How do I map a network drive from a separate domain?

I'm currently on a domain called "meta" in our office here.  It's still an NT 4 domain but I have the hardware and will upgrade soon.  I want to map a drive from a Windows XP machine to a Server 2003 machine that is located at another company for us.  They installed it there on a separate domain called "meta.sol".  I wasn't sure how well it would interface with our NT4 domain here, so we did it that way.  When we upgrade, I might work at just having that added to our domain here, but I digress.

The problem is that it won't authenticate.  I enter the \\server IP\shared folder and it seems to connect just fine through the "mapping" wizard, but then it brings up a dialog box and no matter what combination of username and password with domain\username and password, it won't authenticate.  It's a separate login from the meta domain, but I know I have the right credentials and I know I have the right permissions to access the folder.  Anyone have any idea what the problem might be?  I was thinking perhaps a trust issue, but I don't know how I would establish a trust there or if it's possible between NT4 and 2003.  

I can Remote Desktop into the server so I don't see why the firewall would allow that and not a mapping, however, the other company controls the firewall that is in front of our server there and we control the firewall here in the office.  But I can see and change anything on our server there, so let me know if you need more information or need me to try something.  I'm giving it a lot of points as I can't figure it out and the tech support where the server is at can't figure it out either, so I'm hoping one of you can save the day.  Thanks.
Drummerx007 Asked:

kroberts00 Commented:
Does the 2003 server have VPN set up?

Being able to remote might just mean that a port is opened up allowing you to do this. Without domain authentication (like a VPN connection) I am not sure how you would access a shared drive on a different domain.
0
bradleys40 Commented:
Have you tried the net use command?
NET USE X: \\NET\SHARE /USER:DOMAIN\USERname password
0
Drummerx007 (Author) Commented:
I THINK we have an IPSEC VPN tunnel set up between our firewalls, or do you mean me personally VPNing into the server?


I tried using the net use command and got "System error 5 has occurred.  Access is denied"

0
David Scott, MCSE, Network Administrator Commented:
it's a permissions issue on the share on the other domain.  have they given the username and password you are entering for authentication permissions to the share?  
0
David Scott, MCSE, Network Administrator Commented:
oops, missed the part that you are using a login from their domain.  stupid stuff, you're sure the account they provided you isn't locked out or some such thing?  (gotta start with the small stuff).  

are the two domains in the same tree or forest?  if so, the trust already exists.  if not, the meta.local domain needs to add your domain as a trust.  

open the domain forest and trusts snap-in.  right click the domain, properties, trusts.  if they don't see you in there as a trust, then they need to add you as an external trust.  you'll only need a one way trust if it's just you accessing their resources
0
Drummerx007 (Author) Commented:
If it was locked out, I assume I wouldn't be able to remote desktop in, correct?  I have administrative privileges when I log in though.

They are not in the same tree or forest.  I tried adding our meta domain as a trust, but I didn't see the domain available to add AS a trust, so I wasn't sure how exactly to do that.

Now, I'm not POSITIVE the IPSEC VPN is properly functioning, but will try to confirm that as that could be the problem?  Or would it be the whole domain trust issue?
0
David Scott, MCSE, Network Administrator Commented:
can you see the other domain in my network places?  when you remoted desktop to that domain controller, is it via lan ip or wan ip?  if by lan ip then there is a vpn.

can you ping the other DC by ip? by name?
0
Drummerx007 (Author) Commented:
I cannot see the other domain in my network places.  I remoted to the DC by wan ip, but I can ping it by name and IP.  I have it listed in my hosts file, so that might be why.  Thanks for continuing to comment!
0
David Scott, MCSE, Network Administrator Commented:
well, that may be a wins thing.  typically you have to enable netbios on your vpn tunnel to see the other domain. sometimes the dns will work as well.

anyway, not to worry.  when you did the "new trust" on the win 03 server and clicked next, did you type in the nt domain name and click next, and what happened?
0
Drummerx007 (Author) Commented:
Being an IPSEC tunnel through our firewall, I don't see any option anywhere to enable netbios or any protocol with it.

It's a bit bizarre, but I tried adding our meta domain as a trust, but it gives me a message saying that "the new trust wizard cannot continue because the specified domain is the same domain which the wizard is running.  To create a trust select a domain which you are not currently managing."  It's puzzling as the domain is meta.sol and I'm trying to create a trust with "meta", unless the ".sol" does not really matter?
0
David Scott, MCSE, Network Administrator Commented:
put meta.com in
0
Drummerx007 (Author) Commented:
Ok, so now it says that it cannot continue because the domain "meta.com" cannot be contacted.  Would  that mean that the VPN is not properly connected or functioning?
0
David Scott, MCSE, Network Administrator Commented:
0
David Scott, MCSE, Network Administrator Commented:
your DCs should point to themselves for primary dns and to each other for secondary dns.

you could also try creating a secondary dns zone on each DC which is the dns of the other DC

do you have wins running?  since you have an nt 4 domain, have it running on both DCs and again, point to themselves for primary and each other for secondary.

0
Drummerx007 (Author) Commented:
Ok, so I need to either make sure the VPN is properly connected and thus it "should" find it by the local address assuming I can forward it properly.  OR I set it up through the hosts to go through the external IP address and have the firewall forward those requests locally to the PDC?  Not sure how I'd do the second part, but it looks like those are my two options, correct?
0
David Scott, MCSE, Network Administrator Commented:
take the info out of the hosts file and see if you can get it to resolve by name by dns or wins.  the vpn is up if you are able to ping by lan ip

i don't know about the second option.  
0
Drummerx007 (Author) Commented:
If I take the info out of the hosts file, it can't resolve by DNS or WINS.  Ok, so if I understand it now, I think the first thing I have to make sure is that a VPN connection is properly connected.  Then try to establish a trust between the domains and also make sure WINS is running on the meta.sol domain.  It might take some time to do that, but I will get back with results...unless you have something more to add?  Thanks for the assistance and I will get back with results/points etc.
0
David Scott, MCSE, Network Administrator Commented:
without the hosts file, you can ping by lan ip right? if so the vpn is at least connected.  there might be something that needs to be configured differently, i'm not sure what model firewalls you are running.

when you establish the trust, if the DC can't resolve the other domain, then it won't work.  that is when you will have to look at dns/wins to get the name resolution working.  

so step 1: make sure VPN is operational (can ping lan ip)
step 2: try to create trust, if can't, work on dns and wins to get name resolution working (i mentioned some things to try in previous posts)
0

zuech Commented:
I agree with opie6373's steps above; however, without knowing the details on the firewall on the other side, ICMP traffic may be blocked. Something like ISA 2004 and newer blocks everything by default and then you have to open ports up, so ICMP can easily be missed. You already know 3389 is open so try remoting into the server with internal IP.  I just read where someone was troubleshooting a connection issue for a week and here only Telnet was open to the tunnel so they were able to connect the whole time but they thought it wasn't because they were trying to ping the server. Depending on your firewall you may also be able to verify the tunnel is up through that. Another thing to check is the Windows firewall on the 2003 server. I believe it is disabled by default so it shouldn't be an issue. Also some Anti Virus software has personal firewalls incorporated. I truly believe opie6373 has you going in the right direction so I would start with his suggestions and let us know what they produce.
0
Drummerx007 (Author) Commented:
I confirmed that the VPN is not properly connected.  I think everything is properly set, but it doesn't seem to want to connect.  It's a Watchguard Firebox 1000 or Firebox 3 so it's getting to be on the old side.  I will get back to you once I can get the VPN up and see what happens.
0
Drummerx007 (Author) Commented:
I'm currently still working with Watchguard and the company that's hosting our Exchange server to get the VPN tunnel back up and running.  Not sure why it's giving us an error, but I suppose that would be a separate issue if I can't get it going.  Thanks for your patience.
0
Drummerx007 (Author) Commented:
OK!  Finally!  I can guarantee that the VPN is working.  I see it up and running on our firewall and I can ping to the local IP address of the server at the remote location without the entry in the hosts file.

Now, when I try to map the drive on that remote machine, I still get the login dialog box even though the credentials are correct.

I tried establishing the trust again, but again it complains that meta is already the domain and that meta.com doesn't exist.  I will work on the DNS/WINS stuff now.
0
Drummerx007 (Author) Commented:
Ok, I was starting my quest to determine if the DNS/WINS might have something to do with it all.  And then I had a thought.  Since I can ping the server with the local IP, how about I try mapping it with the local IP instead of the external IP.  That seemed to work!  So, I guess problem is solved!  Thanks for the effort Opie and everyone else who chimed in, but I guess I'll give the points to Opie?
0
Drummerx007 (Author) Commented:
Thanks for the continued effort!  I guess it boiled down to the VPN, but I know I connected before without a VPN connection so that's why it bugged me so much!
0
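
Added example, not part of the thread and not written by any of the posters: zuech's point that ping alone can mislead, and the final step of mapping by LAN IP instead of the external IP, both come down to which TCP ports answer on which address. This Python script probes RDP and the file-sharing ports on the public and the tunnel-side address and names the layer to look at next; ports 445 and 139, the function names, the verdict labels and the sample results are assumptions chosen for illustration.

```python
import socket
import sys

# 3389 (RDP) is the port the thread mentions; 445 and 139 are the standard
# SMB and NetBIOS-session ports that a drive mapping uses (assumed here).
PORTS = {"rdp": 3389, "smb": 445, "netbios-ssn": 139}

def probe(host, port, timeout=3.0):
    """TCP connect test: 'open', 'closed' (refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, no route, host unreachable
        return "filtered"

def survey(host, timeout=3.0):
    """Probe every port in PORTS on one address."""
    return {name: probe(host, port, timeout) for name, port in PORTS.items()}

def smb_open(result):
    return "open" in (result.get("smb"), result.get("netbios-ssn"))

def diagnose(wan, lan):
    """Compare surveys of the public (wan) and tunnel-side (lan) addresses."""
    if smb_open(wan):
        return "auth-layer"             # transport works publicly: check credentials/trust
    if smb_open(lan):
        return "map-via-lan-ip"         # file sharing answers only through the tunnel
    if "open" in lan.values():
        return "smb-blocked-in-tunnel"  # tunnel routes; a policy or host firewall drops SMB
    if "open" in wan.values():
        return "tunnel-down"            # only published ports answer, nothing via LAN IP
    return "unreachable"

if __name__ == "__main__":
    if len(sys.argv) == 3:              # usage: script.py <public-ip> <lan-ip>
        wan, lan = survey(sys.argv[1]), survey(sys.argv[2])
    else:                               # constructed sample results, not real measurements
        wan = {"rdp": "open", "smb": "filtered", "netbios-ssn": "filtered"}
        lan = {"rdp": "open", "smb": "open", "netbios-ssn": "open"}
    print("public:", wan)
    print("tunnel:", lan)
    print("verdict:", diagnose(wan, lan))
```

An "auth-layer" verdict also means file sharing is reachable on the public address, which is worth restricting to the tunnel once the mapping works by LAN IP.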