I'm going to say roughly the same thing as Jason Berg, but I'm going to put more detail and emphasis in the DNS part, because none of this will work without good DNS resolution on both the servers and client computers in the Windows 2000 Active Directory domain and the domain controllers in the Windows Server 2008 Active Directory domain.
If you can create a DNS situation that allows client and server computers in the W2K domain to resolve the name of the W2K8 domain domain controller computer(s) then you can proceed with creating a trust relationship and ease into your domain migration.
Hopefully you're hosting DNS on your Windows 2000 Server domain controller computer(s), and hopefully that's what your client computers are using for DNS. Unfortunately, the Windows 2000 DNS server doesn't allow for conditional forwarding of non-authoritative zones to another DNS server like the Windows Server 2003 DNS server does. If your W2K8 DNS server can resolve Internet names, just set the W2K8 DNS server as a "forwarder" on the W2K DNS server. If not, then you might consider creating secondary zones for the W2K8 domain and its "_msdcs" child domain on the W2K DNS server (but that's more work).
On the W2K8 side of the house, just create a conditional forwarded for the W2K domain's name to the W2K DNS server and you're in business.
Once you can resolve the fully-qualified domain names of the domains and domain controllers in the other domain from a domain controller in both domains then you can proceed in creating a trust relationship.
Just like Jason Berg says, a one-way, outgoing, external trust is what you're looking for in the W2K8 domain. Don't bother trying to create it until you've got good DNS resolution.
Once you've done this you can name users (and, potentially groups) from the W2K domain in permissions on the W2K8 domain. User accounts from the W2K8 domain can also be used to logon to client computers in the W2K domain (and Group Policy specified in the W2K8 domain for users will apply! You can't apply any computer Group Policy from the W2K8 domain to computers joined to the W2K domain, though.)
If you want to create a two-way trust and use tools like the ADMT you certainly can. The one way trust will get you up and going for naming W2K domain security principles in permissions in the W2K8 domain, though.
I've just spent an incredible amount of time similarly debugging my server and have come down to the realization that the share and the directory being shared cannot have the same name.
I have no idea why. I hope someone else stumbles across this earlier in their process than I did.
Best Answer
You could probably use the ADMT if you wanted to create a new domain, but as you want to have a minimal impact on your user base then the logical thing to do is to join the samba host as a new domain controller (DC) in the same AD domain.
After that the AD objects should be replicated to the new DC and you should replicate the sysvol and netlogon shares manually or with robocopy.
The whole process is documented in the samba wiki: https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory