I think the last line says it all, and we'll do that next time. Again, I think some of the snags (in addition to that last line) are because, although NYC has 4 Win2003 DCs, their functional level still shows as "Win2000". Our level is at Win2003 which NYC must change.
As to proper AD functionality w/SRV, DNS, etc, well, we gotta get the trust set up first.

Thanks, this is great!
--------------------------------------
Richard McClary, Systems Administrator
ASPCA Knowledge Management
1717 S Philo Rd, Ste 36, Urbana, IL 61802
217-337-9761
http://www.aspca.org

"Ben Scott" <[EMAIL PROTECTED]> wrote on 11/13/2008 07:59:35 AM:

> On Thu, Nov 13, 2008 at 8:15 AM, <[EMAIL PROTECTED]> wrote:
> > We then did just as Microsoft (and you) said - the Properties tab of the
> > NYC domain's AD D&T tool.
>
> On my Win 2K servers, that's where I would go.
>
> Let's suppose you have domains <foo.example.com> and <bar.example.com>.
>
> 1. Log in to a computer on domain <foo.example.com> using an account
> with domain admin rights
> 2. Open Active Directory Domains and Trusts
> 3. Right-click the domain icon, choose "Properties"
> 4. "Trusts" tab. There are two lists: "Domains trusted by this
> domain" and "Domains that trust this domain".
> 5. Click "Add" for "trusted by"
> 6. Enter the domain name <bar.example.com>, and a password for the trust.
> 7. Repeat steps 5 and 6 for the "trust this" list
> 8. Repeat steps 1 through 7 on domain <bar.example.com>, targeting
> domain <foo.example.com>
>
> Don't enter the angle-brackets, if that isn't obvious. :)
>
> The trust password is just a shared secret unique to the trust, not
> a domain admin account password or anything else.
>
> > Whatever, though, should both domains have started off with a DNS A record
> > pointing to each other's domains?
>
> You will need DNS working for both domains in both domains for AD to
> work properly. However, I believe just adding an A record will not do
> it. All the docs say AD uses SRV records to locate DCs, and I've
> never seen anything that leads me to think otherwise.
>
> Your best bet is to make sure each domain can fully resolve all DNS
> records in the other domain. If the domains share a common parent
> domain, that can be done by making sure delegations (NS records) exist
> for each subdomain, and that those NS records are returned in each
> domain. However, that won't work if the domains are private and don't
> share their DNS infrastructure. If that's the case, and you're
> running Windows 2003 for DNS, you can configure your DNS servers for
> each one to forward queries for the specific domains to the DNS
> servers for the other domain.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
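
The DNS point in the quoted reply above, as an added example that is not part of the original messages: a pre-trust check that one domain's DNS view of the other contains the DC-locator SRV records and that each SRV target resolves, which a lone A record for the domain name does not satisfy. The function names, the `lookup` resolver hook and the sample records for bar.example.com are assumptions constructed for illustration; the SRV owner names are the standard ones domain controllers register.

```python
"""Pre-trust DNS check: can this domain locate the other domain's DCs?"""

# SRV owner names a Windows client queries to find domain controllers.
DC_LOCATOR_SRV = [
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
]

def check_dc_locator(domain, lookup):
    """Return a list of problems; an empty list means the DCs are locatable.

    `lookup(name, rtype)` is a hypothetical resolver hook returning a list of
    answers: (priority, weight, port, target) tuples for SRV, IP strings for A.
    """
    problems = []
    for template in DC_LOCATOR_SRV:
        name = template.format(d=domain)
        answers = lookup(name, "SRV")
        if not answers:
            problems.append(f"no SRV record for {name}")
            continue
        for _prio, _weight, port, target in answers:
            # An SRV answer is only usable if its target host resolves too.
            if not lookup(target.rstrip("."), "A"):
                problems.append(f"{name} -> {target}:{port} has no A record")
    return problems

def zone_lookup(records):
    """Build a lookup function over an in-memory record table (case-insensitive)."""
    table = {(n.lower(), t): v for (n, t), v in records.items()}
    return lambda name, rtype: table.get((name.lower(), rtype), [])

# Constructed sample data: what foo.example.com's DNS can see of bar.example.com.
DC = "dc1.bar.example.com"
A_ONLY = {("bar.example.com", "A"): ["192.0.2.10"]}  # the "just add an A record" case
FULL = {(t.format(d="bar.example.com"), "SRV"): [(0, 100, p, DC + ".")]
        for t, p in zip(DC_LOCATOR_SRV, (389, 88, 389, 389, 88))}
FULL[(DC, "A")] = ["192.0.2.10"]  # view after forwarding/delegation is in place

if __name__ == "__main__":
    for label, recs in (("A record only", A_ONLY), ("forwarded zone", FULL)):
        print(label, "->", check_dc_locator("bar.example.com", zone_lookup(recs)) or "OK")
```

To run it against live DNS, replace `zone_lookup(...)` with a function of the same shape that queries the local domain's DNS server.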