I just setup (for ease, I intend to restrict later) a two-way domain-wide trust relationship between our internal domain and a domain I just set up in our DMZ. The DMZ DC is running Server 2008 R2, the internal DC is 2003.
I've set up all the DNS entries as best I can, I can ping the FQDN of either domain from any place in either domain. BUT - here's the issue: when trying to grant permissions for a DMZ user in the internal domain or an internal user in the DMZ domain, I only seem to be able to do so on Windows 7 computers, but not on server operating systems (2000, 2003, 2008, or 2008 R2).
That is with the notable exception of the internal DC itself, which allows me to give DMZ users permissions to folders, etc., despite being 2003.
Any idea what is going on? Why can't I give DMZ users rights to internal resources and vice versa when I have such an open trust?
Final note: When trying to do such an operating on a Win2k server box, I get the following message: "No authority could be contacted for authentication." BUT, I can ping the DMZ domain's FQDN on it without issue.
You should use Domain Local to assign cross domain permissions.