though the server will not authenticate, and the NTFS permissions on folders are much more honest and will tell you if it can use it or not.
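What the asker found by hand (a Global Distribution group that the NTFS object picker will not offer as a security principal) can be checked and corrected with the ActiveDirectory PowerShell module. This is an added example, not code from the thread; the DC name, group name, folder path and NetBIOS domain name are placeholders. It assumes, as the FrontPage behaviour above suggests, that a tool writing ACLs directly can still store a distribution group's SID in an ACE, so the second function scans a folder's ACL for such entries.

```powershell
# Added example, not from the original thread. Needs RSAT's ActiveDirectory module.
# Host, group and path names below are placeholders (assumptions).
Import-Module ActiveDirectory

# groupType is a bitmask; bit 0x80000000 (ADS_GROUP_TYPE_SECURITY_ENABLED) is what
# separates a security group from a distribution group of the same scope. Only
# security-enabled groups get a SID placed in a user's logon token, which is why
# an ACE granting a distribution group never matches anyone at logon.
$SECURITY_ENABLED = 0x80000000

function Test-SecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server,   # a DC of the domain that owns the group (Domain B here)
        [switch]$Fix       # convert Distribution -> Security, as the asker did in ADUC
    )
    $q = @{ Identity = $Identity; Properties = 'groupType'; ErrorAction = 'Stop' }
    if ($Server) { $q.Server = $Server }
    $g = Get-ADGroup @q

    $isSecurity = ($g.groupType -band $SECURITY_ENABLED) -ne 0
    if (-not $isSecurity -and $Fix) {
        $s = @{ Identity = $g; GroupCategory = 'Security' }
        if ($Server) { $s.Server = $Server }
        Set-ADGroup @s
        $isSecurity = $true
    }
    [pscustomobject]@{
        Group           = $g.Name
        Scope           = $g.GroupScope
        Category        = $g.GroupCategory
        SecurityEnabled = $isSecurity
        groupType       = '0x{0:X8}' -f $g.groupType   # e.g. 0x00000002 vs 0x80000002
    }
}

function Find-DistributionGroupAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TrustedDomain,  # NetBIOS name, e.g. DOMAINB
        [Parameter(Mandatory)][string]$Server          # a DC of that domain
    )
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $name = $ace.IdentityReference.Value           # e.g. DOMAINB\WebUsers
        if ($name -notlike "$TrustedDomain\*") { continue }
        $sam = $name.Split('\')[-1]
        try {
            $g = Get-ADGroup -Identity $sam -Server $Server -ErrorAction Stop
        } catch { continue }                           # a user, or a SID that no longer resolves
        if ($g.GroupCategory -ne 'Security') {
            [pscustomobject]@{
                Path     = $Path
                Identity = $name
                Category = $g.GroupCategory
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Report first; run with -Fix only once the report confirms the wrong category.
Test-SecurityGroup -Identity 'WebUsers' -Server 'dc1.domainb.example'
Find-DistributionGroupAces -Path 'D:\wwwroot\secure' -TrustedDomain 'DOMAINB' -Server 'dc1.domainb.example'
Test-SecurityGroup -Identity 'WebUsers' -Server 'dc1.domainb.example' -Fix
```

Converting the category in place keeps the group's SID and membership, so existing ACEs that already reference the group start matching at the next logon without being re-added. The scan is only meaningful for ACEs written by tools that bypass the object picker; an ACE added through the NTFS security dialog, as the asker observed, cannot reference a distribution group in the first place.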