On Thu, Nov 13, 2008 at 9:31 AM, <[EMAIL PROTECTED]> wrote:
> Again, I think some of the snags (in addition to that last line) are
> because, although NYC has 4 Win2003 DCs, their functional level still
> shows as "Win2000". Our level is at Win2003 which NYC must change.

I've never tried it, but I'm not so sure functional levels need to match between domains for external trusts between AD domains. I say that mainly because I *have* created trusts between an AD domain and an NTLM domain, which are *very* different beasts, and that certainly worked fine. I wouldn't expect the trust mechanism to allow that, but then be pickier about AD<->AD trusts. Then again, I've seen stupider limitations.

> As to proper AD functionality w/SRV, DNS, etc, well, we gotta get the
> trust set up first.

That may not be possible. I think you need to have DNS working properly in order to establish the trust. AD uses DNS to find DCs. Without proper DNS, the one domain's DCs will not be able to find the other domain's DCs. If the DCs cannot talk, the trust isn't going to be very useful, even if you manage to create it.

I'm checking my usual sources (Minasi, Lowe-Norris, Crawford, Google), and I can't find anything that says AD trusts definitely will not work without proper DNS. But I do find lots of recommendations to have DNS working properly.

-- Ben
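The message above says that AD uses DNS to find DCs; the following check is an added example, not part of the original message, for confirming from a DC on one side that the other domain's DCs can be found and reached before a trust is attempted. The domain names are placeholders, and the script assumes a Windows version that ships the `Resolve-DnsName` and `Test-NetConnection` cmdlets.

```powershell
# Added example. Domain names are placeholders, not taken from the thread.
$Domains = 'nyc.example.com', 'hq.example.com'

function New-DcCheck($Domain, $DC, $Address, $Ldap, $Kerberos, $Problem) {
    [pscustomobject]@{ Domain = $Domain; DC = $DC; Address = $Address
                       Ldap389 = $Ldap; Kerberos88 = $Kerberos; Problem = $Problem }
}

function Test-DcLocatorDns {
    param([Parameter(Mandatory)][string]$Domain)

    # SRV name that lists the domain controllers of an AD domain.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        # Keep only SRV answers; the response can also carry A records.
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return New-DcCheck $Domain $null $null $false $false "SRV lookup failed: $($_.Exception.Message)"
    }
    if ($srv.Count -eq 0) {
        return New-DcCheck $Domain $null $null $false $false "No SRV records at $srvName"
    }

    foreach ($rec in $srv) {
        $dc = $rec.NameTarget
        # Each SRV target must itself resolve to an address.
        $addr = try {
            (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
        } catch { $null }
        if (-not $addr) {
            New-DcCheck $Domain $dc $null $false $false 'SRV target has no A record'
            continue
        }
        # DNS can be correct while the DCs still cannot talk: test LDAP and Kerberos ports.
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        $krb  = Test-NetConnection -ComputerName $dc -Port 88  -InformationLevel Quiet -WarningAction SilentlyContinue
        $problem = if ($ldap -and $krb) { $null } else { 'DC resolves but a port is unreachable' }
        New-DcCheck $Domain $dc $addr $ldap $krb $problem
    }
}

# Run on a DC in each domain; any row with a Problem value needs fixing first.
$Domains | ForEach-Object { Test-DcLocatorDns -Domain $_ } | Format-Table -AutoSize
```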
