Author
8 Mar 2006 9:50 PM
TagaR
I have a Windows 2000 server joined into the W2k3 AD1 forest in native mode.
I also have another W2K3 AD2 forest joined by two-way trust with AD1. When
sharing a folder in W2K server AD1, I can't seem to see AD2 in the dropdown
for me to select the users to assign permission. Is this because I'm in
native mode? How can I assign users from AD2?

Thanks
TagaR

Author
8 Mar 2006 10:47 PM
Danny Sanders
> Is this because I'm in
> native mode? How can I assign users from AD2?


Native mode has nothing to do with trusts.

Any errors in event viewer?

What happens when you do what?

hth
DDS W 2k MVP MCSE

"TagaR" <Ta***@discussions.microsoft.com> wrote in message
news:35C85F5E-BC6D-4BFC-B83D-62F647EC707C@microsoft.com...
>I have a Windows 2000 server joined into the W2k3 AD1 forest in native
>mode.
> I also have another W2K3 AD2 forest joined by two-way trust with AD1. When
> sharing a folder in W2K server AD1, I can't seem to see AD2 in the
> dropdown
> for me to select the users to assign permission. Is this because I'm in
> native mode? How can I assign users from AD2?
>
> Thanks
> TagaR
Author
9 Mar 2006 12:27 AM
TagaR
Danny,

1. I already have two-way trusts between my W2K3 AD1 and W2K3 AD2 working
fine.
2. In W2K3 AD1, I have a Windows 2000 file server where I want to share some
files to users in AD2. When I assign the share or security permission by
clicking Add, the "look in" dropdown does not list the AD2 domain.
3. In W2K3 AD1, I have a Windows 2003 server. Sharing files to AD2 users is
no problem.

There is no error. It's just that I can't see the users in AD2

I hope this is clearer.

Thanks
TagaR

"Danny Sanders" wrote:

>  Is this because I'm in
> > native mode? How can I assign users from AD2?
>
>
> Native mode has nothing to do with trusts.
>
> Any errors in event viewer?
>
> What happens when you do what?
>
> hth
> DDS W 2k MVP MCSE
>
> "TagaR" <Ta***@discussions.microsoft.com> wrote in message
> news:35C85F5E-BC6D-4BFC-B83D-62F647EC707C@microsoft.com...
> >I have a Windows 2000 server joined into the W2k3 AD1 forest in native
> >mode.
> > I also have another W2K3 AD2 forest joined by two-way trust with AD1. When
> > sharing a folder in W2K server AD1, I can't seem to see AD2 in the
> > dropdown
> > for me to select the users to assign permission. Is this because I'm in
> > native mode? How can I assign users from AD2?
> >
> > Thanks
> > TagaR
>
>
>
Author
9 Mar 2006 8:01 AM
Paul Williams [MVP]
If you can't see anything in the opposite domain, you probably have name
resolution problems.  If you simply can't see your groups, it is probably a
group scope issue, e.g. domain local groups in the source domain.

Please explain how your DNS (and WINS if you have it) is setup in both
forests.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Author
9 Mar 2006 4:30 PM
TagaR
Hi Paul,

My W2K3 AD1 server is a DNS server. My W2K3 AD2 is also a DNS server.
Two-way trusts were created between them. I created forwarding from each
server to point to the other for resolution. The servers are also WINS and
are replicating records between them. I don't have any problem pinging
netbios name or fqdn between these two domains.

One thing strange too. My Exchange 5.5 is on W2K server member of AD1. I
can't also share any files/folders to users in AD2. But, I can assign users
in AD2 to their mailboxes as additional permission.

Thanks
TagaR

"Paul Williams [MVP]" wrote:

> If you can't see anything in the opposite domain, you probably have name
> resolution problems.  If you simply can't see your groups, it is probably a
> group scope issue, e.g. domain local groups in the source domain.
>
> Please explain how your DNS (and WINS if you have it) is setup in both
> forests.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
Author
10 Mar 2006 8:28 AM
Paul Williams [MVP]
Check the trusts using the Verify button in DOMAIN.MSC.

When you open up the Security Windows on a folder of a member server in
domain-a and bring up the object picker can you see the domain as well as
entire organisation and your local domain?  Can you use the advanced button
and search for users in this domain?

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Author
11 Mar 2006 1:03 AM
TagaR
Looking in W2K member server, I can only see the Local Server, Entire
Directory, my domain.

Looking in W2k3 member server, I can see Local Server, Entire directory, my
domain and the trusted domain in question AD2.

Currently, I can share only files to AD2 domain users on my W2K3 file server
but not on W2K.

I have validated both incoming and outgoing forest trust and they validate
fine.

Thanks,
TagaR

"Paul Williams [MVP]" wrote:

> Check the trusts using the Verify button in DOMAIN.MSC.
>
> When you open up the Security Windows on a folder of a member server in
> domain-a and bring up the object picker can you see the domain as well as
> entire organisation and your local domain?  Can you use the advanced button
> and search for users in this domain?
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
Author
15 Mar 2006 8:30 AM
Paul Williams [MVP]
It sounds like the trust is one way only.  I'll take your word for it that
this isn't the case.  In which case, we need to test name resolution some
more.

Install the support tools and run the following:

nltest /dsgetdc:domain-name.com


Use both domain names.  Are both successful?

Note.  For more info. on the support tools, see:
-- http://www.msresource.net/content/view/53/46/

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Author
17 Mar 2006 2:09 AM
TagaR
Paul,

I ran both domains from each domain controller and the results are
successful as below;

           DC: \\AD2.domain2.local
      Address: \\x.x.x.x
     Dom Guid: a9a6ebd5-958a-4a3b-965c-c60e7760b547
     Dom Name: domain2.local
  Forest Name: domain2.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC
DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully

           DC: \\AD1.domain1.local
      Address: \\x.x.x.x
     Dom Guid: a3f75b0e-8a3c-4e78-924c-d5d3b4453b7c
     Dom Name: domain1.local
  Forest Name: domain1.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC
DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully

Thanks
TagaR

"Paul Williams [MVP]" wrote:

> It sounds like the trust is one way only.  I'll take your word for it that
> this isn't the case.  In which case, we need to test name resolution some
> more.
>
> Install the support tools and run the following:
>
> nltest /dsgetdc:domain-name.com
>
>
> Use both domain names.  Are both successful?
>
> Note.  For more info. on the support tools, see:
>  -- http://www.msresource.net/content/view/53/46/
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
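
Added example, not part of the original thread: a small Python parser for `nltest /dsgetdc:` output in the format posted above, so the "are both successful?" check can be repeated for each domain from each server and compared. The function names and the set of required flags are assumptions made for this example; the failure text is constructed.

```python
import re

# Assumption for this example: flags the located DC should advertise.
REQUIRED_FLAGS = {"DS", "LDAP", "KDC"}
SUCCESS_LINE = "The command completed successfully"
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_dsgetdc(text):
    """Parse `nltest /dsgetdc:` output; wrapped values are rejoined."""
    fields, last_key = {"ok": False}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FIELD_RE.match(line)
        if line.startswith(SUCCESS_LINE):
            fields["ok"] = True
        elif m:
            last_key = m.group(1).strip()
            fields[last_key] = m.group(2).strip()
        elif last_key:
            # Continuation of a wrapped value (e.g. a Flags line split by mail wrapping)
            fields[last_key] += " " + line
    fields["flags"] = set(fields.get("Flags", "").split())
    return fields

def check_locator(domain, text):
    """Return a list of problems; an empty list means the result looks sane."""
    r = parse_dsgetdc(text)
    if not r["ok"]:
        return ["nltest did not report success for " + domain]
    problems = []
    if r.get("Dom Name", "").lower() != domain.lower():
        problems.append("located DC is in %s, not %s" % (r.get("Dom Name"), domain))
    missing = REQUIRED_FLAGS - r["flags"]
    if missing:
        problems.append("DC lacks flags: " + ", ".join(sorted(missing)))
    return problems

# Trimmed sample in the format posted above, with the Flags value wrapped.
SAMPLE_OK = r"""
           DC: \\AD2.domain2.local
     Dom Name: domain2.local
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC
DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
"""
# Constructed failure text, for illustration only.
SAMPLE_FAIL = "Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"

if __name__ == "__main__":
    for dom, out in (("domain2.local", SAMPLE_OK), ("domain1.local", SAMPLE_FAIL)):
        print(dom, check_locator(dom, out) or "OK")
```

Running the same check on the Windows 2000 member server and on a domain controller, then comparing the two results, shows whether the locator behaves differently on the machine where the trusted domain is missing from the object picker.
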
Author
19 Mar 2006 11:40 AM
Paul Williams [MVP]
Name resolution seems fine.  Is there a firewall in the way?  Any ports
being blocked?  Does the trust verify?

I'm running out of ideas...

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Author
20 Mar 2006 8:50 PM
TagaR
Paul,

I also don't have any ideas because of the following results;

a. The forest trust can be verified and validated ok.
b. My Windows 2003 server can share files to the other forest users
c. My Windows 2000 server CAN'T share files to the other forest users because
the domain/forest is not listed in the look in dropdown.
d. My Exchange 5.5 server which is a Windows 2000 server CAN'T share files
just like above, however, I CAN assign the mailbox to the forest users.
The domain is listed in the dropdown box.
e. Pinging by netbios or fqdn from each side of the LAN to any client is OK.

The only difference between these two forests is that the AD2 is a Windows
2003 R2 server while the AD1 is Windows 2003 SP1 Server.

Thanks for all your replies.

TagaR


"Paul Williams [MVP]" wrote:

> Name resolution seems fine.  Is there a firewall in the way?  Any ports
> being blocked?  Does the trust verify?
>
> I'm running out of ideas...
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
Author
21 Mar 2006 8:56 PM
Paul Williams [MVP]
Strange.  I'm not seeing this issue.  I just configured some forest trusts
using different name resolution techniques (conditional forwarding one way;
stub zone the other) and can browse the trust and select principals from the
other domain for folder ACLs and group membership.

If I were you I would try resetting the trust password and re-resolving the
name suffix routing.  If that didn't help I'd be inclined to break the
trusts and recreate.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net