Slight modification inline. ~Eric
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in any way ... it merely shows the same short name. This too can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself strictly speaking. When one presses the SAS in session 0 (this _only_ applies to session 0, no other session, as of win2k3 RTM anyway) we populate this list. That said, it does boil down to a query of netlogon of course (I don't recall if it asks the local netlogon who has already obtained the info from the upstream DCs netlogon or directly asks the DCs netlogon, it's been too long since I looked at this). Disclaimer: I really don't know much about winlogon architecture. I once had to debug this domain list population code and of course had to dip my toe in there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DCacheShowDomainTags"=dword:00000001
"DCacheShowDnsNames"=dword:00000001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ...
it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios yourself, it's a facility I've grown to cherish and couldn't possibly work without.

Hope the info. proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down list of trusted domains when you logon.
now don't yell at me, Dean, but is this true?
how does it generate that list when you join a domain?
there is just a lot of disinformation about netbios (is it a protocol? an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of their respective domains or conditional forwarding, all should be good for a trust just based on dns?

thanks

On 8/13/05, Dean Wells <[EMAIL PROTECTED]> wrote:
> As I said, it is indeed a common misunderstanding ... the fact that
> there's a related article published only lends weight to that point.
> It takes very little effort to test and it continues to surprise me
> when I hear of articles such as the one you've referenced (not that I
> read it since I have more than enough accurate material to plough
> through ;o)
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
> Sent: Saturday, August 13, 2005 12:19 PM
> To: ActiveDir@mail.activedir.org
> Cc: Send - AD mailing list
> Subject: Re: [ActiveDir] trust question
>
> Dean,
>
> Oh...I was under the impression that external trusts still used legacy
> name resolution.. Here's a common misunderstood article about it ;-)
> http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
>
> Cheers
> Mylo
>
> Dean Wells wrote:
>
> >I'm really not certain where this very common misunderstanding comes
> >from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
> >matter) requires NetBIOS in order to establish a trust. The locator
> >mechanisms employed to establish the trust are dependent exclusively
> >upon the ability to resolve the trust partner, a role which DNS is
> >more than able to fulfill.
> >This is true to say of external, cross-forest and realm trusts (as
> >far as I can recollect however, NT does impose a NetBIOS dependency).
> >
> >One of the most common reasons for trust creation failure is the
> >scenario where each domain uses an isolated DNS name resolution
> >hierarchy, enabling NetBIOS often appears to resolve this (no pun
> >intended) since broadcast, WINS or LMHOSTS mechanisms are triggered
> >and are typically more tolerant in these instances.
> >
> >--
> >Dean Wells
> >MSEtechnology
> >* Email: [EMAIL PROTECTED]
> >http://msetechnology.com
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
> >Sent: Saturday, August 13, 2005 9:46 AM
> >To: ActiveDir@mail.activedir.org
> >Subject: Re: [ActiveDir] trust question
> >
> >Tom,
> >
> >Had to do this a few months back in a 3-way love triangle between
> >NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that
> >NetBIOS has been deprecated... sooooo, yes.... you still need NetBIOS
> >for the trust creation process.... try creating the trust with NetBIOS (e.g.
> >LMHOSTS with 1xB and 1xC entries) enabled and then disable it and
> >validate the trust afterwards... It could be for the trust creation
> >only that it needs to be turned on..
> >Cheers
> >Mylo
> >
> >Tom Kern wrote:
> >
> >>I can't find a clear answer-
> >>when you form a trust between the root of a win2k3 forest and a
> >>child domain of a win2k forest, is netbios used at all?
> >>is this trust all done through dns?
> >>
> >>this is NOT a forest trust but an external trust.
> >>
> >>we are about to migrate to a new forest. the old forest has
> >>netbios/tcp turned off and so will the new forest.
> >>
> >>when an external trust is formed between a win2k3 and win2k domain,
> >>is wins/netbios needed?
> >>
> >>thanks
> >>List info : http://www.activedir.org/List.aspx
> >>List FAQ : http://www.activedir.org/ListFAQ.aspx
> >>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/