2008 File Access Across Trusted Domains
We currently have two domains in a two way trust in preparation for a domain migration. I have successfully migrated test user accounts from domain A to domain B. I can access all resources in domain A except for any on 2008 servers - in particular, a file server. 2003 servers work fine in both directions. I can ping domain A from domain B on 2003 servers but not on 2008 servers. The same is true in the opposite direction. I have created an lmhost file for the domains on the 2008 server which did not help. DNS is configured properly or 2003 servers wouldn't work. I try to grant permission to the migrated test accounts in domain B to the 2008 file server in domain A. Both domains are visible but user accounts cannot be resolved across the domains, but this ONLY occurs on 2008 servers (firewall is disabled as well). Any advice would be appreciated.
October 28th, 2009 5:20pm

Hi JaymeW,

According to your description, I understand that you migrated Windows 2003 domain user accounts to a Windows 2008 domain and this account could not access the Windows Server 2008 shares. If I have misunderstood you, please let me know.

This issue might be caused by an NTLM compatibility issue between Windows Server 2003 and Windows Server 2008. Please try to set the following group policy settings on the Windows 2008 server to see if it helps.
========================
Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options:

Network Security: Do not store LAN Manager hash value on next password change - SET TO DISABLE
Network Security: LAN Manager authentication level - SET TO SEND LM & NTLM - USE NTLM v2 IF NEGOTIATED

Refresh group policy by restarting the computer or typing gpupdate /force in the run dialog box.

If the issue continues, please provide more information for our research:

1. Can you use the other Domain B user accounts to access the file on the problematic Windows 2008 file server?
2. Can you access the files on the 2008 server from the other clients?
3. If you reset the password for the migrated test account, can you access the file on the problematic file server? If not, please let us know the error message WORD by WORD.
4. Check if you received any Event ID logs in the client and Windows 2008 Server.
5. Collect an MPSReport on the problematic file server.
   a) Download the proper MPS Report tool from the website below.
      Microsoft Product Support Reports
      http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
   b) Double-click to run it. If the requirement is not met, please follow the wizard to download and install them. After that, click Next. When the "Select the diagnostics you want to run" page appears, select "General"; Internet and Networking; Business Network; Server Components; click Next.
   c) After collecting all log files, choose "Save the results". Choose a folder to save the <Computername>MPSReports.cab file. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.

This posting is provided "AS IS" with no warranties, and confers no rights.
October 29th, 2009 11:32am

Thanks for the response. To clarify my issue - Domain A is a 2003/2008 domain and domain B is totally 2008. The 2008 file server is in domain A but I need users to have access to it from domain B after they have been migrated. A two way trust is in place and validated. I tried the changes to the local policy with no luck.

1. No user accounts in domain B can access the file server in domain A. More precisely, I can access shares that are available to Everyone but not the user folder specific to the migrated account. To correct this I tried to add the migrated account in domain B to the shared folder security settings of the 2008 file server still in domain A. I can see domain A and B when I attempt to add the user account but it cannot resolve any accounts in domain B.
2. No other clients can access the file server.
3. Resetting a user account password didn't help me. When I try to access shared files on the 2008 file server in domain A I receive "Access is denied".
4. I don't see anything in the event logs of either the server or clients that gives any clues.
5. http://cid-1506ebdcb95c278f.skydrive.live.com/self.aspx/.Public/USATLMSFS01^_MpsReports.cab
October 29th, 2009 6:39pm

Hi JaymeW,

Thank you for your response. According to your description, "I can see domain A and B when I attempt to add the user account but it cannot resolve any accounts in domain B.", most likely there is a DNS query issue with the problematic Windows 2008 file server and Domain B. Please check the following settings:

1. Does the file server point to the correct DNS server in Domain A?
   (1) Click Start and run "nslookup", and then press ENTER.
   (2) Type set type=all, and then press ENTER.
   (3) Type _ldap._tcp.dc._msdcs.domainA.com and then press ENTER.
   (4) Type _ldap._tcp.dc._msdcs.domainB.com and then press ENTER.
   Does it return a success reply?

2. Log on to the Domain B computer.
   (1) Click Start and run "nslookup", and then press ENTER.
   (2) Type 2008fileservername.domainA.com and then press ENTER.
   Does it return a success reply?

3. If the above nslookup actions return errors, please check both domain DNS servers' Conditional Forwarders.
   For Windows Server 2003, please refer to:
   Conditional Forwarding in Windows Server 2003
   http://support.microsoft.com/kb/304491
   Configuring DNS forwarders to support Windows Server 2003 forest trusts
   http://blogs.techrepublic.com.com/window-on-windows/?p=501
   For Windows 2008, please refer to:
   http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx

4. If the above nslookup actions return successes, please try adding the Domain B account to the file server shared folder via Advanced Sharing. Change the Location to B.com, and try accessing the shares from Domain B again.

Best Regards,
Wilson Jia
October 30th, 2009 11:18am
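
The DC locator lookups from steps 1 and 2 of the reply above, scripted as an added example (not part of the thread): it queries the _ldap._tcp.dc._msdcs SRV record for each domain and then confirms that every target host it names resolves to an address. Test-DcLocatorRecord is a hypothetical function name, domainA.com and domainB.com are the thread's placeholders, and Resolve-DnsName is assumed to be available (Windows 8 / Server 2012 or later; on Server 2008 itself use the nslookup steps).

```powershell
# Added example (not from the thread). Needs Resolve-DnsName (DnsClient module,
# Windows 8 / Server 2012 or later). Test-DcLocatorRecord is a hypothetical name;
# domainA.com and domainB.com are the thread's placeholder domains.
function Test-DcLocatorRecord {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [string] $Server   # optional: DNS server to query instead of the configured one
    )
    $opts = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $opts.Server = $Server }

    # Emit one result row per check so failures are as visible as successes.
    function New-Row($d, $target, $addr, $status) {
        [pscustomobject]@{ Domain = $d; Target = $target; Address = $addr; Status = $status }
    }

    foreach ($d in $Domain) {
        $srvName = "_ldap._tcp.dc._msdcs.$d"
        try {
            # Keep only SRV answers; a name with no SRV data returns an SOA instead.
            $srv = @(Resolve-DnsName -Name $srvName -Type SRV @opts |
                     Where-Object { $_.Type -eq 'SRV' })
        } catch {
            New-Row $d $srvName $null "SRV lookup failed: $($_.Exception.Message)"
            continue
        }
        if ($srv.Count -eq 0) {
            New-Row $d $srvName $null 'No SRV records returned'
            continue
        }
        foreach ($rec in $srv) {
            # An SRV record is only useful if its target host also resolves.
            try {
                $a = @(Resolve-DnsName -Name $rec.NameTarget -Type A @opts |
                       Where-Object { $_.Type -eq 'A' })
                $addr   = ($a | ForEach-Object { $_.IPAddress }) -join ', '
                $status = if ($a.Count) { 'OK' } else { 'Target has no A record' }
            } catch {
                $addr = $null; $status = "Target lookup failed: $($_.Exception.Message)"
            }
            New-Row $d $rec.NameTarget $addr $status
        }
    }
}

Test-DcLocatorRecord -Domain 'domainA.com', 'domainB.com' | Format-Table -AutoSize
```

Running it once per DNS server with -Server shows which server fails to resolve the other domain's records, which is where a conditional forwarder would be checked.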

Tweaking DNS on the 2008 file server resolved the issue. What I don't understand is why the forwarders worked fine for all 2003 servers but not 2008. In any event, thank you for all the advice and help - on to the domain migration!
October 30th, 2009 4:44pm

This topic is archived. No further replies will be accepted.
