Need help with AD trusts

I have two Active Directory domains, fully independent (separate forests), external.com, and internal.lan. I would like to conveniently access files on external.com from my XP Professional workstation, which is a member of internal.lan, however, I don't want external.com to have access to internal.lan.

Next I create a 1-way outgoing trust on external.com, which it says will allow users from internal.lan to be authenticated on external.com. I indicate that I want it created on both ends, enter the administrator credentials for internal.net. The trust creation completes and confirms. In the Trusts tab of the properties display, I can see under Domains trusted by this domain (outgoing trusts):

Domain Name: internal.lan
Trust Type: External
Transitive: No.

Similarly, when logged into the domain controller for internal.lan, I see under "Domains that trust this domain (incoming trusts)":

Domain Name: external.com
Trust Type: External
Transitive: No.

However, when I'm logged into External.Com, I can see shared resources on machines in internal.lan (their share permissions specify domain users only, there are no permissions for External.com). Conversely, from internal.lan, I CAN'T see resources in external.com. So, the situation is the exact opposite from what I want, and what the system describes.

So, I create the opposite kind of trust: Incoming from external.com, outgoing from internal.lan. Now what happens is that I can access resources on the other machine from either end (i.e., it's what I would have expected if I had created a 2-way trust).

Any suggestions? I'm completely out of ideas.

Thanks,

Joe

Did you remove the previous trust you established that you spoke of earlier that Herb assisted you with? If not, you have two separate trusts, basically a two-way transitive trust.

Go to my web site and look at the NT4 -vs- AD trust. There are some links for troubleshooting trusts in the document.

http://www.pbbergs.com
Select the articles link

--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/
This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Befumo" <j**@befumo.com> wrote in message news:4409a7c0$0$26784$b9f67a60@news.newsdemon.com...
> I have two Active Directory domains, fully independent (separate forests),
> external.com, and internal.lan. I would like to conveniently access files
> on external.com from my XP Professional workstation, which is a member of
> internal.lan, however, I don't want external.com to have access to
> internal.lan.
>
> Next I create a 1-way outgoing trust on external.com, which it says will
> allow users from internal.lan to be authenticated on external.com. I
> indicate that I want it created on both ends, enter the administrator
> credentials for internal.net. The trust creation completes and confirms.
> In the Trusts tab of the properties display, I can see under Domains
> trusted by this domain (outgoing trusts):
>
> Domain Name: internal.lan
> Trust Type: External
> Transitive: No.
>
> Similarly, when logged into the domain controller for internal.lan, I see
> under "Domains that trust this domain (incoming trusts)":
>
> Domain Name: external.com
> Trust Type: External
> Transitive: No.
>
> However, when I'm logged into External.Com, I can see shared resources on
> machines in internal.lan (their share permissions specify domain users
> only, there are no permissions for External.com). Conversely, from
> internal.lan, I CAN'T see resources in external.com. So, the situation is
> the exact opposite from what I want, and what the system describes.
>
> So, I create the opposite kind of trust: Incoming from external.com,
> outgoing from internal.lan. Now what happens is that I can access
> resources on the other machine from either end (i.e., it's what I would
> have expected if I had created a 2-way trust).
>
> Any suggestions? I'm completely out of ideas.
>
> Thanks,
>
> Joe

Further details --
As far as I can see, external.com and internal.lan are both completely symmetrical. Settings on the share are exactly the same. I have a share on each, and each is set up to grant access only to administrators of their respective domains.

I have converted the 1-way trust to a 2-way (this is the first time I've done this--in the past I have first removed the existing trust, then added the new one). This time, when I rebooted, the behavior is as follows:

From internal.lan I try to access the share on external.com -- I can do so, however, I am asked for login information, and only given access when I log in as administrator.

From external.com to internal.lan, I am given access without the login prompt.

Again, what I'm looking for is for there to be no access of internal.lan from external.com, but to be able to access external.com (with or without a login) from internal.lan.

In addition, I ultimately want my web app on external.com to be able to access SQL Server on internal.lan, but I'm not even going to start thinking about that until I have the basic connectivity working properly.

Thanks again,

Joe

Sounds like the trust is the wrong way round. Delete all trusts and create a new one. You want to create an outgoing trust from external, as external needs to trust internal. Internal doesn't need to trust external; internal should be trusted by external.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Weird - that's the way I had it set up in the beginning & it had the exact opposite effect from what I wanted. When I set it up the other way, it behaved like a 2-way, and when I set up a 2-way, accessing External from Internal popped up a login dialog box, but accessing Internal from External just allowed access (which is what I would expect).

I double-checked all of my share permissions to make sure that neither side grants any access to the other at that level.

Joe

"Paul Williams [MVP]" <ptw2***@hotmail.com> wrote in message news:O1zU6cEQGHA.720@TK2MSFTNGP14.phx.gbl...
> Sounds like the trust is the wrong way round. Delete all trusts and
> create a new one. You want to create an outgoing trust from external, as
> external needs to trust internal. Internal doesn't need to trust external;
> internal should be trusted by external.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
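
The trust direction discussed in this thread can be checked from both sides rather than inferred from share access. The following is an added example, not part of any poster's message: it compares the direction each domain reports against the intended one-way layout (external.com trusts internal.lan). The function name Test-OneWayTrust and the QueriedDomain property are hypothetical, the sample records are constructed, and the commented live query assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example (not from the thread). Test-OneWayTrust and the QueriedDomain
# property are hypothetical names; the sample records below are constructed.
function Test-OneWayTrust {
    param(
        [Parameter(Mandatory)] [object[]] $TrustRecords,    # QueriedDomain, Name, Direction
        [Parameter(Mandatory)] [string]   $TrustingDomain,  # resource domain (external.com)
        [Parameter(Mandatory)] [string]   $TrustedDomain    # account domain (internal.lan)
    )
    # Direction each side should report for a one-way trust:
    # the trusting domain shows Outbound, the trusted domain shows Inbound.
    $expected = @(
        @{ Side = $TrustingDomain; Partner = $TrustedDomain;  Direction = 'Outbound' }
        @{ Side = $TrustedDomain;  Partner = $TrustingDomain; Direction = 'Inbound'  }
    )
    foreach ($want in $expected) {
        $rec = @($TrustRecords | Where-Object {
            $_.QueriedDomain -eq $want.Side -and $_.Name -eq $want.Partner
        })
        # No trust object on this side is reported as Missing.
        $actual = if ($rec.Count -gt 0) { [string]$rec[0].Direction } else { 'Missing' }
        [pscustomobject]@{
            QueriedDomain = $want.Side
            Partner       = $want.Partner
            Expected      = $want.Direction
            Actual        = $actual
            Ok            = ($actual -eq $want.Direction)
        }
    }
}

# Constructed sample: both sides modelled as BiDirectional, i.e. the state
# described after the second trust was added and access worked from either end.
$sample = @(
    [pscustomobject]@{ QueriedDomain = 'external.com'; Name = 'internal.lan'; Direction = 'BiDirectional' }
    [pscustomobject]@{ QueriedDomain = 'internal.lan'; Name = 'external.com'; Direction = 'BiDirectional' }
)
Test-OneWayTrust -TrustRecords $sample -TrustingDomain 'external.com' -TrustedDomain 'internal.lan' |
    Format-Table -AutoSize

# Live data instead of the sample (needs the ActiveDirectory module and read
# access to both domains):
# $live = foreach ($d in 'external.com', 'internal.lan') {
#     Get-ADTrust -Filter * -Server $d |
#         Select-Object @{ n = 'QueriedDomain'; e = { $d } }, Name, Direction
# }
# Test-OneWayTrust -TrustRecords $live -TrustingDomain 'external.com' -TrustedDomain 'internal.lan'
```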