12th December 2006, 09:47 PM #1 Inter forest security
Almost all the sites I support have two domains (admin & curriculum). Most of these sites also have two forests (admin & curriculum), but in newer installations, the domains are in the same forest (admin is the forest root domain and curriculum is an additional domain in the same forest). Where the domains are in the same forest there is an implicit trust relationship between the domains. Where the domains are in separate forests, explicit trust relationships have been created.
I'm trying to use a Startup script to install SIMS on PCs connected to the curriculum domain. The Startup script runs the various SIMS installers which are hosted on a server on the admin domain. This seems to work fine on the single forest sites, but gives me 'access denied' on the dual-forest sites.
It seems to come down to the Local System account not being able to access anything outside the forest to which the PC belongs. I tested this using PsExec to launch a CMD session as the System account. On the single-forest sites I could happily 'net view' resources in any domain. On the dual-forest sites I could only 'net view' resources in the same domain.
Any ideas how I can make it work on the dual-domain sites?
12th December 2006, 10:57 PM #2 Re: Inter forest security
You might want to post that type of question over on Mark Minasi's forum: www.minasi.com
-
-
13th December 2006, 10:49 AM #3 Re: Inter forest security
-
-
13th December 2006, 10:54 AM #4 Re: Inter forest security
Are you sure the domains have been correctly set up in the forest? If they have, there should be an automatic two-way trust between the domains, so things like net view should work.
-
-
13th December 2006, 11:12 AM #5 Re: Inter forest security
He is looking for inter-forest info, not intra-forest, which works as you have described.
-
-
13th December 2006, 11:19 AM #6 Re: Inter forest security
OK, you need to create a trust between the two forests then. Here's a TechNet article:
http://technet2.microsoft.com/Window....mspx?mfr=true
-
-
13th December 2006, 12:38 PM #7 Re: Inter forest security
That looked promising, but it appears to be a Windows 2003-only thing. Most of our systems still involve at least one Windows 2000 domain.
-
-
13th December 2006, 12:51 PM #8 Re: Inter forest security
You should be able to do a trust between a Windows 2000 domain and Windows 2003. I do recommend that on your Windows 2000 domain you raise the domain functional level to Windows 2000 native, i.e. no pre-Windows 2000 clients.
This should allow you to manually configure the trust. I'm not sure if NetBIOS is required or if it's Kerberos based.
What I would recommend is that you carry out a test using VMware first, i.e. install Windows 2003 Server with AD in a forest and another VM with a Windows 2000 domain in a completely new forest.
I would also recommend that you create a secondary zone in Domain A (forest 1) for the primary zone of Domain B (forest 2) and vice versa before configuring the trust.
Ash.
-
-
13th December 2006, 12:54 PM #9 Re: Inter forest security
I already have two-way trusts between the domains and they appear to make no difference. I'm doing some testing now (I use Virtual PC, by the way).
-
-
13th December 2006, 02:58 PM #10 Re: Inter forest security
I tried connecting two Windows 2003 forests with a two-way forest trust and it still does not allow the System account to access resources on a domain outside the forest.
Edit: I was wrong. It DOES work as long as I specify the server by FQDN. Unfortunately, I don't think that will help me with Win2K systems. Tests continuing!
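The FQDN finding above is the security-relevant point of the thread: across a forest trust the client's KDC routes a service-ticket request to the other forest by the DNS suffix of the target name (cifs/server.admin.example.local), so a bare NetBIOS name gives it nothing to route on and the computer account ends up with no usable credential for the share. The startup script below is an added example, not the original poster's script or anything from SIMS; it runs as Local System, resolves the installer server by FQDN, explicitly requests a Kerberos service ticket for the file server before touching the share, and logs each step so an 'access denied' can be traced to DNS, the trust, or the share ACL. The server name, share name, installer name, the /quiet switch and the log path are all assumptions. It uses klist.exe get, which exists on Windows 7 / Server 2008 R2 and later, so it is not usable on the Win2K clients mentioned in the thread.

```powershell
# Added example, not from the original thread. Startup script run as Local System on a
# PC in the curriculum forest, pulling installers from a server in the admin forest.
# Assumed names: server 'simsapp.admin.example.local', share 'SIMS$', installer 'setup.exe'.

$ServerFqdn = 'simsapp.admin.example.local'   # always the FQDN, never the NetBIOS name
$SharePath  = "\\$ServerFqdn\SIMS$"           # assumption: share name
$Installer  = Join-Path $SharePath 'setup.exe' # assumption: installer name
$LogFile    = Join-Path $env:SystemRoot 'Temp\sims-startup.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding ascii
}

# 1. The other forest's DNS suffix must resolve from this PC; without that the KDC
#    cannot route the ticket request to the admin forest.
try {
    $ip = ([System.Net.Dns]::GetHostAddresses($ServerFqdn) | Select-Object -First 1).IPAddressToString
    Write-Log "Resolved $ServerFqdn to $ip"
} catch {
    Write-Log "DNS resolution failed for $ServerFqdn : $_"
    exit 1
}

# 2. Ask for a service ticket for the file server up front. Running as Local System this
#    uses the computer account. A failure here points at the trust or cross-forest DNS,
#    and the share access in step 3 would fail for the same reason.
$ticket = & klist.exe get "cifs/$ServerFqdn" 2>&1
Write-Log ("klist: " + ($ticket -join ' | '))
if ($LASTEXITCODE -ne 0) {
    Write-Log "No Kerberos ticket for cifs/$ServerFqdn (exit $LASTEXITCODE)"
    exit 1
}

# 3. Touch the share by FQDN only.
if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Log "Cannot reach $Installer (access denied or not found)"
    exit 1
}

# 4. Run the installer and hand its exit code back to the startup-script runner.
$proc = Start-Process -FilePath $Installer -ArgumentList '/quiet' -Wait -PassThru
Write-Log "Installer exit code: $($proc.ExitCode)"
exit $proc.ExitCode
```

To reproduce the poster's PsExec test against this script, run `psexec -s -i powershell.exe` on a curriculum-domain PC and compare `klist get cifs/SERVER` (NetBIOS form) with `klist get cifs/server.admin.example.local`: only the second should return a ticket across a forest trust.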
-
-
13th December 2006, 03:17 PM #11 Re: Inter forest security
Sounds like a DNS issue then. Do you have stub zones or (waits for a telling off from Geoff) DNS forwarders to the other domain on each domain's DNS server?
Adding the other domain's suffix to the domain search list might help too.
-
-
13th December 2006, 03:19 PM #12 Re: Inter forest security
No, DNS is fine. Just to create the forest trust I had to make sure there was full name resolution across both domains. Each DNS server hosts the zone for the domain it is in and has a conditional forwarder for the DNS server in the other domain.
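Posts #8 and #12 describe the DNS prerequisite for the trust (secondary zone or conditional forwarder for the other forest's zone) without showing how to check it from a DC. The script below is an added example, not from the thread; it creates the conditional forwarder with dnscmd (present on Windows Server DNS servers since 2003) if it is missing, then verifies the SRV records a client needs to find the other forest's domain controllers and KDCs, and finally checks the trust and secure channel with nltest. Domain names and the remote DNS address are assumptions; run it once in each forest with the roles swapped.

```powershell
# Added example, not from the original thread. Run on a DNS server / DC in one forest.
# Assumed names: local forest 'curric.example.local', remote forest 'admin.example.local'
# whose DNS server is 10.1.0.10. Swap the values and run again in the other forest.

$RemoteDomain = 'admin.example.local'   # assumption
$RemoteDns    = '10.1.0.10'             # assumption

# 1. Conditional forwarder for the other forest's zone (dnscmd /ZoneAdd ... /Forwarder).
$zones = (& dnscmd.exe /EnumZones 2>&1) -join "`n"
if ($zones -notmatch [regex]::Escape($RemoteDomain)) {
    Write-Host "Adding conditional forwarder for $RemoteDomain -> $RemoteDns"
    & dnscmd.exe /ZoneAdd $RemoteDomain /Forwarder $RemoteDns
} else {
    Write-Host "Zone or forwarder for $RemoteDomain already present"
}

# 2. Records a client must resolve to locate the remote forest's DCs (LDAP) and KDCs (Kerberos).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteDomain",
    "_kerberos._tcp.dc._msdcs.$RemoteDomain"
)
$allOk = $true
foreach ($name in $srvNames) {
    $out = & nslookup.exe -type=SRV $name 2>&1
    if ($out -match 'svr hostname') {
        Write-Host "OK   $name"
    } else {
        $allOk = $false
        Write-Host "FAIL $name"
        $out | ForEach-Object { Write-Host "     $_" }
    }
}
if (-not $allOk) {
    Write-Host "Fix name resolution before creating or testing the trust."
    exit 1
}

# 3. Trust inventory and secure channel to the remote domain.
& nltest.exe /domain_trusts /all_trusts
& nltest.exe /sc_verify:$RemoteDomain
```

If step 2 passes in both forests but a Local System startup script still gets 'access denied', the remaining suspects are the script using a NetBIOS name instead of the FQDN, and the share or NTFS ACL not granting the remote forest's computer accounts (or Domain Computers group) read access.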