Forest to Forest problem

From: Don Woeltje (dwoeltje_at_sebh.org)
Date: 05/13/03


Date: Tue, 13 May 2003 07:40:06 -0700


I know that this isn't a Windows XP Security problem (it's
a Windows 2000 Security issue), but I couldn't post to the
Windows 2000 Security Newsgroup. I keep getting an error
back saying No such groups. So I'll have to post it here.

Hypothetical:

You have Forest A and Forest B. Both Forests are running
Mixed Mode because both have NT domain controllers. Then,
Forest B finally finishes upgrading all of its servers
(obviously, this includes the DCs) to Win2K. Forest B has
two domains: an "empty root" domain and a child domain
beneath the empty root (the child domain being the
equivalent of what used to be the old NT 4 domain). Forest
B switches its child domain from mixed mode to native
mode... but (for some inexplicable and unknown reason)
doesn't change its empty root domain from mixed mode to
native mode; maybe the consultants just forgot to do it.
Now, after this takes place, Forest B gets a request from
a user to be able to access resources in Forest A, which
is still in Mixed Mode. There are one-way trusts in both
directions between the two forests, each trusting and
trusted by the other. But the Admins in Forest A cannot
access any of the users or groups in Forest B (not even a
listing of those users and groups), so they cannot find
that person and add that person, from Forest B, into a
group in Forest A (so that this person in Forest B can
access resources in Forest A).

Forest B has the same problem; the Admins in Forest B
cannot browse any of the user or group resources in Forest
A in order to add those users or groups into groups in
Forest B.

My question is:

Would this be caused by the fact that the child domain for
Forest B was switched into Native Mode but Forest A is
still running in Mixed Mode? If not, what things could
likely be causing this problem?


