Two Domains - NT4 and W2K - No Trust - An interesting problem

[danman77]

Here's the scenario:

Our 'corporate' is running an NT server with DHCP (we have the BDC here) and we are running with a Novell server and IPX/SPX is blocked at the router. This allows us to have our own internal network outside the 'corporate' domain and users can log into both domains with one login (provided that the username and passwords are the same) and login scripts are be run both from the corporate NT box and the Novell Box.

What we want:

We are upgrading the Novell box to W2K professional server. We want to be able to have users log into the NT4 domain and pass-through to the W2K domain, running login scripts from both servers. We also want to give our users the option of logging into the NT4 domain or logging into the W2K domain in case corporate has to shut down it's servers (maintenance, virus', etc). We do not want a trust between the two domains (this would get corporate involved .... this can be very bureaucratic!) and we can manage duplicate user accounts on this end (only about 75 users). We intend on using TCP/IP as a protocol. This is currently being attempted on a test network.

Here's the problem:

So far, I have created the W2K domain and am using 2 NIC cards (one with a static IP that belongs to the NT domain 10.0.0.2 and one for the new W2K domain 10.0.1.1). The W2K will also be using DHCP however, it won't really be needed unless a user logs into that domain. I have it so far that the client machine can log into the NT4 box and see the both domains and access resources on both sides. I have not been able to execute login scripts on the W2K side once the user logs into the NT4 side. Also, because the client is a Windows 95 machine, I can log into the domain that is shown as the 'Workgroup' (the NT domain) but not the W2K domain (even if I change the domain name when logging in).

I know it sounds a little odd, and using a trust would probably solve most of these issues but that is not really an option we want to use. I have worked with NT4 for years but not W2K. Do I need to use Active Directory for the W2K box? What will that give me?

Can what we are trying to do actually be done? (I know all things are possible, but this one's a bit of a stretch!)

 

[GlenJohnson]

Have you thought about upgrading the nt box to w2k? Might solve the problem. Working with PDC's and DC's can cause issues if memory serves me. Just a thought. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"There is nothing in this world constant but inconstancy."
Jonathan Swift (1667-1745); Irish author.

 

[danman77]

Thanks for the response Glen. Upgrading is not an option as we are a division of a larger corporation. The NT4 box belongs to 'corporate' and the Novell box we are replacing is ours. We have had some siturations (ie virus infection) that has had corporate shut down their PDC's and BDC's. This shut us down as well. We are looking at a 'sub-domain' that can operate within the master domain but not actually be a part of it. Using this method, we can effectively maintain operations in the event corporate has to shut down or run maintenance. It will also allow us to add temporary users, groups, etc to our own system without having to wait for the requests to be completed at the corporate level. Our current set-up allows this however, the Novell box we are using is Novell 3.12 ... it is very old, slow, and not too reliable. It works on the Novell box as it is using IPX/SPX as a protocol. Corporate wants this protocol removed and I am trying to create the same scenario using W2K and TCP/IP.

 

[GlenJohnson]

I'm in the process of moving from a Novell4.0 to a w2k domain. We started with Novell, then way back when, brought in a NT 4.0 box. We've been adding W2K machines until we bought a compaq w2k server. We upgraded the nt box to w2k and made the old server and new server dc's. That's why I thought about upgrading. I'm not locked down like you are. We use active directory and it is nice. You can put scripts in the profile tab of a user so when they log on, whatever services you want loaded are. We use this function for our anti-virus program. If I go to a different machine and logon, it automatically runs my script so the anti-virus software loads. It sounds like a security issue, but I don't know enough about trusts to say if it would fix the problem. How about basic network connectivity. Has anybody been able to access the new server? Ping, route print, etc? You mentioned DHCP, that's just for giving out ip's correct? Server is fixed IP? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"There is nothing in this world constant but inconstancy."
Jonathan Swift (1667-1745); Irish author.

 

[danman77]

Man, you respond quickly, Glen! The W2K server is on a test network (2 clients, 2 servers) and I am testing this before we actually migrate to the new server. The whole DHCP thing works fine for NT (as expected) but, because a client can really only belong to the 1 domain shown in the Identification|Workgroup tab (that I know). The NT server has a fixed IP (10.0.0.1) and a DHCP Range of 10.0.0.2 - 10.0.0.200. It also has the address 10.0.0.2 as a reserved address. The Win2K server has 2 NICS, both with static IP's - 10.0.1.1 and 10.0.0.2. This allows me to have the 10.0.0.2 nic card as a gateway for the 10.0.1.1 side. If users log into the NT server, they will be assigned 10.0.0.x. I was hoping to set it up that a user can log into the W2K box and be assigned an address of 10.0.1.x in the event that the NT box goes down (see comments from previous threads).

So far, the NT client can see both servers and access resources on both. The NT server can see the W2K server, but not the client. The W2K server can see the NT box, but not it's client. All can ping all.

 

[GlenJohnson]

Try to disable dhcp on the test server and see what happens. I think what you need to be looking at are scopes, not trusts. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"There is nothing in this world constant but inconstancy."
Jonathan Swift (1667-1745); Irish author.

 

[danman77]

Both the NT server and the W2K servers (and clients) are on the test network. The test network here emulates the real network in the office. If I disable the DHCP on the W2K server, the client machines will not be able to log into that server.

I really don't know if what I want to do is do-able. I am trying to get it so that the clients log into the NT box and can access resources on the W2K box (I have that already). Additionally, I am hoping to be able to execute login scripts when the user logs in from both the NT server and the W2k server. Should the NT DC and BDC is shut down, I want to allow the users to log into the W2K server. Because I am using 2 domains here, a trust is the way to go however, I do not want to do this as it will make us dependant on corporate IT and we want to be able to control this ourselves.