AD forest trust

mikedisd2
I'm trying to establish a forest trust between 2x domains running on Win2003. The functional level is 2000 mixed and the Wizard keeps returning the message "the name you specified is not a valid Windows domain name."

I believe the networking side has been completed and I've added an entry into the Hosts file. Conditional forwarding has been configured and names are resolving.

Is the functional level causing this issue? A search indicates that this needs to be at 2003 level. Can I use a Realm trust instead?

Comments

  • Hyper-Me
    A realm trust is for UNIX to Windows trust.

    What are your domain names?

    It almost sounds like you are using a single label name for one of your domains.
  • Zartanasaurus
    Need to set the forest functional level to 2003.
  • HeroPsycho
    Both forests must be Windows 2003 functional level before you can create forest trusts:

    Checklist: Creating a forest trust: Active Directory
  • blargoe
    You could just do a domain trust though.
  • mikedisd2
    HeroPsycho wrote: »
    Both forests must be Windows 2003 functional level before you can create forest trusts:

    Checklist: Creating a forest trust: Active Directory

    I saw this one too; I'm finding mixed messages on this. Trusts existed before 03 though.

    Because it's mixed mode I wondered if the Realm option is the way to go, although it's mainly used for UNIX boxes as Hyper-Me said.

    Domains are abc.local and xyz.local. As mentioned they can ping and resolve via HOSTS entries.

    As it's a government department and I'm a contractor I don't think raising the functional level is an option.
  • snadam
    mikedisd2 wrote: »
    I saw this one too; I'm finding mixed messages on this. Trusts existed before 03 though.

    Because it's mixed mode I wondered if the Realm option is the way to go, although it's mainly used for UNIX boxes as Hyper-Me said.

    Domains are abc.local and xyz.local. As mentioned they can ping and resolve via HOSTS entries.

    As it's a government department and I'm a contractor I don't think raising the functional level is an option.

    Ideally, you could create an external trust as opposed to a realm trust.

    I believe Forest-level trusts weren't doable until server 2003. Either way your FFL needs to be 2003 in both forests to create a forest trust.
  • mikedisd2
    snadam wrote: »
    Ideally, you could create an external trust as opposed to a realm trust.

    I believe Forest-level trusts weren't doable until server 2003. Either way your FFL needs to be 2003 in both forests to create a forest trust.

    Thanks Snadam, am checking out other trust types now.

    My 70-294 exam was only about a year ago. Use it or lose it, I guess.

    EDIT: External trusts seem to only be for connecting to NT4 or older. The New Trust Wizard only gives the choice of Realm trust or Trust with a Windows domain.
  • snadam
    mikedisd2 wrote: »
    Thanks Snadam, am checking out other trust types now.

    My 70-294 exam was only about a year ago. Use it or lose it, I guess.

    EDIT: External trusts seem to only be for connecting to NT4 or older. The New Trust Wizard only gives the choice of Realm trust or Trust with a Windows domain.

    I read the same article. I think it's trying to say IF you delete an external trust between server 2003 and NT, then delete it from the 2003 DC. External trusts are typically used for domains outside the forest, or NT domains.

    Question: Does this trust have to be transitive, or do you just want one domain in one forest trusting another domain in another forest? I forgot that external trusts are non-transitive.
  • mikedisd2
    I don't think the transitive state is a concern; it's just a 2-way trust to allow for specific access in an ILM configuration.

    Just had word that the company is going to bring in a technical architect to manage my project. Which is what they should have done in the first place. I'm still just a doer not a designer, unless you ask my ego.

    Thanks for all the help, it gives me a much better acumen when explaining all this tomorrow.