Domain Trust 2008 to 2003
- by nick3216
I'm having trouble setting up the trust relationship between a Windows Server 2003 and a Windows Server 2008 AD.
Domain a is Windows Server 2003 Forest functional level.
Domain b is a Windows Server 2008 Forest functional level.
I can set up the incoming side of the trust relationship on domain "a" so that it trusts domain "b".
Try as I might, on domain "b" I can't set up the outgoing side of the trust relationship to domain "a".
The GUI interface gives an unhelpful 'The request is not supported'.
I'm not sure netdom is being more or less helpful, as it refers me to FilterSIDs:
    netdom trust /add b /uo:b\admin /po:* /d:a /ud:a\admin /pd:* /oneside:trusting
    To improve the security of this external trust, security identifier (SID)
    filtering is enabled, however, if users have been migrated to the trusted
    domain and their SID histories have been preserved, you may choose to turn off this
    feature.
    For more information about SID filtering and how to turn it off, see the help
    for netdom trust /FilterSids or see Help and Support.
    The request is not supported.
    The command failed to complete succesfully.
I say 'less helpful' because Windows Server 2008 doesn't support the /FilterSIDs option.
How can we force creation of this trust?
Edit:
Just to clarify, I've checked that the
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]
"Network access: Allow anonymous SID/Name translation" is enabled on both sides of the trust, as per http://social.technet.microsoft.com/Forums/en/winserverDS/thread/cc61fc25-3569-4413-bbfd-92390eb31118