
2003 to 2008 forest trust verify in only one direction - but seems to work anyway?


I recently set up a forest trust between an existing 2003 forest and a new 2008 forest. The new 2008 side has two domain controllers/DNS servers, and each side has an AD-integrated stub pointing to the opposite side's DNS server. I thought this might be easier than conditional forwarding but could easily change this. The trust is in place and seems to be working for the purposes of ADMT. We can migrate objects and SID History does come across to the new domain. There were some recent troubles with migrated users on migrated workstations accessing non-migrated resources. I am still in the process of troubleshooting this, and the first thing I came across is this:

C:\Users\administrator>netdom trust trustingdomain.fqdn /d:trusteddomain.fqdn /verify
The attempt to do a group look up on domain controller \\DC.trustingdomain.fqdn
for the Domain Admins group of trusting domain
trustingdomain.fqdn failed with the following error:

Access is denied.

The attempt to do a group look up on domain controller \\DC.trusteddomain.fqdn
for the Domain Admins group of trusting domain
trusteddomain.fqdn failed with the following error:

Access is denied.

The command failed to complete successfully.



This only happens when run from the new 2008 forest. When run on the other forest, the trust verifies as expected. I am using some test accounts and I appear to still have access to resources through the SID History attribute. Is there any chance that this is causing a part of my issue?

