other thing beyond what Jorge mentioned if you've Enabled
Disable [oxymoron :-)] anonymous SAM enumeration via Group Policy you're
also likely to end up with problems accessing resources.
Regards,
Mylo
Almeida Pinto, Jorge de wrote:
No. That domain wide authentication thing you mention is called
selective authentication. Although the selection you made is OK, that
is not what you need in this case to get admin permissions on the
source domain. To read more about selective authentication see:
Another thing
the outgoing trust (source target) sidfiltering is enabled by
default if the trust was created on a W2KSP4 DC or higher (it is
disabled by default if the trust was created on a W2KSP3 DC or earlier)
For more info see:
If you want to use sidhistory then sid filtering will have impact on
that. Disable it for the moment you use sidhistory if it is enabled
To use an account that has full admin rights on both source and target
environment (to migrate users, groups, computers, etc.) you can:
(1) add target domain admins to source domain administrators and add
SID of source domain admins to sidhistory of target domain admins
(2) Create a domain local group in the source domain. With restricted
groups add that domain local group to the local administrators group
of all computers where you need admin permissions. Add target domain
admins to source domain administrators and the previously created
domain local group
NOTE: to be able to create domain local groups in the source env.
that source domain must at least have windows 2000 native
To use an account that has full admin rights on both source and target
environment (to migrate only users and groups and passwords) you can:
(1) add target domain admins to source domain administrators
for the rest just follow:
Cheers,
Jorge
*From:* ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] *On Behalf Of *Lloyd Williams
*Sent:* Friday, December 16, 2005 16:50
*To:* ActiveDir (AT) mail (DOT) activedir.org
*Subject:* RE: [ActiveDir] Interforest Password Migration
Thanks for the reply. Yes this is the document that I am using as my
guide to do this.
The only part I am not sure about is the part that says the "users
must have administrator rights in both domains."
As far as I can see it is not possible to add the Domain Admin from
one domain to the Domain Administrators group in the other domain.
If you go into Active Directory Users and Computers to add accounts to
Domain Admins the only location you are given is that domain.
So I am assuming that the necessary rights come from creating the trust
relationship. When I created this I used the Domain wide
authentication option.
Can I assume that this gives Domain Admins in Domain1 appropriate
rights to Domain 2?
Thanks
Lloyd
*From:* ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] *On Behalf Of *Almeida
Pinto, Jorge de
*Sent:* Friday, December 16, 2005 4:40 AM
*To:* ActiveDir (AT) mail (DOT) activedir.org
*Subject:* RE: [ActiveDir] Interforest Password Migration
Is everything configured as mentioned in
Cheers,
Jorge
*From:* ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] *On Behalf Of *Lloyd Williams
*Sent:* Friday, December 16, 2005 01:58
*To:* ActiveDir (AT) mail (DOT) activedir.org
*Subject:* [ActiveDir] Interforest Password Migration
I am using ADMT v3.0 to migrate users from one 2000/2003 forest to
another 2003 forest. I have no trouble migrating users however I
cannot migrate passwords. I have the password migration service
installed on the PDC of the source domain. I have generated a key in
the target domain, then used it in the source domain during the
installation of the Password Migration Service. When I use ADMT to
migrate the password I get "unable to establish a session with the
password export server. Access is denied"
I have the password export service on the source machine running as
the administrator on the target machine.
The trusts seem to verify OK, anyone have any idea?
Thanks
Lloyd