  1. #1 ajbritton

    Inter forest security

    Almost all the sites I support have two domains (admin & curriculum). Most of these sites also have two forests (admin & curriculum), but in newer installations, the domains are in the same forest (admin is the forest root domain and curriculum is an additional domain in the same forest). Where the domains are in the same forest there is an implicit trust relationship between the domains. Where the domains are in separate forests, explicit trust relationships have been created.

    I'm trying to use a Startup script to install SIMS on PCs connected to the curriculum domain. The Startup script runs the various SIMS installers which are hosted on a server on the admin domain. This seems to work fine on the single forest sites, but gives me 'access denied' on the dual-forest sites.

    It seems to come down to the Local System Account not being able to access anything outside the forest to which the PC belongs. I tested this using PsExec to launch a CMD session as the System account. On the single forest sites I could happily 'net view' resources in any domain. On the dual-forest sites I could only 'net view' resources in the same domain.

    Any ideas how I can make it work on the dual-domain sites?

  2. #2 ChrisH

    Re: Inter forest security

    You might wanna pop that type of question over to Mark Minasi's forum. www.minasi.com

  3. #3 ajbritton

    Re: Inter forest security

    Will do. Thanks ChrisH

  4. #4 Geoff

    Re: Inter forest security

    Are you sure the domains have been correctly set up in the forest? If they have, there should be an automatic two-way trust between the domains. Therefore things like net view should work.

  5. #5 ChrisH

    Re: Inter forest security

    He is looking for interforest info, not intraforest, which works as you have described.

  6. #6 Geoff

    Re: Inter forest security

    Ok, you need to create a trust between the two forests then. Here's a technet article.

    http://technet2.microsoft.com/Window....mspx?mfr=true

  7. #7 ajbritton

    Re: Inter forest security

    That looked promising, but it appears to be a Windows 2003 only thing. Most of our systems still involve at least one Windows 2000 domain.

  8. #8

    Re: Inter forest security

    You should be able to do a trust between a Windows 2000 domain and Windows 2003. I do recommend that on your Windows 2000 domain you raise the domain functional level to Windows 2000 native, i.e. no pre-Windows 2000 clients.

    This should allow you to manually configure the trust. I'm not sure if NetBIOS is required or if it's Kerberos based.

    What I would recommend is that you carry out a test using VMware first, i.e. install Windows 2003 Server with AD in a forest and another VM with a Windows 2000 domain in a completely new forest.

    I would also recommend that you create a secondary zone in Domain A (forest1) for the primary zone of domain B (forest2) and vice versa before configuring the trust.


    Ash.

  9. #9 ajbritton

    Re: Inter forest security

    I already have 2-way trusts between the domains and they appear to make no difference. I'm doing some testing now (I use Virtual PC btw).

  10. #10 ajbritton

    Re: Inter forest security

    I tried connecting two Windows 2003 forests with a 2 way forest trust and it still does not allow the system account to access resources on a domain outside the forest.

    Edit: I was wrong. It DOES work as long as I specify the server by FQDN. Unfortunately, I don't think that will help me with Win2K systems. Tests continuing!

  11. #11 Norphy

    Re: Inter forest security

    Sounds like a DNS issue then. Do you have stub zones or (waits for a telling off from Geoff) DNS forwarders to the other domain in each domain's DNS server?

    Adding the other domain's suffix to the domain search list might help too.

  12. #12 ajbritton

    Re: Inter forest security

    No, DNS is fine. Just to create the forest trust I had to make sure there was full name resolution across both domains. Each DNS server hosts the zone for the domain it is in and has a conditional forwarder for the DNS server in the other domain.
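As an added example, not code from anyone in the thread, here is a PowerShell preflight a startup script could run before launching the SIMS installers; the server name, share and log path are placeholders. It checks the points the thread settled on: the admin-domain server is referenced by FQDN rather than a short name, that FQDN resolves through DNS from the curriculum-domain PC, and Local System can actually reach the share across the forest trust, logging which step failed so 'access denied' can be told apart from a name-resolution problem.

```powershell
# Added example (not from the thread). Placeholder names: replace with the
# real admin-domain server, share and installer.
$ShareFqdn = '\\sims-srv.admin.example.local\SIMSInstall'   # FQDN, not \\SIMS-SRV
$Installer = 'setup.exe'
$LogFile   = "$env:SystemRoot\Temp\sims-startup.log"

function Write-Log([string]$Message) {
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. NT AUTHORITY\SYSTEM
    "$(Get-Date -Format s) [$env:COMPUTERNAME $who] $Message" |
        Out-File -FilePath $LogFile -Append
}

function Test-CrossForestShare([string]$UncPath) {
    $hostName = ($UncPath -split '\\')[2]

    # 1. Across a forest trust the server must be named by FQDN; a short
    #    (NetBIOS) name is not resolved in the other forest's namespace.
    if ($hostName -notmatch '\.') {
        Write-Log "Server '$hostName' is not an FQDN; use the fully qualified name"
        return $false
    }

    # 2. The FQDN must resolve via this domain's DNS (conditional forwarder,
    #    stub or secondary zone for the other forest's domain).
    try {
        [System.Net.Dns]::GetHostAddresses($hostName) | Out-Null
    } catch {
        Write-Log "DNS lookup failed for $hostName : $($_.Exception.Message)"
        return $false
    }

    # 3. The computer account (Local System) must authenticate over the trust
    #    and have read access to the share itself.
    if (-not (Test-Path -LiteralPath $UncPath)) {
        Write-Log "Cannot open $UncPath (access denied or share unreachable)"
        return $false
    }
    return $true
}

if (Test-CrossForestShare $ShareFqdn) {
    Write-Log "Preflight OK, launching $Installer"
    Start-Process -FilePath (Join-Path $ShareFqdn $Installer) -ArgumentList '/quiet' -Wait
} else {
    Write-Log "Preflight failed; installer not run"
    exit 1
}
```

Run it under the System account (PsExec -s, as in the first post) to reproduce the startup-script context before deploying it via Group Policy.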
