asked on
External Domain Trust Relationship Problem - Cannot find DC?
Experts:
I just setup (for ease, I intend to restrict later) a two-way domain-wide trust relationship between our internal domain and a domain I just set up in our DMZ. The DMZ DC is running Server 2008 R2, the internal DC is 2003.
I've set up all the DNS entries as best I can, I can ping the FQDN of either domain from any place in either domain. BUT - here's the issue: when trying to grant permissions for a DMZ user in the internal domain or an internal user in the DMZ domain, I only seem to be able to do so on Windows 7 computers, but not on server operating systems (2000, 2003, 2008, or 2008 R2).
That is with the notable exception of the internal DC itself, which allows me to give DMZ users permissions to folders, etc., despite being 2003.
Any idea what is going on? Why can't I give DMZ users rights to internal resources and vice versa when I have such an open trust?
Final note: When trying to do such an operating on a Win2k server box, I get the following message: "No authority could be contacted for authentication." BUT, I can ping the DMZ domain's FQDN on it without issue.
Thanks,
Matt
I just setup (for ease, I intend to restrict later) a two-way domain-wide trust relationship between our internal domain and a domain I just set up in our DMZ. The DMZ DC is running Server 2008 R2, the internal DC is 2003.
I've set up all the DNS entries as best I can, I can ping the FQDN of either domain from any place in either domain. BUT - here's the issue: when trying to grant permissions for a DMZ user in the internal domain or an internal user in the DMZ domain, I only seem to be able to do so on Windows 7 computers, but not on server operating systems (2000, 2003, 2008, or 2008 R2).
That is with the notable exception of the internal DC itself, which allows me to give DMZ users permissions to folders, etc., despite being 2003.
Any idea what is going on? Why can't I give DMZ users rights to internal resources and vice versa when I have such an open trust?
Final note: When trying to do such an operating on a Win2k server box, I get the following message: "No authority could be contacted for authentication." BUT, I can ping the DMZ domain's FQDN on it without issue.
Thanks,
Matt
Active DirectoryWindows Server 2003Windows Server 2008
Last Comment
mhentrich
ASKER
In this situation, I am not trying to add anyone to groups, but rather grant someone permissions directly to a folder or share. Like I said, it works in some places and not others.
Pinging the domain names could work because of a host file entry of a single DNS zone entry.
It does not verify that the trust is working correctly.
Can you validate the trust between your domains by using AD Domains and Trusts?
A quick test to check if the trust is working is to access the domain by UNC path, i.e. from the run command enter \\<<remoteDomainName>>
You should see the netlogon and sysvol folder being displayed, if not then your trust is either not working or your server are being blocked from accessing that network.
So even firewall restrictions could be the reason why your DC apply permissions but not your other servers.
For the trust validation and user authentication, Windows 2000 would be looking for the server holding the PDC emulator role on the domain being referenced.
Check with the firewall adminstrators others check the following post.
http://support.microsoft.com/kb/179442
It does not verify that the trust is working correctly.
Can you validate the trust between your domains by using AD Domains and Trusts?
A quick test to check if the trust is working is to access the domain by UNC path, i.e. from the run command enter \\<<remoteDomainName>>
You should see the netlogon and sysvol folder being displayed, if not then your trust is either not working or your server are being blocked from accessing that network.
So even firewall restrictions could be the reason why your DC apply permissions but not your other servers.
For the trust validation and user authentication, Windows 2000 would be looking for the server holding the PDC emulator role on the domain being referenced.
Check with the firewall adminstrators others check the following post.
http://support.microsoft.com/kb/179442
ASKER
All,
Thanks, I've made a little headway but am having a different problem now. Maybe you can help with this? I'm going to make a new question for it anyways.
I've remade the trusts and they seem to be working fine - I can take a user from domain A and give them permissions to folders in domain B with no problem, and vice versa.
BUT - when I try to grant that person a login on SQL Server, no dice. I can see the domain, find the user, etc. but when I click OK to actually add the user, it responds with "Error 15401: Windows NT user or group '%s' not found. Check the name again. "
What's the deal with that? I've confirmed that I can resolve user names in Windows from across domains with no problem; why wouldn't SQL instances on those same servers be able to add these users?
Thanks,
Matt
Thanks, I've made a little headway but am having a different problem now. Maybe you can help with this? I'm going to make a new question for it anyways.
I've remade the trusts and they seem to be working fine - I can take a user from domain A and give them permissions to folders in domain B with no problem, and vice versa.
BUT - when I try to grant that person a login on SQL Server, no dice. I can see the domain, find the user, etc. but when I click OK to actually add the user, it responds with "Error 15401: Windows NT user or group '%s' not found. Check the name again. "
What's the deal with that? I've confirmed that I can resolve user names in Windows from across domains with no problem; why wouldn't SQL instances on those same servers be able to add these users?
Thanks,
Matt
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
This solved the problem, sorry I didn't come across it before starting the thread.
You should use Domain Local to assign cross domain permissions.