<without any statement about the solutions 1 and 2 presented, either pro or
con>

3. Point the clients that belong to the AD domain at the AD DNS Servers and
have a secondary DNS server in the list for the OTHERCO stuff.

4. Have the users use local IDs and use RUNAS and NET USER /USER. The only
time this would really fall down, that I am aware of, is when managing Exchange
because it is stupid and requires the managing machine to be in the same
forest as the Exchange Org.

   joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, March 06, 2005 3:16 PM
To: 'Scott McIntosh '; '[EMAIL PROTECTED] ';
'[email protected] '
Cc: '[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] Traveling Users Unable to Authenticate to AD

Although it is not allowed (why?), there are two possibilities here as I can
see...
(1) On the UNIX zone MYCO.US.PARENT.COM delegate the underscore domains
beneath to the AD/DNS servers as separate zones. You'll need to do the same
for the AD/DNS servers. This is needed so that the UNIX servers as well as the
AD/DNS servers can find the underscore DNS domains. (Not that beautiful, but
it works.) You could also remove the MYCO.US.PARENT.COM zone on the AD/DNS
servers and leave the underscore DNS domains as zones. Caveat here (of the
latter issue) is you must also change the IP address of DNS servers on all
servers/clients that should be queried to the IP address of the UNIX
servers. Not recommended because these are overseas.
(2) On the UNIX servers remove the zone MYCO.US.PARENT.COM and delegate it
to the AD/DNS servers (I would prefer this one).

Hope this helps you.
Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Cc: [EMAIL PROTECTED]
Sent: 3/6/2005 6:52 PM
Subject: [ActiveDir] Traveling Users Unable to Authenticate to AD

Statement of Problem:
 
Laptop users from MYCO (on Active Directory) traveling to OTHERCO (on Novell
NDS but not AD) are unable to authenticate to MYCO.US.PARENT.COM Active
Directory.
 
Required Result:
 
To enable laptop users from MYCO traveling to OTHERCO to authenticate to
MYCO.US.PARENT.COM Active Directory, get their mapped drives, access to file
shares, etc. over the WAN.
 
Background Information:
 
Overseas parent company does not allow delegation/forwarding from/to their
UNIX BIND 9.2 DNS servers to W2k3 Active Directory DNS;
 
Parent company (not on Active Directory) is authoritative for DNS root
zone: PARENT.COM. Neither name server records nor SOA records are allowed to
be populated in any of the parent company-hosted DNS zones;
 
Parent company is also authoritative for the 1st-level DNS zone: US.PARENT.COM
(this zone is hosted overseas);
 
Our company's dual-authoritative AD-integrated and UNIX DNS zone:
MYCO.US.PARENT.COM (from parent company perspective the UNIX servers are
authoritative, from our company's internal client/server systems W2k3 DNS is
authoritative);
 
The W2k3 Active Directory DNS servers conditionally forward queries for
PARENT.COM and all child domains of PARENT.COM other than MYCO.US.PARENT.COM
to MYCO's UNIX BIND DNS servers. This has worked fine.
 
Affiliated, WAN-connected US company with Novell DNS zone
OTHERCO.US.PARENT.COM (unable to conditionally forward and not in budget to
perform necessary upgrade to OS to enable this feature);
 
Within a year, both the parent company and otherco will be migrated to a
globally-unified Active Directory implementation in a completely different
namespace so that this will cease to be a problem. But we cannot let the
problem persist for a year.
 
Discussion:
 
I believe the reason that laptop users from MYCO traveling to OTHERCO are
unable to authenticate to MYCO.US.PARENT.COM Active Directory is that the
OTHERCO DNS server sends packets to the US.PARENT.COM zone, which looks to
the UNIX BIND servers of MYCO.US.PARENT.COM for resolution; the UNIX BIND
servers have the "A" records for the W2k3 DC DNS servers but don't have the SRV
and LDAP records necessary to enable authentication to the MYCO DC's running
DNS.
 
Without spending a lot of $$ and without having to deploy an additional MYCO
DC/DNS server at otherco, we need a temporary workaround so that the
traveling users can authenticate.
 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
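The following script is an added example and is not code from anyone in the thread. It covers two things discussed above: Jorge's option (1), the BIND zone-file lines that delegate the four AD underscore subdomains of MYCO.US.PARENT.COM to the AD/DNS servers (with glue A records), and the "Discussion" hypothesis in the original post, which can be confirmed by querying the SRV records the Windows DC locator needs against the OTHERCO resolver and against the UNIX BIND servers. The host names dc1/dc2 and the 10.1.1.x addresses are assumptions, not values from the thread; dig must be installed for the live check.

```sh
#!/bin/sh
# Added example, not from the thread. Two pieces:
#  1. underscore_delegation: BIND zone-file lines (for the UNIX copy of
#     myco.us.parent.com) that delegate _msdcs, _sites, _tcp and _udp to the
#     AD/DNS servers, plus glue A records for those servers.
#  2. check_dc_locator: the SRV lookups a W2k3 client performs to find a DC,
#     run with dig against a chosen resolver, reporting which are missing.
# Host names and addresses are assumptions; substitute the real AD/DNS servers.

AD_DOMAIN="myco.us.parent.com"

# Emit delegation + glue records for the underscore subdomains.
# Arguments: "host=ip" pairs, one per AD/DNS server (short host name).
underscore_delegation() {
    for sub in _msdcs _sites _tcp _udp; do
        for pair in "$@"; do
            host=${pair%%=*}
            printf '%s.%s.\tIN\tNS\t%s.%s.\n' "$sub" "$AD_DOMAIN" "$host" "$AD_DOMAIN"
        done
    done
    for pair in "$@"; do
        host=${pair%%=*}
        ip=${pair#*=}
        printf '%s.%s.\tIN\tA\t%s\n' "$host" "$AD_DOMAIN" "$ip"
    done
}

# The SRV names the Windows DC locator resolves before it can authenticate.
dc_locator_names() {
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$AD_DOMAIN" \
        "_kerberos._tcp.dc._msdcs.$AD_DOMAIN" \
        "_ldap._tcp.$AD_DOMAIN" \
        "_kerberos._tcp.$AD_DOMAIN" \
        "_kpasswd._tcp.$AD_DOMAIN"
}

# Query each name against the given resolver; returns 1 if any is missing.
# Usage: check_dc_locator <resolver-ip>
check_dc_locator() {
    resolver=$1
    rc=0
    for name in $(dc_locator_names); do
        if answer=$(dig +short SRV "$name" "@$resolver") && [ -n "$answer" ]; then
            echo "OK      $name -> $answer"
        else
            echo "MISSING $name (resolver $resolver)"
            rc=1
        fi
    done
    return $rc
}

# Print the BIND fragment; run the live check only when a resolver is given,
# e.g. DNS_SERVER=<otherco-dns-ip> sh check_ad_dns.sh
underscore_delegation dc1=10.1.1.10 dc2=10.1.1.11
if [ -n "${DNS_SERVER:-}" ]; then
    check_dc_locator "$DNS_SERVER"
fi
```

Running the check from a laptop at OTHERCO against the OTHERCO resolver should show every name as MISSING if the hypothesis in the original post is right; the same check against one of the MYCO DC/DNS servers should show them all as OK. Jorge's note that the AD/DNS side must "do the same" means the four underscore names must also exist as separate zones on the Windows DNS servers so that both copies of the parent zone delegate identically; on Windows Server 2003 that is `dnscmd /ZoneAdd _msdcs.myco.us.parent.com /DsPrimary` (and likewise for _sites, _tcp, _udp), after which netlogon re-registers the SRV records into the new zones.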