Setting Permissions b/t Forest Trusts
I have recently set up a completely separate domain to host offsite applications. Our local domain is Server 2003 Native and the new one is Server 2008 Native. I set up a one-way forest-level trust between the two, with the 2008 domain trusting the 2003 domain. Everything works great except that if I try and set permissions on files/folders on XP hosts in the 2008 domain, I cannot add any users/groups from the 2003 domain. The 2003 hosts I have sitting in the 2008 domain let me do this with no issues. When I look at the event log it references a Userenv error pertaining to a cross-forest loopback policy issue. I don't even see this policy as an option on the domain, so I know I don't have it applied. Any help with this would be great. Thanks in advance!
March 26th, 2009 10:54pm

Hi dolarin, please cross-verify whether you have missed any configuration from the DNS server perspective; that would make your life hectic.

Cross checks
=========

1. Open Active Directory Domains And Trusts from Administrative Tools.
2. In the console tree pane, select and right-click the domain node for the forest root for which you want to create a trust.
3. Select Properties.
4. Select the Trusts tab in the Properties dialog box.
5. Click New Trust and click Next (skip the Welcome screen).
6. On the Trust Name page, enter the DNS name of the target domain for your trust (for our example, it is Cogswellcogs.com) and click Next.
7. Select Forest Trust on the Trust Type page and click Next. (If the Forest Trust option is missing, you may have omitted one of the prerequisites. In that case, double-check the DNS Forwarders tab and the forest functional level of all the domains in both forests.)
8. Choose a direction for the trust relationship: Two-Way, One-Way Incoming, or One-Way Outgoing.
   - Two-Way: All users in both forests will be able to access all resources in both forests.
   - One-Way Incoming: All users in this forest will be able to access all resources in the other forest but not vice versa.
   - One-Way Outgoing: All users in the target forest will be able to access all resources in this forest but not vice versa.
   After you've chosen, click Next.
9. Resource access is still governed by permissions in the domain where the resource exists. The trust direction provides access to all resources where permissions allow access. Select the sides of the trust relationship: This Domain Only or Both This Domain And The Target Domain.
   - This Domain Only: Creates the trust relationship in this domain only; an administrator on the other end will have to complete the other trust.
   - Both This Domain And The Target Domain: Requires sufficient access in the remote domain and will allow you to complete the trust setup.
10. Select the appropriate path, depending on the choices you made in the previous two steps.
   - If you chose Two-Way or One-Way Outgoing in step 8 and This Domain Only in step 9, you will need to select a trust authentication level. Domain-Wide Authentication will authenticate all users in the remote forest for all resources in the local forest. Choosing Selective Authentication will allow you to specify which users in the remote domain have access to local resources. Click Next. Enter a password for the trust and click Next.
   - If you chose One-Way Incoming in step 8 and This Domain Only in step 9, enter the password for the trust in the Trust Password and Confirm Password boxes. Click Next.
   - If you selected both domains (this domain and the selected domain) in step 9, a username and password box will appear to allow you to enter the username and password of an administrator account in the target forest. Click Next.
11. On the next screen, verify all of your selections. When you click Next, the wizard creates the trust. Verify the settings of the new trust.
12. Confirm the outgoing trust. Select Yes if you created both sides of the trust; select No if you did not.
13. Click Finish in the Creating The Trust wizard. The new trust will appear on the Trusts tab in the Properties dialog box for the domain.

Also, please check the link below for all the required ports which should be opened.
http://support.microsoft.com/kb/179442

sainath
Windows Driver Development
March 30th, 2009 2:48pm
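
The direction and authentication-level choices from steps 8 to 10 of the reply above can be checked after the trust exists. The following is an added example, not part of the original reply: it uses the .NET `System.DirectoryServices.ActiveDirectory.Forest` class from PowerShell and assumes a domain-joined machine in the trusting forest and an account allowed to read trust objects.

```powershell
# Added example: report direction, authentication scope and SID filtering
# for every forest trust of the current forest.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$report = foreach ($trust in $forest.GetAllTrustRelationships()) {
    $target = $trust.TargetName
    # Outbound or Bidirectional: this forest trusts the target forest,
    # so the target's users can authenticate to resources here.
    $outbound = $trust.TrustDirection -ne 'Inbound'

    $selective = $null
    $sidFilter = $null
    $verified  = 'n/a'

    if ($outbound) {
        try {
            # True  = Selective Authentication
            # False = forest-wide authentication (the wizard's Domain-Wide option)
            $selective = $forest.GetSelectiveAuthenticationStatus($target)
            $sidFilter = $forest.GetSidFilteringStatus($target)
        } catch {
            Write-Warning "Could not read trust attributes for ${target}: $($_.Exception.Message)"
        }
        try {
            # Throws if the outbound side of the trust cannot be validated.
            $forest.VerifyOutboundTrustRelationship($target)
            $verified = 'OK'
        } catch {
            $verified = "FAILED: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Source                  = $trust.SourceName
        Target                  = $target
        Direction               = $trust.TrustDirection
        SelectiveAuthentication = $selective
        SidFiltering            = $sidFilter
        OutboundVerified        = $verified
    }
}

$report | Format-Table -AutoSize
```

A row with `SelectiveAuthentication` set to `False` means every authenticated user of the other forest can authenticate to hosts in this forest, so file and folder ACLs are the only control left on those resources.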

Hi,

Thanks for the post.

From your description, I understand that a one-way forest-level trust was set up between the Windows Server 2003 domain and the Windows Server 2008 domain; however, if you try to set permissions on files/folders on Windows XP hosts in the Windows Server 2008 domain, the users/groups from the 2003 domain cannot be added. Meanwhile, the issue does not occur on the 2003 hosts in the 2008 domain. In addition, there is a Userenv error shown in the Event Log.

Please understand that the Object Picker cannot choose objects from another forest in Windows XP and Windows 2000, and we may get a workaround provided in the following article.

878452 The Object Picker cannot locate objects that are located in another forest in Windows XP and Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;878452

In addition, Cross-forest trust and Loopback-Replace are not available on Windows XP Service Pack 1 (SP1) or earlier. We may need to check if the client systems meet the requirement. For your reference, I suggest checking the following articles:

http://technet.microsoft.com/en-us/library/cc785691.aspx
http://technet.microsoft.com/en-us/library/cc778618.aspx

If it cannot work, please take the time to collect the Event Log for further research. Use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

Hope this will help you with this issue.
March 31st, 2009 7:24am

This topic is archived. No further replies will be accepted.
