My school was recently federated, and as such I have been asked to give the teachers the ability to log on to both schools with the same username and password and with the same Home area and shared drives.
We are a Kent school and both schools are using the same Internet service provided by EIS. As such, the easiest and least expensive way to link the schools was to open up the ports between both schools. I am now able to remotely log on to their servers and vice versa.
This is where things get shaky. I thought the best way to give the teachers what they need was to set up domain trusts (which I have never done before) and then give them the option of which domain to log in to on the logon page. I believe I have set up the domain trusts OK. In my school's DNS I can see the federated school and vice versa. When you get to a logon screen here you have the option of which domain to log on to. So I chose the other school's domain and used a username and password from their domain, but when I do this I get the error message "The system cannot log you on now because the domain <DOMAIN NAME> is not available".
Could anyone point me in the right direction with this? I'm convinced that I'm either going about this whole thing the wrong way, or I've made some small error in the setup.
There needs to be a two-way trust between the domains (I seem to recall that Microsoft call it something else now, but that's effectively what it is).
Are the clients timing out over the internet link? May have to tweak group policy - wait for network to be available etc. Do you need to 'apportion' a section of the internet link between the two schools with QoS via a router maybe? You don't want connections dropping coz some teacher thinks that video streaming for 30 kids is a great idea.
Just a quick note: when you modify DNS, make sure the local DNS is still primary, then any external DNS for internet or another domain is secondary.
As for the error message "Unable to log you on because of account restrictions", this could be for a whole range of reasons. The security settings, such as password requirements, may differ from one site to the other. Another example is time restrictions, which can also prevent you from logging on.
I remoted in to the other school's forest root server. I wanted to check the trusts again so I went in to Active Directory Domains and Trusts. I right-clicked on the root of it and clicked Connect to Domain Controller. Typed in my own school's domain name and got:
"The configuration information describing this enterprise is not available. No authority could be contacted for authentication."
Yet when I log on to my own school's forest root and attempt to connect to the other school's DC in the same way, it works perfectly.
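
An added example, not part of the original thread: a PowerShell check for the two symptoms described above ("domain is not available" at logon, and one site unable to contact the other's domain controller). It tests whether a machine can find the other domain's DCs in DNS and reach them on the ports a cross-domain logon needs. The domain name `otherschool.example` is a placeholder assumption; run the script from a client or DC at each school, pointing at the other school's domain, and compare the two outputs.

```powershell
# Added example. $RemoteDomain is a placeholder, not a value from the thread.
param(
    [string]$RemoteDomain = 'otherschool.example'
)

# TCP ports a client or DC must reach on the remote DC for logon across a trust.
# (UDP and the dynamic RPC port range are not covered by this check.)
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }

# 1. Can this machine locate the remote domain's DCs through its own DNS server?
$srvName = "_ldap._tcp.dc._msdcs.$RemoteDomain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "No SRV records found for $srvName."
    Write-Warning "The local DNS server needs a forwarder or secondary zone for $RemoteDomain."
    return
}

# 2. Can it reach each DC that DNS returned on every required port?
$results = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $dc
            Port      = $port
            Service   = $ports[$port]
            Reachable = $ok
        }
    }
}
$results | Format-Table -AutoSize

# 3. Ask the Windows DC locator directly; this is the lookup the logon screen depends on.
nltest "/dsgetdc:$RemoteDomain"
```

If the site that fails shows missing SRV records or `Reachable = False` rows while the working site does not, the fault is in that direction's DNS or firewall rules rather than in the trust object itself.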