Can someone help me out here - I'm having problems getting an
application (which had worked fine on NT for years) working properly in
an AD environment. Running it in a simple config, e.g. on a single DC
works ok. However, as soon as I try to run it with a more colorful W2K
setup, i.e. 2 ADs, I get various errors which suggest some kind of
trust permissions or policies between the 2 AD machines are stopping
The application does a user authentication then fetches some more info,
assuming that worked. This all used to work in NT world and the
functions I use are allegedly supported in AD seemlessly - I think its
just AD config I need to set up.
Here's the problems:
First scenario is an AD, called root.com say which has a child AD of
say child.root.com. If my app is on root.com and I am authenticating a
user in child.root.com, authentication works but when I use the
function RasAdminGetUserInfo, it fails with an "access denied" error.
The RasAdminGetUserInfo simply takes a computer name and username and
returns the RAS callback number. Even though Windows created a
transitive trust for the two systems, permissions appear to be
preventing the app on root.com from fetching the user's RAS details
from child.root.com. Running the app on child.root.com allows the data
to be fetched, so it IS a permission issue. I'd like to be able
to "turn something on" which allows the RAS data to be pulled out of
the child.root.com AD from root.com.
Second scenario is similar but I created root.com as the AD root, then
created a new AD domain, two.com, and told it to add it to the AD
root. This made a trust again (tree root) and this time authentication
fails. Trying to authenticate from two.com to root.com fails with a
permission error. I thought the tree root trust would allow this?
What do I need to turn on? However, running the app on root.com and
trying to authenticate a user on two.com fails works but then the
function LookupAccountSidA fails.
All ADs in mixed mode.
Sent via Deja.com http://www.deja.com/
Before you buy.