Question

Accessing resources across a trust

Asked by: bgcm12

Hello,

I have 2 separate forests with one Windows Server 2003 domain in each.

There is a working 1-way trust between the domains (I can validate the trust from both sides of the trust, and resources in the trusting domain are accessible in the trusted domain).  Domain A trusts Domain B.

Users in domain B need access to a directory in domain A.  I have created a Domain Local group in AD in domain A with privileges to the directory.  I have created a "Security Group - Global" in AD in domain B.

On the fileserver in domain A, I have navigated to the "Sharing and Security" of the directory that needs sharing and have accessed the "Security tab".

I have clicked "Add" to add a new group to the Access Control List.  I have then clicked "locations" and I then have the choice of switching the location from Domain A to Domain B.  

Now the SELECT USERS, COMPUTERS OR GROUPS dialogue box has the options:

Select this type of object:  Users or Groups
From this location : Domain B
Enter the object names to select:

This is where I want to select my Domain Global group from Domain B.  But AD will not find the group - or any group or user from domain B; it only brings the "name not found" box up.

What stage am I missing please?

This Question has been solved and asker verified.

Asked on: 2006-09-14 at 04:35:45, ID: 21989246
Tags: 2003, create, resource, trust
Topic: Windows 2003 Server
Participating experts: 2
Points: 500
Comments: 7

Answers

 

by: ncrones, posted on 2006-09-14 at 12:57:56, ID: 17523867

try changing the domain global group in B to a Universal Group (properties of the group and click the radio button)

then try again

 

by: bgcm12, posted on 2006-09-14 at 15:36:01, ID: 17525014

Tried that - it won't take any type of user or group - Domain A can't seem to find any objects within the domain B - although A knows B is there and trusts it.

Thanks anyway.

 

by: sabby447, posted on 2006-09-15 at 06:03:28, ID: 17529029

I tried to configure two test machines with Windows 2003 Enterprise Edition and tried to create the same scenario, and it worked for me. Now here is my suggestion:

On Security Tab of the directory in Domain A.

1. When you select Domain B in the locations then click on Advanced and click find now without typing anything and watch if it is able to find anything at all from Domain B.

Cross verify that you see Domain B in the outgoing trust on domain A and Domain A in incoming trust on Domain B.

If this doesn't work then try to delete the trust and recreate it, as it hardly takes a minute to create the same.

Update about the results, awaiting reply.

Here are the steps which I followed.

On Domain A I opened Domains and Trusts and clicked New Trust, clicked Next and provided the domain name A.
Choose the 3rd option, One Way Outgoing, and click Next.
Choose the 2nd option, both this domain and the specified domain, and click Next.
Provide the administrator username and password of the specified domain, that is domain B, and click Next and again click Next.
Choose confirm outgoing trust and click Next and click Finish.

Then try to add the group or user from Domain B to the Security list of the folder in Domain A.

Also check if there is proper network connectivity between the file server and the Domain A domain controller.

 

by: bgcm12, posted on 2006-09-15 at 10:44:04, ID: 17531208

Thanks for your efforts Sabby - very much appreciated.

I have left work for the weekend now so I cannot try out all your suggestions until Monday morning.  Here is what I know already....

1. Domain A is unable to find any objects within A - I have tried numerous times, through advanced and even through command line.
2. The trust is outgoing on A and incoming on B - I removed the trust from domain B and recreated that side and verified correctly.  Before I had recreated this side I could not verify the trust - there was a problem with the security control.
3. This set-up has worked for me in the past - I already have a security group from B in a domain local group in A accessing domain A resources.  This group can still access the resource across the trust.
4. I haven't yet completely removed the trust and recreated it for fear of making the problem worse and losing the access I already have from B into A.
5. I only have a small network - the DC and fileserver on Domain A are one-and-the-same machine.  Network connectivity seems fine.

So, I think you are right - I have to try completely removing the trust from both sides and recreating following the steps you mention.

I will report back Monday morning.

Thanks again,

Ben.

 

by: bgcm12, posted on 2006-09-19 at 01:50:43, ID: 17549925

Hello,

Hope you had a good weekend.  Unfortunately recreating the trust did not solve the problem.

I believe that the problem is within DNS as there are many errors in the event log of the DNS server (DC) in domain B.  The log is littered with 3 distinct errors and 1 warning.  Any light shed on this would be greatly appreciated.

(NB. "PDC2" is the DC/DNS server for Domain B)

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4010
Date:            18/09/2006
Time:            15:45:51
User:            N/A
Computer:      PDC2
Description:
The DNS server was unable to create a resource record for  01eb85ee-1a2e-4c48-8962-7565355adc37._msdcs.park-high.local. in zone Park-High.local. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 00 00 00               {...    

****************************************

Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      9999
Date:            18/09/2006
Time:            09:16:47
User:            N/A
Computer:      PDC2
Description:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that preceded these run-time events. The data is the number of events that have been suppressed in the last 60 minute interval.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 1c 00 00 00               ....    

******************************************

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            18/09/2006
Time:            07:10:47
User:            N/A
Computer:      PDC2
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    

*******************************************

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4015
Date:            21/08/2006
Time:            10:10:24
User:            N/A
Computer:      PDC2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 00 00 00               Q...    

 

by: bgcm12, posted on 2006-09-28 at 06:02:56, ID: 17618785

Solved:

The second network card in Domain A's PDC had an IP address in the Domain B range.  The DNS server for this network card was pointing to localhost (127.0.0.1).  I pointed it to the IP of Domain B's DNS server and Bob became my uncle.
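
A check for the condition described in the post above, as an added example that is not part of the original thread: it asks every DNS server configured on every adapter for the trusted domain's DC locator SRV record and flags the ones that cannot answer. It assumes Windows 8 / Server 2012 or later (the `Get-DnsClientServerAddress` and `Resolve-DnsName` cmdlets), and `domainb.example` is a placeholder for Domain B's DNS name.

```powershell
# Added example (not from the thread). Run on the server in the trusting
# domain (Domain A) whose object picker cannot find objects in Domain B.
param(
    # Placeholder: replace with the DNS name of the trusted domain (Domain B).
    [string]$TrustedDomain = 'domainb.example'
)

# SRV record the DC locator queries to find a domain controller for a domain.
$srvName = "_ldap._tcp.dc._msdcs.$TrustedDomain"

$results = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    # Adapters with no DNS servers configured contribute nothing here.
    foreach ($server in $cfg.ServerAddresses) {
        $found = @()
        $err   = $null
        try {
            # Ask this specific server; keep only SRV answers (the reply may
            # also carry A records for the targets in the additional section).
            $found = @(Resolve-DnsName -Name $srvName -Type SRV -Server $server `
                           -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' })
        } catch {
            $err = $_.Exception.Message
        }

        [pscustomobject]@{
            Interface   = $cfg.InterfaceAlias
            DnsServer   = $server
            Loopback    = $server -like '127.*'
            CanLocateDC = $found.Count -gt 0
            Targets     = ($found.NameTarget -join ', ')
            Error       = $err
        }
    }
}

$results | Format-Table Interface, DnsServer, Loopback, CanLocateDC, Targets -AutoSize

# Any server listed here cannot resolve the trusted domain's DCs. A loopback
# entry on an adapter facing the other domain is the case from the thread.
$results | Where-Object { -not $_.CanLocateDC } | ForEach-Object {
    Write-Warning ("{0}: DNS server {1} cannot resolve {2} ({3})" -f
        $_.Interface, $_.DnsServer, $srvName, $_.Error)
}
```

A server that fails this lookup needs a forwarder, conditional forwarder or secondary zone for the trusted domain, or the adapter should point at a DNS server that has one.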

 

by: bgcm12, posted on 2006-09-28 at 06:04:21, ID: 17618796

Thanks for the effort Sabby.
