Re: Assigning Security through W2k3 to W2k Trusted Domains

When I am in DomainA, I try to assign NTFS permissions on a folder located on
a member server. I want to add a user from DomainB.

Example:
On the file server running windows 2000 in DomainA (2003) I do the following:
Right-click on folder
select security tab
click location and select DomainB
I get the following error:
"Could not display objects from this location because of the following error:
No authority could be contacted for authentication. "

I can browse and assign NTFS security for a user/group from DomainB on all
windows 2003 servers and the one DC that is Windows2000 in DomainA. The issue
only seems to reside on Windows 2000 Member servers; two to be exact.

I can not browse the trusted domain to assign NTFS security.

Does that help? Any ideas?

Thanks,

DevGD

"Roger Abell [MVP]" wrote:

I cannot see how a member reboot would matter, but then I also
do not see what is the issue :-)
When you attempt to, say, add a user to a local group on the
W2k member, just what is it that you experience and refer to
as not being able to do it?.

"DevGD" <DevGD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6998644E-7FF0-4874-B0EE-F75CB03391AD@xxxxxxxxxxxxxxxx
Third time must be the charm. On DomainA (2003), I went to the w2k DC and
validated the trust for a third time. This time, after validating fine, it
allowed me to assign security on that domain controller. But I still can
not
assign security on member servers running windows 2000. Can you think of
anything else I can try? Would I have to reboot the member server?

Thanks,
DevGD

"Roger Abell [MVP]" wrote:

I named the specific ones, about 2/3s of which are not understood by
W2k and would not affect them. If you know that you have not altered
the settings then these are not it. However, if someone has these could
be involved (again, difficult to think through the asymmetry however) as
these control the ability to communicate for authentication/control.

"DevGD" <DevGD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7A318E3-201C-4FAF-97CC-1D87D7BD7FB9@xxxxxxxxxxxxxxxx
Could it really be a policy issue? One thing I failed to mention is
that
the
trust was orginally in place before the upgrade to 2003 domain on
domanA.
Assigning security worked before that upgrade and where the security is
assigned, before the upgrade, seems to still be working. I will double
check
that though. Is there something in particular in a security policy that
you
might this would be causing the issue? I am amazed that it works on the
w2k3
servers but not the w2k servers.

Thanks
DevGD

"Roger Abell [MVP]" wrote:

Hmmm . . . while I do not see how the following could account
to the observed asymmetry I would still check the effective group
policy settings in the Security Options part of Computer policies.
Specifically I would be looking at policies understood by W2k3
but not by W2k, and in particular I would be looking at the Domain
Member policies regarding secure channel signing and encryption,
and also at the Network client and server policies for digital signing
and the Network security policies for minimum session security for
NTLM SSP

"DevGD" <DevGD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6F48EF3F-F4C1-49BE-8856-50CD2507AE88@xxxxxxxxxxxxxxxx
Each domain has a DNS zone for the other trusted domain. The trust
can
be
validated and I can assign security on any pc or server on DomainB
from
DomainA. In DomainA(2003 domain), I can assign security on all pcs
and
server
except for servers or pcs running windows 2000.

Example:

I have a windows 2003 file server and a windows 2000 file server in
DomainA.
On the windows 2003 file server, I can assign all the security I
want
from
DomainB. But on the windows 2000 server I can not assign anything.

Does Windows 2000 browse or check authentication differently then
W2K3
or
XP?

Thanks

DevGD

"Roger Abell [MVP]" wrote:

Make sure that the DNS zones for all involved domains are
available for name resolution, such as by conditional forwarders
or zone transfers between the DNS servers supporting the two
forests.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"DevGD" <DevGD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BA74DE88-7770-4844-BB2D-D390A986C1B8@xxxxxxxxxxxxxxxx
Situation:
I have created a trust between two domains in two different
forests.
DomainA
is a mixed Windows 2003 domain. DomainB is native Windows 2000.
The
trust
can
be validated and seems to be working in every way. I have
validated
on
both
ends of the trust. There is no firewall blocking the servers.

Problem:
When I try to add access for a user or security group from
DomainB
to a
folder on a server running w2K on DomainA, I get the following
error:

"Could not display objects from this location because of the
following
error:
No authority could be contacted for authentication. "

I can do the same steps on a windows 2003 server and it browses
the
domain
and adds the security just fine.

Also, I can assign security on any server or PC on DomainB with
groups
or
users from DomainA. OS does not seem to matter.

Process I am using to assign security
Right-click on folder, select security tab, click location and
select
DomainB. This is when I get the error.

Please help.

Thanks
DevGD















.

Relevant Pages