Problem establishing/validating cross forest domain trusts

UncleCid (Member, Posts: 66)
I will try to put all the details that I can up.

First, the problem is that one side of a two-way trust works appropriately, while the reciprocal one does not. The two-way trust is established via server side from each domain, but I can only validate from one of them. Also, when I try to add "Domain Admins" to the builtin "Administrators" group, it works on both servers, but the domain that cannot validate will lose its user-friendly title within the builtin security group "Administrators" and only show the GUID, which I am guessing is from the unvalidating two-way trust. I also cannot access the opposite domain with the non-validating domain, because of access denied.

What has been done prior to this problem is establishment of two-way trusts on each domain that were "this domain only". I established conditional forwarding on each domain controller for the domain of the other server. The "Domain Admins" security group was placed in the builtin "Administrators" of the opposing domain. Also the SID filtering was removed on the trusts, from both ends, using "netdom trust (targeted-two-trust) /domain:(local-domain) /usero:administrator /passwordo:MSPress#1". Also two groups were made using "net localgroup "Pre-Windows 2000 Compatible Access" "anonymous logon" /add" and "net localgroup "Pre-Windows 2000 Compatible Access" everyone /add". Both domain functional levels are at Windows 2000 native.

The lab that I am completing is Lab 12, where pages 164-170 are where the problem is. Tyvm to anyone who has read this, and please let me know if there is anything I left out or you need to know about this situation. I will gladly post the information.
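As an added example (this is not code from the original post or from the lab being followed): a PowerShell check, run on a domain controller, that lists every trust the domain knows about, confirms that the conditional forwarder actually resolves the other domain's DC locator records, runs `netdom trust ... /verify` in the outbound direction, and flags any external trust on which SID filtering (quarantine) has been switched off, which is exactly the state the steps above leave the trusts in. It assumes the RSAT ActiveDirectory module and netdom.exe are available; no domain names are hard-coded, the local domain is read from `Get-ADDomain`.

```powershell
# Added example, not from the original post. Audit every trust of the local
# domain: DNS resolution of the partner, netdom verification, SID filtering state.
Import-Module ActiveDirectory

function Test-TrustHealth {
    param(
        # Defaults to the domain this DC belongs to; pass another domain if needed.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    foreach ($trust in Get-ADTrust -Filter * -Server $Domain) {
        $target = $trust.Target
        $report = [ordered]@{
            LocalDomain   = $Domain
            TrustedDomain = $target
            Direction     = $trust.Direction      # Inbound, Outbound or BiDirectional
            TrustType     = $trust.TrustType
            # On an external (non-intraforest) trust, SIDFilteringQuarantined = $false
            # means SIDs presented by the other domain are accepted unfiltered.
            SidFilteringOff = (-not $trust.IntraForest) -and (-not $trust.SIDFilteringQuarantined)
        }

        # The conditional forwarder must resolve the partner's DC locator SRV record,
        # otherwise the trust cannot be validated from this side.
        $srv = "_ldap._tcp.dc._msdcs.$target"
        try {
            $report.DnsResolves = [bool](Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop)
        } catch {
            $report.DnsResolves = $false
        }

        # Same check the GUI "Validate" button performs:
        #   netdom trust <trusting domain> /domain:<trusted domain> /verify
        $out = & netdom.exe trust $Domain /domain:$target /verify 2>&1
        $report.TrustVerified = ($LASTEXITCODE -eq 0)
        $report.NetdomOutput  = ($out | Out-String).Trim()

        [pscustomobject]$report
    }
}

Test-TrustHealth | Format-List
```

Run it on a domain controller in each of the two domains, since a trust that validates from one side only (the symptom described above) shows up as `TrustVerified = True` on one DC and `False` on the other; a `DnsResolves = False` on the failing side points at the conditional forwarder rather than at the trust itself. The `SidFilteringOff` column is there so that a trust left without SID filtering after the lab is visible at a glance and can be re-enabled once the exercise is done.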


  • UncleCid (Member, Posts: 66)

    I have changed "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AllowPasswordExport" to 1. Also there were two CurrentControlSets, so I changed them both. /shrug I did a reboot of both domain controllers.... now... well... it works. /facepalm

    Do you normally need to reboot to enable cross forests trusts on a domain controller?