Cross domain shares

I am getting stumped.

I have a test environment set up. I am trying to get a client in one domain to access shares in a seperate domain. Also have a user in one domain access an exchange server in that seperate domain. I have a single forest with 2 seperate domains.
ABC.local and XYZ.local. I have 2 sites setup SiteA and SiteX with a DC in each. The trusts seem to be setup and each site has a GC. The DC is also a file server and the XYZ.local hosts the exchange server. Which is also the Schema master. What I want is the least amount of CALs needed to purchased.

User logs into ABC.local takes up a CAL. This client is able to access a share on Server.ABC.local using the group I created in the ABC.local domain. Then I browse to a share on the Server.XYZ.local in which I created a group and added the user to that group. But this user cannot even open the share. I give everyone full and full, Share and NTFS. I don't see any errors in the event viewer on either server. I do see a CAL taken up on the Server.XYZ.local stating it is from the ABC domain.

What am I missing? The purpose of this exercise is so a user in ABC.local can access their mailbox in XYZ.local without creating the same user in both domains and having to purchase a user CAL in both. If I can't even get this share working I am not sure I will be able to get the mailbox working.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Try creating a local group on for access to the NTFS folder.  On the share use Authenticated Users - Full.

Create another Global Group for the cross-domain users - add this to the local group you created above.  Now, add the user to the Global Group.

He/She will need to log off then back on to reset their access token.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Templar_mAuthor Commented:
I tried that and but went through your steps to make sure we are on the same page. I am getting this message on the client when I try to access the share.

"Configuration information could not be read from DC. Either because the machine is unavailable or access has been denied."
Templar_mAuthor Commented:
Just a note. I can access the SYSVOL on that domain controller.
Templar_mAuthor Commented:
It worked. I assumed I was able to access the server using the \\XYZ.local\share. I was able to see the share but not access it. I put the \\Server.XYZ.local\share and that worked. My assumption was based on the fact I was able to access the SYSVOL.

Interesting lesson.

Yes.  You must access the share by \\servername\share.

If you want to access shares by \\domain\share you need to use DFS - but cross domain access adds another level of permissions to figure out.

Glad you're up and running.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.