RE: [ActiveDir] trust question
Attach a debugger to it? I'm happy to review the source, but thanks though ... anyway, I wouldn't want to steal your weekend from you ;o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 8:42 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

If you want to validate when this code path is fired, set a breakpoint on DCacheWriteDomainsToCache and see when it fires. It might be easiest to use image file execution options to do this and put every winlogon that fires up under ntsd, or you can do it on the kd side, whatever you find easiest.

~Eric
Re: [ActiveDir] trust question
Dean,

You mention the VM sandpit and that lit a bulb... was doing testing with Forest trusts some days ago and had to do an outgoing trust between 2k3 and 2k3 forest using stub zones ... no NetBIOS in site... nowhere.. none..none..none

It's amazing how ingrained these misconceptions become. I'll have harsh words with my memory retention department :-)

Thanks for the info.

Mylo

Dean Wells wrote:

My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in any way ... it merely shows the same short name. This too can be changed using the following registry entries -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ... it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios yourself, it's a facility I've grown to cherish and couldn't possibly work without.

Hope the info proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

I heard somewhere that Windows 2k uses NetBIOS to generate the drop down list of trusted domains when you logon. Now don't yell at me, Dean, but is this true? How does it generate that list when you join a domain?

There is just a lot of disinformation about NetBIOS (is it a protocol? an API? A network driver?) and its role in Windows today.

From what you're saying, as long as each DNS server has secondary zones of their respective domains or conditional forwarding, all should be good for a trust just based on DNS?

Thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:

As I said, it is indeed a common misunderstanding ... the fact that there's a related article published only lends weight to that point. It takes very little effort to test and it continues to surprise me when I hear of articles such as the one you've referenced (not that I read it since I have more than enough accurate material to plough through ;o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] trust question

Dean,

Oh... I was under the impression that external trusts still used legacy name resolution.. Here's a common misunderstood article about it ;-)

http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html

Cheers
Mylo

Dean Wells wrote:

I'm really not certain where this very common misunderstanding comes from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter) requires NetBIOS in order to establish a trust. The locator mechanisms employed to establish the trust are dependent exclusively upon the ability to resolve the trust partner, a role which DNS is more than able to fulfill. This is true to say of external, cross-forest and realm trusts (as far as I can recollect however, NT does impose a NetBIOS dependency).

One of the most common reasons for trust creation failure is the scenario where each domain uses an isolated DNS name resolution hierarchy, enabling NetBIOS often appears to resolve this (no pun intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has been deprecated... so, yes you still need NetBIOS for the trust
RE: [ActiveDir] trust question
Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: Tom Kern
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

I guess my question is, how/where does the netlogon service get it from? DNS SRV records?

** A client could not ask DNS such a question without prior knowledge of its domain suffix.

To me, netlogon just refers to a secure encrypted channel between 2 hosts. To send a hashed password or register DNS records of a DC. Or create a trust between a domain member and a DC or two domains.

** NETLOGON is many things; typically it is a share and a service. The service performs many functions (many of which you've mentioned), the creation of authenticated, secure channels is one of them. Try stopping it and see what happens.

How does the netlogon service get a list of every domain in the forest when you join a domain with a client?

** The client simply asks the DC representing the domain it is joining.

In NT and 2003. The source must be different depending on the OS - NT or 2000/2003.

** Windows NT and Active Directory are radically different technologies, the source of that information is likely very different but since I don't recollect the mechanisms used by Windows NT, I can't comment with any certainty.

Also, flat names or samAccount names when it comes to Domains, to me, always has been a synonym for NetBIOS.

** Correct, since NetBIOS is being phased out but the concept of a short-name isn't, the newer name applies.

I understand that a single HOST name can be part of a bigger DNS name space and Windows will try and append the suffixes, but a Windows domain name with no suffix, can only be a NetBIOS name to me.

** That's not correct, it would be a single labeled (not recommended) DNS name whose NetBIOS name may or may not be the same. The number of labels in a name do not tell Windows whether it is a DNS name or a NetBIOS name, we define that during the install. Windows maintains fewer and fewer NetBIOS dependencies through each successive version but the short/flat name is not going away in the foreseeable future.

Otherwise that would be like yahoo being the same as the Yahoo.com domain. It would be useless.

** I don't understand your point.

Or it could just be me. I'm not the brightest bulb. I came from a Novell background (please don't hold it against me)

** I don't, my background is deeply rooted in Novell.

and I still can't get over it when I see in AD something like cn=schema,cn=configuration,dc=domain,dc=root. I always think, how can a leaf object be inside another leaf object and if it's not a leaf why would you use cn prefix and not ou.

** cn doesn't necessarily indicate a leaf object, it expresses common name. Novell's implementation was exactly that, their implementation, Microsoft's is different. The attribute prefix is controlled by the 'RDN attribute identifier' and can be any property enforced upon an object (standards dictate that it can even be multi-valued ... not supported here BTW). I could (and have), for example, forced an OU to use CN instead ... my point is, the attribute prefix is configurable and does not indicate whether the object in question can or cannot contain anything, that is something typically inferred by those coming from an NDS background.

Maybe I'm thinking DNS domains when I should be thinking Windows domains or vice versa. Or maybe a Domain has become so overused, I don't know what it is

** I couldn't agree more; the term domain is ambiguous without specific context.

anymore - a Windows area of management, a DNS name space, a naming context to be replicated, a MS form of Kerberos Realm? I'm just confused.

Sorry Dean, ignore me. To be honest, I don't know enough about anything network related to be arguing with you or the likes of anyone on this list.

** I wasn't aware we were arguing, I thought I was assisting with your questions/misconceptions.

Heck, I'm an English Lit major. I haven't even taken Comp Sci so I guess I'm just too dense to see the difference between NetBIOS the protocol, NetBIOS the name, and flat names and DNS names. My apologies. Please don't hold it against this dim bulb who is clearly out of his depth here.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: RE: [ActiveDir] trust question
I suspect that it comes from all of the external trusts that people have established with existing NT4 environments and not changing their tactics because the LMHosts and NetBIOS things work with NT4. First shot on Win2k to Win2k3 - fire up LMHosts and get it working. Yes - DNS will work, but as I said in my post earlier this week, sometimes the familiar and simpler methods make sense when you have 5 million other problems that are quite large.

However, DNS or WINS (there, joe... happy? :) is the preferred method, without question as it provides a much more 'universal' mechanism for name resolution between the two entities once in place.

Rick

From: Dean Wells [EMAIL PROTECTED]
Date: 2005/08/13 Sat AM 11:32:26 EDT
To: Send - AD mailing list [EMAIL PROTECTED]
Subject: RE: [ActiveDir] trust question

I'm really not certain where this very common misunderstanding comes from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter) requires NetBIOS in order to establish a trust. The locator mechanisms employed to establish the trust are dependent exclusively upon the ability to resolve the trust partner, a role which DNS is more than able to fulfill. This is true to say of external, cross-forest and realm trusts (as far as I can recollect however, NT does impose a NetBIOS dependency).

One of the most common reasons for trust creation failure is the scenario where each domain uses an isolated DNS name resolution hierarchy, enabling NetBIOS often appears to resolve this (no pun intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] trust question
Slight modification inline.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in any way ... it merely shows the same short name. This too can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself strictly speaking. When one presses the SAS in session 0 (this _only_ applies to session 0, no other session, as of win2k3 RTM anyway) we populate this list. That said, it does boil down to a query of netlogon of course (I don't recall if it asks the local netlogon who has already obtained the info from the upstream DC's netlogon or directly asks the DC's netlogon, it's been too long since I looked at this). Disclaimer: I really don't know much about winlogon architecture. I once had to debug this domain list population code and of course had to dip my toe in there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ... it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios yourself, it's a facility I've grown to cherish and couldn't possibly work without.

Hope the info proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] trust question
Hmmm, I understand the distinction you're making Eric but don't recollect it being the case, I'll take a look at the source again and see if I can't solidify this. Thanks for the input.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 1:08 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Slight modification inline.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in any way ... it merely shows the same short name. This too can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself strictly speaking. When one presses the SAS in session 0 (this _only_ applies to session 0, no other session, as of win2k3 RTM anyway) we populate this list. That said, it does boil down to a query of netlogon of course (I don't recall if it asks the local netlogon who has already obtained the info from the upstream DC's netlogon or directly asks the DC's netlogon, it's been too long since I looked at this). Disclaimer: I really don't know much about winlogon architecture. I once had to debug this domain list population code and of course had to dip my toe in there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ... it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios yourself, it's a facility I've grown to cherish and couldn't possibly work without.

Hope the info proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] trust question
If you want to validate when this code path is fired, set a breakpoint on DCacheWriteDomainsToCache and see when it fires. It might be easiest to use image file execution options to do this and put every winlogon that fires up under ntsd, or you can do it on the kd side, whatever you find easiest.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, August 14, 2005 10:31 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Hmmm, I understand the distinction you're making Eric but don't recollect it being the case, I'll take a look at the source again and see if I can't solidify this. Thanks for the input.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
Re: [ActiveDir] trust question
Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has been deprecated... so, yes, you still need NetBIOS for the trust creation process. Try creating the trust with NetBIOS (e.g. LMHOSTS with 1xB and 1xC entries) enabled and then disable it and validate the trust afterwards... It could be for the trust creation only that it needs to be turned on..

Cheers
Mylo

Tom Kern wrote:
I can't find a clear answer: when you form a trust between the root of a win2k3 forest and a child domain of a win2k forest, is NetBIOS used at all? Is this trust all done through DNS? This is NOT a forest trust but an external trust. We are about to migrate to a new forest. The old forest has NetBIOS/TCP turned off and so will the new forest. When an external trust is formed between a win2k3 and win2k domain, is WINS/NetBIOS needed?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] trust question
I'm really not certain where this very common misunderstanding comes from; neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter) requires NetBIOS in order to establish a trust. The locator mechanisms employed to establish the trust are dependent exclusively upon the ability to resolve the trust partner, a role which DNS is more than able to fulfill. This is true to say of external, cross-forest and realm trusts (as far as I can recollect, however, NT does impose a NetBIOS dependency).

One of the most common reasons for trust creation failure is the scenario where each domain uses an isolated DNS name resolution hierarchy; enabling NetBIOS often appears to resolve this (no pun intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has been deprecated... so, yes, you still need NetBIOS for the trust creation process. Try creating the trust with NetBIOS (e.g. LMHOSTS with 1xB and 1xC entries) enabled and then disable it and validate the trust afterwards... It could be for the trust creation only that it needs to be turned on..

Cheers
Mylo
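Dean's point is testable before anyone touches the trust wizard: if the DC locator can find the partner domain through DNS alone, NetBIOS is not what the trust needs, and if it cannot, the fix belongs in the DNS hierarchy. The check below is an added example, not code from this thread or from Microsoft; the domain name and DNS server address are placeholders, and it assumes the DnsClient module (Resolve-DnsName) and nltest.exe are present on the DC you run it from.

```powershell
# Added example (not from the thread). Confirms, from one side of a planned trust, that
# the partner domain is locatable through DNS alone. Run it on a DC in each domain,
# pointing at that domain's own DNS server and naming the other domain.
# 'child.oldforest.example' and '10.0.0.10' are placeholders.
function Test-TrustPartnerDnsLocator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PartnerDnsDomain,
        [string[]] $DnsServer,     # resolver(s) to ask; omitted = this host's configured DNS
        [switch]   $RunLocator     # also drive the real DC locator via nltest.exe
    )

    $report = [ordered]@{
        Domain = $PartnerDnsDomain; SrvRecords = @(); DcAddresses = @()
        LocatorOk = $null; Ok = $false; Notes = @()
    }

    # -DnsOnly forces plain DNS, so a hit cannot come from the NetBIOS/LLMNR fallbacks
    # that mask a broken DNS hierarchy (the "enabling NetBIOS appears to fix it" trap).
    $common = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $common['Server'] = $DnsServer }
    $resolver = if ($DnsServer) { $DnsServer -join ',' } else { 'local resolver' }

    # The DC locator asks for these SRV records when it needs a DC / KDC of the partner.
    $srvNames = @("_ldap._tcp.dc._msdcs.$PartnerDnsDomain",
                  "_kerberos._tcp.dc._msdcs.$PartnerDnsDomain")
    foreach ($srvName in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $srvName -Type SRV @common |
                   Where-Object QueryType -eq 'SRV'
        } catch {
            $report.Notes += "No answer for $srvName from ${resolver}: $($_.Exception.Message)"
            continue
        }
        if (-not $srv) { $report.Notes += "$srvName returned no SRV records"; continue }
        $report.SrvRecords += $srv | ForEach-Object { "$srvName -> $($_.NameTarget):$($_.Port)" }

        # Each SRV target must itself resolve, or the locator still cannot reach a DC.
        foreach ($target in ($srv.NameTarget | Sort-Object -Unique)) {
            try {
                $a = Resolve-DnsName -Name $target -Type A @common | Where-Object QueryType -eq 'A'
                $report.DcAddresses += $a | ForEach-Object { "$target = $($_.IPAddress)" }
            } catch {
                $report.Notes += "SRV target $target has no A record: $($_.Exception.Message)"
            }
        }
    }

    if ($RunLocator) {
        # nltest drives the same locator trust creation relies on; /force bypasses its cache.
        $out = & nltest.exe "/dsgetdc:$PartnerDnsDomain" /force 2>&1
        $report.LocatorOk = ($LASTEXITCODE -eq 0)
        if (-not $report.LocatorOk) { $report.Notes += ($out | Out-String).Trim() }
    }

    $report.Ok = ($report.SrvRecords.Count -gt 0) -and
                 ($report.DcAddresses.Count -gt 0) -and
                 ($report.LocatorOk -ne $false)
    if (-not $report.Ok) {
        $report.Notes += 'Fix name resolution (conditional forwarder, stub or secondary zone ' +
                         'for the partner domain) rather than enabling NetBIOS to paper over it.'
    }
    [pscustomobject]$report
}

# Placeholder usage: on a DC of the local domain, asking the local DNS server.
Test-TrustPartnerDnsLocator -PartnerDnsDomain 'child.oldforest.example' `
                            -DnsServer '10.0.0.10' -RunLocator | Format-List
```

Run it in both directions; a failure on either side is the isolated-hierarchy case Dean describes, and the Notes field names the DNS-side fix instead of the NetBIOS workaround.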
Re: [ActiveDir] trust question
Dean,

Oh... I was under the impression that external trusts still used legacy name resolution. Here's a commonly misunderstood article about it ;-)
http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html

Cheers
Mylo

Dean Wells wrote:
I'm really not certain where this very common misunderstanding comes from; neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter) requires NetBIOS in order to establish a trust. The locator mechanisms employed to establish the trust are dependent exclusively upon the ability to resolve the trust partner, a role which DNS is more than able to fulfill. This is true to say of external, cross-forest and realm trusts (as far as I can recollect, however, NT does impose a NetBIOS dependency).

One of the most common reasons for trust creation failure is the scenario where each domain uses an isolated DNS name resolution hierarchy; enabling NetBIOS often appears to resolve this (no pun intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in these instances.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] trust question
As I said, it is indeed a common misunderstanding ... the fact that there's a related article published only lends weight to that point. It takes very little effort to test and it continues to surprise me when I hear of articles such as the one you've referenced (not that I read it since I have more than enough accurate material to plough through ;o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] trust question

Dean,

Oh... I was under the impression that external trusts still used legacy name resolution. Here's a commonly misunderstood article about it ;-)
http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html

Cheers
Mylo
Re: [ActiveDir] trust question
I heard somewhere that Windows 2k uses NetBIOS to generate the drop-down list of trusted domains when you log on. Now don't yell at me, Dean, but is this true? How does it generate that list when you join a domain? There is just a lot of disinformation about NetBIOS (is it a protocol? an API? a network driver?) and its role in Windows today. From what you're saying, as long as each DNS server has secondary zones of their respective domains or conditional forwarding, all should be good for a trust just based on DNS?

Thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
As I said, it is indeed a common misunderstanding ... the fact that there's a related article published only lends weight to that point. It takes very little effort to test and it continues to surprise me when I hear of articles such as the one you've referenced (not that I read it since I have more than enough accurate material to plough through ;o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] trust question
My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in any way ... it merely shows the same short name. This too can be changed using the following registry entries -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ... it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove out these scenarios yourself; it's a facility I've grown to cherish and couldn't possibly work without.

Hope the info proves useful!
Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

I heard somewhere that Windows 2k uses NetBIOS to generate the drop-down list of trusted domains when you log on. Now don't yell at me, Dean, but is this true? How does it generate that list when you join a domain? There is just a lot of disinformation about NetBIOS (is it a protocol? an API? a network driver?) and its role in Windows today. From what you're saying, as long as each DNS server has secondary zones of their respective domains or conditional forwarding, all should be good for a trust just based on DNS?

Thanks
Re: [ActiveDir] trust question
I guess my question is, how/where does the netlogon service get it from? DNS SRV records? To me, netlogon just refers to a secure encrypted channel between 2 hosts, to send a hashed password or register DNS records of a DC, or create a trust between a domain member and a DC or two domains. How does the netlogon service get a list of every domain in the forest when you join a domain with a client, in NT and 2003? The source must be different depending on the OS: NT or 2000/2003.

Also, flat names or samAccount names when it comes to domains, to me, have always been a synonym for NetBIOS. I understand that a single host name can be part of a bigger DNS namespace and Windows will try and append the suffixes, but a Windows domain name with no suffix can only be a NetBIOS name to me. Otherwise that would be like yahoo being the same as the Yahoo.com domain. It would be useless. Or it could just be me. I'm not the brightest bulb.

I came from a Novell background (please don't hold it against me) and I still can't get over it when I see in AD something like cn=schema,cn=configuration,dc=domain,dc=root. I always think, how can a leaf object be inside another leaf object, and if it's not a leaf why would you use the cn prefix and not ou? Maybe I'm thinking DNS domains when I should be thinking Windows domains or vice versa. Or maybe "domain" has become so overused I don't know what it is anymore: a Windows area of management, a DNS namespace, a naming context to be replicated, an MS form of Kerberos realm? I'm just confused.

Sorry Dean, ignore me. To be honest, I don't know enough about anything network related to be arguing with you or the likes of anyone on this list. Heck, I'm an English Lit major. I haven't even taken Comp Sci, so I guess I'm just too dense to see the difference between NetBIOS the protocol, NetBIOS the name, and flat names and DNS names. My apologies. Please don't hold it against this dim bulb who is clearly out of his depth here.

Thanks for your replies

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in any way ... it merely shows the same short name. This too can be changed using the following registry entries -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ... it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove out these scenarios yourself; it's a facility I've grown to cherish and couldn't possibly work without.

Hope the info proves useful!
Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com