Currently we are attempting to set up a multi-domain forest in our testing environment. For this example our root domain is dom1.root and our second domain is dom2.local. Both domains are in Windows 2000 Native mode and therefore Universal groups are enabled. I added the dom2\Administrator account to the Enterprise Admins group, but when inspecting the Administrator account in ADUC in dom2.local the "Member Of" tab does not reflect that the administrator is part of that universal group, and when I try to add him I cannot see the dom1.root domain nor can I search within it when trying to add groups. However, on a mail server (mail.dom2.local) when I try to add users to the local machine Administrators group I can see the dom1.root users and I can add the users to the group.
I have two questions:
1. Why can't dom2.local see that the Administrator account has Enterprise Admin rights?
2. Why can't I see the dom1.root domain when trying to add groups to the users in dom2.local?
If any other information is needed please let me know.
Thanks in advance.
Wes Carroll
There are 10 types of people in this world; those who understand binary and those who don't.

According to your DNS names above, you have created two separate domains in two separate forests. In order to do what you want, you'll need to enable trusts between them.
If they were two separate domains within the same forest, trust relationships between the two wouldn't be necessary.

Thanks for the comments guys, however, we are one forest with two domains, we are just running a disjointed namespace. When the second domain was created, the forest trusts were put in place automatically. I have validated these trusts and they are functioning properly. I will try to add additional trusts and see if this helps. Any other thoughts?
There are 10 types of people in this world; those who understand binary and those who don't.

It is very important to understand that trees within Active Directory must have contiguous name spaces. However, a forest by definition is a collection of trees; therefore, their name spaces are noncontiguous. Wes apparently has at least two trees - dom1.root and dom2.local. He has one AD forest, but two trees.
However, trust relationships must still be created, and they should be two-way trusts.
Answering #1, and this may be why your setup overall isn't working, but perhaps your AD isn't functioning properly. I would run dcdiag to make sure all is replicating, and that the FSMO role holders, particularly the PDC emulator, are correct. Also, replication can get really messed up when the infrastructure master is a global catalog when you have more than one domain. Check that.
Answering #2. This sounds like the Global Catalog in dom2 is not updated with info about dom1. Use LDP connecting to the GC in dom2 on port 3268, and look to see if you see anything about the dom1 domain.
Finally, there are three types of people actually in this world - those who can count, and those who can't! Or should I say 11 types? ;-)
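A scripted version of the Global Catalog check suggested in the reply above, added here as an example and not part of the original thread. It assumes a dom2 domain controller holding the GC role named gc.dom2.local (a placeholder), the domain names from the thread, and a machine with PowerShell and .NET's System.DirectoryServices available.

```powershell
# Added example, not from the thread: query dom2's Global Catalog on port 3268
# (what the reply suggests doing by hand with LDP) to see whether it holds a
# replica of dom1.root and whether Enterprise Admins membership is visible there.
$GcHost        = 'gc.dom2.local'      # assumed: a dom2 DC that is also a GC
$RootDomainDn  = 'DC=dom1,DC=root'    # forest root domain from the thread
$ChildDomainDn = 'DC=dom2,DC=local'   # second tree from the thread
$UserSam       = 'Administrator'      # the dom2 account in question

function Search-Gc {
    param([string]$Base, [string]$Filter, [string[]]$Props)
    # The GC:// provider binds to port 3268; an empty base searches the
    # whole forest view the GC holds.
    $path = if ($Base) { "GC://$GcHost/$Base" } else { "GC://$GcHost" }
    $root = New-Object System.DirectoryServices.DirectoryEntry($path)
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $s.SearchScope = 'Subtree'
    $s.PageSize = 500
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    return $s.FindAll()
}

# 1. Which domain naming contexts does this GC know about? If dom1.root is
#    absent, GC replication of the root domain is what to fix (question #2).
$domains = @(Search-Gc -Base '' -Filter '(objectClass=domainDNS)' -Props 'distinguishedName' |
    ForEach-Object { $_.Properties['distinguishedname'][0] })
"Domains present in the GC on ${GcHost}:"
$domains | ForEach-Object { "  $_" }
if ($domains -notcontains $RootDomainDn) {
    "WARNING: $RootDomainDn is not in this GC; check replication and GC placement."
}

# 2. Enterprise Admins lives in the forest root domain. 'member' is part of the
#    GC partial attribute set, so the GC should list the dom2 account here.
$ea = Search-Gc -Base $RootDomainDn -Filter '(&(objectClass=group)(cn=Enterprise Admins))' -Props 'member'
$members = @($ea | ForEach-Object { $_.Properties['member'] })
"Enterprise Admins members as seen via the GC:"
$members | ForEach-Object { "  $_" }
if (-not ($members -match [regex]::Escape($ChildDomainDn))) {
    "WARNING: no $ChildDomainDn account is in Enterprise Admins as seen by this GC."
}

# 3. memberOf is a back-link computed from 'member' values held on the DC you
#    ask. A dom2 DC that is not a GC holds no replica of dom1's group objects,
#    so it cannot show membership in a universal group from dom1 (question #1).
$user = Search-Gc -Base $ChildDomainDn -Filter "(&(objectClass=user)(sAMAccountName=$UserSam))" -Props 'memberOf'
"memberOf for $UserSam as seen via the GC:"
$user | ForEach-Object { $_.Properties['memberof'] | ForEach-Object { "  $_" } }
```

Compare the memberOf output with the "Member Of" tab in ADUC while connected to a dom2 DC that is not a GC; a difference between the two views points at where the membership information is missing.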

I'm creating the same setup. Our central office already has a forest and root domain established. We'll call it DOM1, which is both the forest and root domain name. I loaded a 2003 server and did a DCPROMO and told it I wanted a new tree in an existing forest. It set up the trust between them, etc. with no problem. You do have to set up zones in both domains' DNS for the other domain. Still researching to see if Primary or Secondary zones are in order. Haven't gotten everything worked out yet, but if you do, drop me a line! I'm still not seeing both domains when I do an 'entire network' thing.

Thanks for the answers guys.
This link pretty much answers question number 1: http://support.microsoft.com/?kbid=833883
Still working on question number two.
There are 10 types of people in this world; those who understand binary and those who don't.
