DNS not installing properly
AllforLax 10-06-2005, 08:11 PM

I have a DC that is Trust with the primary DC.. My DC is an isolated network
with a Trust relationship the agency's primary DNS... All the users that
log on to my DC can only see my DC.. I can see my Trusted DC and the Trust
DC...
I upgraded my DC from Windows NT 4.0 to Windows 2000 and built the Active
Directory.. Applied the GPO security policies, but cannot load either
Integrated DNS or Standard DNS Zones...
I know you cannot completely work with Active Directory without the DNS
Zone.. Though I tried to load the zones it never takes with the Active
Directory..
What should I do next?

Herb Martin 10-07-2005, 02:38 AM

"AllforLax" <AllforLax@discussions.microsoft.com> wrote in message
news:64897406-E279-41B5-BA8D-F04560AAED48@microsoft.com...
> I have a DC that is Trust with the primary DC.. My DC is an isolated network
> with a Trust relationship the agency's primary DNS... All the users that
> log on to my DC can only see my DC.. I can see my Trusted DC and the Trust
> DC...

"See"? Do you mean browse? Browsing is a NetBIOS application
and as such is not related to trusts or DNS directly.
Also note that a "DC" cannot trust another DC nor DNS. Trusts are
between domains (except in one new Win2003 exception case for
forests.)
You indicate an "isolated" network -- if this implies routers (or
router switches) then your problem is likely a lack of (common)
WINS servers.
NetBIOS resolution has a practical requirement for a common
WINS database.

> I upgraded my DC from Windows NT 4.0 to Windows 2000 and built the Active
> Directory.. Applied the GPO security policies, but cannot load either
> Integrated DNS or Standard DNS Zones...

What? IF you have a DC then you can run DNS on it. If you run
DNS on the DC it CAN be integrated.

> I know you cannot completely work with Active Directory without the DNS
> Zone.. Though I tried to load the zones it never takes with the Active
> Directory..

What do you mean by "never takes"?

> What should I do next?

Be very explicit about exactly what happens, avoid generic
phrases and describe your exact actions, results, and error
messages.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

AllforLax 10-12-2005, 07:08 PM

Thanks Herb for your kind reply..
I am very new with working at the server level. I have a strong workstation
level experience. Trying to get more familiar with servers and domain
controllers.. Let me give you the details that you need to help me...
Originally, this primary domain controller (PDC) was a Windows NT 4.0 with a
Trust relationship with our organization's primary domain (Red). I built a
Windows NT 4.0 backup primary domain controller (BDC) on new Compaq Proliant
box and replicated the SAM accounts from the PDC. Then, I promoted the newly
built BDC to PDC. After this was done, I upgraded the new PDC to a Windows
2000 domain controller. The Active Directory was created and all the
policies were modified.
The IPs are configured on the new DC as static for our organization's
primary DNS server. This was the only way to add this new DC to the network
for the existing domain. Also, it is the same domain name as the old Windows
NT 4.0 after the upgrade to Windows 2000.
All went well, until after the new Windows 2000 domain controller was added
to the organization's Trust relationship. The users are able to log on to the new
domain controller's domain (Blue) which I created in the Active Directory.
But, when browsing "My Network Places" to look at the entire contents of the
(Blue) domain, it comes back with the error:
"Blue is not accessible. Logon Failure: user account Restriction."
After researching this, reading the event viewer and consulting with several
persons.. I was told that I did not have a DNS Zone.. I went ahead and
attempted to install the DNS manager and DNS Zone.. While attempting to install
the DNS "Active Directory Integrated" Zone, the message appears as;
"Zone can not be created. The Active Directory service is not available."
I went ahead and installed the "Standard Zone" and I received the same message;
"Zone can not be created. The Active Directory service is not available."
When attempting to install the "Reverse: Active Directory-integrated
Primary Zone"
I hope I have explained this the best I could with little experience that I
have at the server level..
Thanks AllforLax

Herb Martin 10-12-2005, 11:08 PM

"AllforLax" <AllforLax@discussions.microsoft.com> wrote in message
news:1C640449-5161-4C75-852D-40CC3592119F@microsoft.com...
> Thanks Herb for your kind reply..

Sorry for the delay in replying - this thread wasn't marked and I
had trouble re-finding it when you replied.

> I am very new with working at the server level. I have a strong workstation
> level experience. Trying to get more familiar with servers and domain
> controllers.. Let me give you the details that you need to help me...
>
> Originally, this primary domain controller (PDC) was a Windows NT 4.0 with a
> Trust relationship with our organization's primary domain (Red). I built a
> Windows NT 4.0 backup primary domain controller (BDC) on new Compaq Proliant
> box and replicated the SAM accounts from the PDC. Then, I promoted the newly
> built BDC to PDC. After this was done, I upgraded the new PDC to a Windows
> 2000 domain controller. The Active Directory was created and all the
> policies were modified.

Standard procedure for upgrading NT when the (old) PDC is not a good
candidate.
Since: ONLY the PDC can upgrade the domain.

> The IPs are configured on the new DC as static for our organization's
> primary DNS server. This was the only way to add this new DC to the network
> for the existing domain. Also, it is the same domain name as the old Windows
> NT 4.0 after the upgrade to Windows 2000.

You cannot expect to use MANUAL records for AD -- your DCs
really need to register themselves so DNS must practically be
Dynamic.
While technically it is POSSIBLE to do this manually it is impractical
to the point that it is unworkable for real world domains.

> All went well, until after the new Windows 2000 domain controller was added
> to the organization's Trust relationship. The users are able to log on to the new
> domain controller's domain (Blue) which I created in the Active Directory.
> But, when browsing "My Network Places" to look at the entire contents of the
> (Blue) domain, it comes back with the error:
>
> "Blue is not accessible. Logon Failure: user account Restriction."

Trusts outside of a single forest AND browsing are both dependent
on NetBIOS (as I mentioned previously.)

> After researching this, reading the event viewer and consulting with several
> persons.. I was told that I did not have a DNS Zone.. I went ahead and
> attempted to install the DNS manager and DNS Zone.. While attempting to install
> the DNS "Active Directory Integrated" Zone, the message appears as;
>
> "Zone can not be created. The Active Directory service is not available."
>
> I went ahead and installed the "Standard Zone" and I received the same message;
>
> "Zone can not be created. The Active Directory service is not available."
> When attempting to install the "Reverse: Active Directory-integrated
> Primary Zone"

You don't really need a reverse zone. You need a forward zone (which
might have been created automatically for you) but I thought you already
had DNS set up?
Your DC must point to the DNS server it will use on its NIC->IP properties.

> I hope I have explained this the best I could with little experience that I
> have at the server level..

You have two problems. DNS (fixing the zones) and NetBIOS (likely
WINS server needed if you have more than one Subnet) to fix browsing
and to enable trusts OUTSIDE of the forest.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
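
The point above about manual records, as an added example that is not part of the original thread: a short Python audit that checks a zone for a subset of the SRV locator records a domain controller registers by dynamic update. The zone text, the `blue.example` domain, the `dc1` host and the address are constructed placeholders.

```python
import re

# Subset of the SRV locator records a DC's Netlogon service registers by
# dynamic update, with the port each advertises (site and GUID records omitted).
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
    "_gc._tcp": 3268,
}

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)", re.IGNORECASE
)

def parse_srv(zone_text, domain):
    """Return {owner relative to domain: [(port, target), ...]} for SRV lines."""
    suffix = "." + domain.lower().rstrip(".")
    found = {}
    for raw in zone_text.splitlines():
        m = SRV_LINE.match(raw.split(";", 1)[0].strip())  # ignore comments
        if not m:
            continue
        owner = m.group(1).lower().rstrip(".")
        if owner.endswith(suffix):
            owner = owner[: -len(suffix)]
        found.setdefault(owner, []).append((int(m.group(2)), m.group(3).lower()))
    return found

def audit(zone_text, domain):
    """List locator records that are missing or advertise the wrong port."""
    found = parse_srv(zone_text, domain)
    problems = []
    for owner, port in REQUIRED_SRV.items():
        if owner not in found:
            problems.append(f"missing {owner}.{domain}")
        elif all(p != port for p, _ in found[owner]):
            problems.append(f"wrong port on {owner}.{domain}")
    return problems

# Constructed sample: a zone where an administrator typed in a host record
# and two SRV records by hand. All names and the address are placeholders.
MANUAL_ZONE = """\
dc1.blue.example.             IN A   192.0.2.10   ; hand-entered host record
_ldap._tcp.blue.example.      600 IN SRV 0 100 389 dc1.blue.example.
_kerberos._tcp.blue.example.  600 IN SRV 0 100 88  dc1.blue.example.
"""

if __name__ == "__main__":
    print("\n".join(audit(MANUAL_ZONE, "blue.example")))
```

Against the hand-built sample zone the audit reports five missing locator records, which is the gap that dynamic registration closes.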

AllforLax 11-17-2005, 05:36 PM

Hello,
Been a while.. Sorry.. Been frustrating working on this problem alone..
I added the WINS IP address and am able to see the resources in the "Blue"
domain.. However, still unable to share out the resources on the "Blue"
domain..
I entered the WINS IP address for the organization's "Red" Trust Domain in the
primary "Blue's" DNS zone property. I was still not able to create an
Integrated Active Directory Zone... I even changed the primary DNS setting in
the NIC > Properties for the "Blue" Domain and still users cannot access the
resources.. Still getting error, "Blue is not accessible. Logon Failure: user
account Restriction".