DNS question wearing me out

Original Message
Name: quietstorm
Date: December 17, 2007 at 21:24:54 Pacific
Subject: DNS question wearing me out
OS: Windows 2000 and 2003
CPU/Ram: very fast and lots of ram
Model/Manufacturer: dell
Comment:

I am trying to create an external trust between two domains. Both domains consist of just a single server that is the domain controller and a file server. Both have a few XP clients.

The first is called “lds2.kac” and is on Windows 2000 Server.
The second is called “kreditlab.local” and is on Windows 2003 R2 Server.

These two servers can ping each other with the IP address. But neither can ping the other using the domain name.

They are both connected to the same DSL modem and I think that is why they can ping even though the IP address of the Windows 2000 box is a non-routable 192.169.1.22 (the Windows 2003 box has a public IP address we bought from Qwest).

My question concerns the following steps from the Microsoft TechNet on creating the trust:

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the domain, and then click Next.

If I do this on the 2003 box, in step 2, the 2000 domain is not listed, and vice versa. Do the directions refer to the other domain? If so, I am having trouble figuring out how to make that happen, and that is my problem I need help with.

In step 4 I am confused about the DNS name I'm supposed to enter.

I am worn out reading and reading tech notes, I hope someone can help get me un-stuck and moving again.

Response Number 1
Name: wanderer
Date: December 17, 2007 at 21:36:04 Pacific
Subject: DNS question wearing me out

Are the 2000 Server and 2003 Server both in the same forest?
If they are not.. which would explain not seeing the other domain... dns won't help.

Trusts are between domains in the same forest. This is different than NT which only had domains.

Only 2003 AD has the ability for forest trusts. You would have to upgrade the 2000 AD to 2003 before you could do your forest trust.

update: read below since this is partially correct.

Are you ready for where Microsoft wants you to go today?

Response Number 2
Name: quietstorm
Date: December 17, 2007 at 22:12:12 Pacific
Subject: DNS question wearing me out

I have read that external trusts can be used to accomplish trusts when NT4.0 and Win2k is involved. Are you saying that is not true? I am really expending time and energy and getting burnt out, hope you can help me. Thanks!

Response Number 3
Name: Curt R
Date: December 18, 2007 at 07:25:43 Pacific
Subject: DNS question wearing me out

I have read that external trusts can be used to accomplish trusts when NT4.0 and Win2k is involved

That's what wanderer just said more or less,

"Trusts are between domains in the same forest. (this is referring to Active Directory and 2000/2003)

This is different than NT which only had domains." (Ergo the reason for external trusts in NT or an NT/AD combination)

With NT to NT or NT to 2000/2003, you established an external trust because that is all NT is capable of (i.e. it has no Active Directory).

However that's meaningless to you since you're using 2000 and 2003 and Active Directory so the rules change.

To quote wanderer again, "Are the 2000 Server and 2003 Server both in the same forest?
If they are not.. which would explain not seeing the other domain... dns won't help."

Response Number 4
Name: tonysathre
Date: December 18, 2007 at 14:35:49 Pacific
Subject: DNS question wearing me out

Wanderer, correct me if I'm wrong, but I thought in Windows 2000 Server you could create a 1-way non-transitive trust between forests meaning that the trust would have to be created for domain 1 to use resources in domain 2, and vice versa.

"Computer security." — Oxymoron

Response Number 5
Name: wanderer
Date: December 18, 2007 at 16:48:40 Pacific
Subject: DNS question wearing me out

Good question tonysathre. I swear MS keeps changing the rules when I am not looking.

I found this:
http://tinyurl.com/2zfkrn

which says: "Windows Server 2003 forest trusts cannot be created between a Windows Server 2003 forest and a Windows 2000 forest."

BUT it then goes on to say: "You can, however, manually create a trust relationship between any domain in a Windows Server 2003 forest and any domain in a Windows 2000 forest by using one-way or two-way external trusts. External trusts are nontransitive and provide for access to resources in another domain outside the forest that is not already joined by a forest trust."

and from here: http://tinyurl.com/ye39lo

we get
"Transitive trusts can only exist between Windows 2000 domains in the same forest.
In summary, nontransitive domain trusts are the only form of trust relationship possible between:

• A Windows 2000 domain and a Windows NT domain.

• A Windows 2000 domain in one forest and a Windows 2000 domain in another forest.

• A Windows 2000 domain and an MIT Kerberos v5 realm."

You are correct tonysathre. Thanks for the update to my personal database.

*****************************************
Now what is the best way to help quietstorm?
I suspect each forest's DNS server needs to know about the other forest's servers.

Your thoughts?

Quietstorm, here is an external trust how-to:
http://tinyurl.com/3duqx5

Imagine the power if you knew how to internet search

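The point wanderer raises above (each forest's DNS server needing to know about the other's) is the usual blocker for an external trust between two single-DC domains: the trust wizard locates the other domain through its DC locator SRV records, so each DNS server must be able to answer for the other domain's zone. The following is an added illustration, not something posted in this thread or taken from the TechNet page it links. It uses the `dnscmd` tool (shipped with Windows Server 2003 and in the Windows 2000 Support Tools) and assumes the domain names from the original post; the two DC addresses are placeholders to be replaced with the real ones.

```batch
@echo off
REM ---- Run on the Windows Server 2003 DC (kreditlab.local) ----
REM 2003 DNS supports conditional forwarding: send every query for lds2.kac
REM to the Windows 2000 DC instead of out to the Internet root servers.
REM IP_OF_2000_DC is a placeholder for the 2000 box's address.
dnscmd /ZoneAdd lds2.kac /Forwarder IP_OF_2000_DC

REM The 2000 side (below) will pull kreditlab.local as a secondary zone, so
REM permit zone transfers of that zone to that one address only, rather than
REM to anyone who asks (a public-facing DNS server should never allow open AXFR).
dnscmd /ZoneResetSecondaries kreditlab.local /SecureList IP_OF_2000_DC /Notify

REM ---- Run on the Windows 2000 DC (lds2.kac) ----
REM Windows 2000 DNS has no conditional forwarders, so host a read-only
REM secondary copy of kreditlab.local transferred from the 2003 DC.
REM IP_OF_2003_DC is a placeholder for the 2003 box's public address.
dnscmd /ZoneAdd kreditlab.local /Secondary IP_OF_2003_DC

REM ---- Verify from each DC that the other domain's DC locator records resolve ----
REM The trust wizard and the Kerberos/NTLM logon path both depend on these SRV
REM records; if either lookup fails, fix DNS before touching Domains and Trusts.
nslookup -type=SRV _ldap._tcp.dc._msdcs.lds2.kac
nslookup -type=SRV _ldap._tcp.dc._msdcs.kreditlab.local
```

Once both `nslookup` queries return the other domain's DC, the "Trust Name" step of the wizard takes the full DNS name of the other domain (`lds2.kac` from the 2003 side, `kreditlab.local` from the 2000 side), which answers the step 4 question in the original post. The `/SecureList` restriction is the part a defender should not skip: the 2003 DC sits on a public IP, and an unrestricted secondary-zone transfer would hand the whole AD zone (every host name and every SRV record) to anyone on the Internet.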
Response Number 6
Name: tonysathre
Date: December 20, 2007 at 08:07:21 Pacific
Subject: DNS question wearing me out

Well, if your budget can handle another license for Windows 2003 Server, I would go that route. Then you can enable native mode on both your DCs. If not, your best bet would be external nontransitive trusts between your Windows 2000 and 2003 DCs.

One thing to consider when switching from mixed to native mode is backwards compatibility. If you have older workstations running older OSes that need access to AD resources, don't switch to native mode. There is no way that I know of to switch back from native mode to mixed mode.

"Foolproof systems don't take into account the ingenuity of fools."

Response Number 7
Name: quietstorm
Date: December 20, 2007 at 16:55:32 Pacific
Subject: DNS question wearing me out

Thanks for trying to help me. I am going to stop working on this. I have decided instead to wipe the 2003 server, re-install Windows and deploy it as a new domain in the forest that the 2003 server is in. I don't want it to be a member of the same domain; I want it to be a new domain in the forest tree. Would you care to comment on the plausibility of this? Thanks again for your help.
By the way, I did follow the link to the TechNet page. I had been trying to follow those instructions when I created my first post on this topic.