Re: [ActiveDir] Trust issue

[Tom Kern]

i'm gonna check but i'd swear a trust between a win2k and win2k3 dc uses only dns and NO netbios/wins.

i'm entering the fqdn in netdom.

 

i'm also using AD Domains and Trusts mmc.

there is no way this can be wins.

its win 2k.

 

i'm also in native mode and i have netbios/tcp disabled.

 

thanks

 

On 10/12/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

The way I understand it is that trusts between 2k3 and any downlevel domain is the same. 2k3 and 2k3 is different. Realize that what you put into the trusted/trusting domain (fqdn or shortname) makes a difference.

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, October 12, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Trust issue

 

Downlevel name resolution between a win2k native mode domain and a win2k3 domain?

 

How so?

it should all be dns according to MS.

am i mistaken?

 

is wins/netbios used in a trust between a win2k and win2k3 dc?

 

thanks

 

On 10/12/05, Brian Desmond < [EMAIL PROTECTED]> wrote:

Take a trace. I suspect you have downlevel name resolution to deal with.



Thanks,
Brian Desmond

<mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]



c - 312.731.3132





_____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust issue



I'm doing a win2k-win2k3 trust.

Logically and from what i've read from MS, I assume i only need the proper
dns set up.

Its my understanding that for trusts bet
win2k-win2k,win2k-win2k3,win2k3-win2k3, you don't need wins or netbios or
lmhosts.



of course when it comes to netbios, no one seems to have a definitive
answer, including MS.

Then some people say there is a disntinction between flat names like
"mydomain"(that you see in the drop down list in the GINA) and netbios
names.

but i never could understand that very specific distinction.



of course, i'm no expert and people whom i respect on this list seem to have
conflicting views on netbios and what it is(a api,a protocol,a network
driver?) and its place in modern win2k/2k3 networks, specifically as applies
to trusts.



but what this comes down to really, is i should get off my butt and run
ethereal on my test forests and see what i can see :)





thanks



P.S-  in the org i work for, we have netbios/tcp disabled in both forests
and no WINS(whatever that implies...)



-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Wed 10/12/2005 4:33 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Trust issue

Unless you're doing a 2k3 - 2k3 trust, you better plan on downlevel name
resolution. Personally, I rely on it for any trust. I have somewhere between
350 and 400 that I manage, and WINS is the only reliable thing I have out to
all my remote sites.



Thanks,
Brian Desmond

<mailto: [EMAIL PROTECTED]> [EMAIL PROTECTED]



c - 312.731.3132






_____


From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust issue



Nope.



also as an aside,what is pretty amusing(in a frustrating way) is MS was the
one that told me about the lmhost entries.

i remeber bringing this up on the list awhile ago and we all went back and
forth about wheter  netbios is involved in a external trust between win2k
and win2k3 and if it could be entirley done via dns.



i know MS was just grasping at straws to try to help me out but its just
amusing that no one can say without doubt or confusion wheter you need
netbios or not in this senario inculding the guys that sell the product.



only in the software industry, i guess...





-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Wed 10/12/2005 2:24 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Trust issue

DCOM range locked down on one end but not the other?



Thanks,
Brian Desmond

<mailto: [EMAIL PROTECTED]> [EMAIL PROTECTED]



c - 312.731.3132






_____


From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trust issue



nope.



-----Original Message-----
From: Brian Desmond [mailto: [EMAIL PROTECTED] ]
Sent: Wed 10/12/2005 1:46 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Trust issue

Is there a firewall between the two places? PDC emulators in particular?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, October 12, 2005 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust issue

I have an external 2 way trust between a child domain in a win2k3 forest
(win2k3 FFL) and a child domain in a win2k native mode forest.

I set up the trust thru netdom or the Domains and Trusts mmc and after a few

minutes it fails coming from the win2k side.
the win2k domain/dc stops trusting the win2k3 domain/dc but the win2k3 trust

stays up.

i have dns set up for forwarding on both sides for the respective
domains/dns servers.
i also have lmhosts entries on both dc's in the trust.

nothing is logged in the event logs are either dc.

is there anything else i should be looking at?
thanks alot
.+w?B+v*rz     Vryi??

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/