Trust validated, people picker can't see domain
I've googled this and seen a ton of suggestions, most of which didn't go far... and one MS KB. The KB said to check netlogon.ftl security... I did, it was OK. It's a 2k8r2 AD at that op mode, and the other domain is a 2k op mode on a 2k3 server. I set up the trust without any issues and validated bidirectionally from both ends (redundant, but wanted to check). When I log in to a server, the domain dropdown shows both NetBIOS domain names. On the 2k8 system, if I select location from the people picker, all I see is my domain; from the 2k3 server I see Entire Directory - local domain. From the 2k8 server I did an nltest /dsgetdc:otherdomain and the results look good. Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE. Not sure where to go from here. Thanks
May 18th, 2011 1:46pm

Hello jrich, I suspect that on one domain you have a global group and you are trying to add users from that other domain into that group. Correct? If that is the case, you have to remember that depending on what resource you are working with, certain rules apply. For instance, global groups can only contain members from the same domain. Try the same thing from a domain local group, or just open the properties of a share and you should be able to see all of the trusted domains in the "locations" list. Visit: anITKB.com, an IT Knowledge Base.
May 18th, 2011 2:02pm

If the domains are on different network segments, make sure you enforce NetBIOS over TCP on all GC/DC on both sides.
May 18th, 2011 2:16pm

So, in this case I think you are both right... I had read about the global/universal group... and... I never looked at the domain admins to see that it was global and not universal... I can use enterprise... The next part is, even after looking at the enterprise admin group I still can't see it, so to Vincenzo's point, they are across subnets... I'll have to verify the NetBIOS over TCP. Thanks
May 18th, 2011 2:25pm

You are not going to be able to add accounts from domains outside of the forest in the Enterprise Admins group. I don't think the NetBIOS concern has anything to do with this case. Just right click any folder on your desktop, go to properties, security tab, click add, then locations. If you can see the trusted domains, everything is working as expected. Visit: anITKB.com, an IT Knowledge Base.
May 18th, 2011 2:32pm
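
The group-scope rules discussed in the replies above, as an added example that is not part of the original thread: it reports each group's scope, where its members may come from, and which current members are foreign security principals from a trusted domain outside the forest. The function name and the three sample group names are assumptions; it needs the ActiveDirectory module and is meant to be run in the forest root domain, where Enterprise Admins lives.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (available on 2008 R2 domain controllers or via RSAT).
Import-Module ActiveDirectory

# Hypothetical helper name; takes one or more group names.
function Get-GroupTrustMembership {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$GroupName
    )
    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name -Properties member

        # The scope decides which domains the members may come from.
        $allowed = switch ($group.GroupScope.ToString()) {
            'Global'      { 'Same domain only' }
            'Universal'   { 'Any domain in this forest' }
            'DomainLocal' { 'This forest and trusted external domains' }
        }

        # Members from a trusted domain outside the forest are stored as
        # objects under CN=ForeignSecurityPrincipals, so their DNs stand out.
        $foreign = @($group.member |
            Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })

        New-Object PSObject -Property @{
            Group              = $group.Name
            Scope              = $group.GroupScope
            MembersAllowedFrom = $allowed
            ForeignMembers     = $foreign.Count
            ForeignMemberDNs   = $foreign
        }
    }
}

# Sample call: one global, one universal and one domain local group.
Get-GroupTrustMembership -GroupName 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    Format-List Group, Scope, MembersAllowedFrom, ForeignMembers, ForeignMemberDNs
```

Running it periodically against privileged domain local groups gives a quick record of which accounts from the trusted domain hold rights in this one.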

You are correct... looks like I need to do some more thorough reading of ADMT. Thanks
May 18th, 2011 2:37pm

No problem. Glad I was able to assist. Visit: anITKB.com, an IT Knowledge Base.
May 18th, 2011 2:43pm

This topic is archived. No further replies will be accepted.
