User Access to domains

I have a head office and remote sites.

head office is the main DC and is running dns

remote sites also have domain which are in the existing forest, all of this is connected with vpn site to head office

My users replicate through out the forest

At the remote site, i added a workstation to the domain, and was setting up some GPO. I specified a shared folder on the remote domain with a wallpaper image. and it didn't show up. So i try to go to my domain \\domain. and i got an error that the currect user does not have access to the resourses.

I loged off, and log in as admin, and i had access.

what's can be the problem?

Where do i specify which users have access to which domain.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Be careful to keep in mind that you have 2 domains - which, by definition, are security boundaries.

If you just want the remote domain to get the wallpaper, then the GPO will have to be created on the remote domain and linked so that users in that domain are affected by it.

The share also needs to be accessible on that domain.

intellie_exAuthor Commented:
No, it'snot just wallpaper, I want the whole thing......
intellie_exAuthor Commented:
I understand that wallpaper has to be pointed to the domain at the site.  It's not the problem.

I have a Workstation on that subnet.  It logs onto the domain with the User i created in my PDC in head office. I can apply the GPO for that user in head office and they replicate, but the walpaper feature doesn't work because that user does not have access to the domain. I i log out and login with the admin info, i can browse the local and parent server.

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

So you have a user from the parent domain logging into the child (?) domain or a separate domain in the Forest.

The GPO that applies for the user is the one that is in the parent domain since that is where the User account is located.

Can you attach to the share once the user is logged on?  Try opening the share like this:  \\servername\share  from the Run box.  If you cannot open it, then there is a Trust issue (even though there shouldn't be).

My feeling is that DNS is not configured correctly on the other domain to allow the User from the parent domain to find the share (just a guess).

Let us know.
intellie_exAuthor Commented:
Here is what i did from begginng. I have many remote sites... and they will connect with secure vpn.. It's a retail business

First i setup my main domain in head office. dns was configured automaticaly.

Then i used the following steps that some one pointed me to: 

Everything is replicating, I creat and edit the GP on my head office domain, and the policies replicate to my remote domain. The users and ou that i created also replicate, because i can see them on the remote domain.  But i can not access the shares resourses on both domains with the new user i created.

If i log in with the domain admin member i can access the shared resourses on the domains.

i'm not not 2 familiar with dns, so yes there might be an error.

I think the confusion lies in what you keep referring to as "remote domain".  Are all remote locations in the same domain, or have you created a new domain for each remote location?  It makes a difference.

intellie_exAuthor Commented:
the remote domain, is in an existing domain.
so my head office :
remotes               :
This (I think) is your problem.

Where is

As it stands, all these domains you have are not child domains of any parent.

You're going to have to change the scope on all your zones so that they replicate to all DNS servers in the Forest in order to get the zones on all DNS servers.  Other than that, you can create secondary zones on all servers for the rest of the domains and have them sync with the primary for each domain.

intellie_exAuthor Commented: is in location 1

I have retail sotes through out the country let's say.

There is a server in each store. i have pos terminals connecting to it for out pos software.

intellie_exAuthor Commented:
But the DNS replicates already, because i set that up in ADSS
OK, so if exists then the following should be true:

1)  The Forward zone should exist on every server.
2)  The Forward Zones for each domain should exist on the respective DC that hosts that domain.
3)  The Reverse Zones should exist on the domains they service.

Is that much correct?

intellie_exAuthor Commented:
yes, all that replicated to the new domain...
intellie_exAuthor Commented:
k tell me, is it better to have a child domain, or another domain in forest for remote sites?
intellie_exAuthor Commented:
I'm back, sorry.  I was admitted to hospital last Friday and just got out today.

Personally, one domain is the best method.  Each location can be represented by an OU.

Regardless, can you bring me back up to speed on this?
intellie_exAuthor Commented:
K, I'm looking to get some advice with my whole network structure for a company.

It's a retail business with a head office and stores.  

Head office has 1 different parts to it. Office area and Warehouse. In the office i have 10 Users, some printers. In warehouse I have 20 computes who connect to a server for the database, and i have managers who manage that part.  

In the stores I have a server with a database, managers pc and  4-9 Windows based point of sale registers. I have Sonicwall Firewalls, with which i will setup VPN between the stores and head office so the databases at the stores can sync. with head office.  

The software that we use for our retail part get's update about 1-4 times a month.  

Now this is where it get a little tricky.

This software gets update from version to version. I have to manually do this for every location.  I run the update on the server. Then I start the program on the server, it tells me that it's been updated and asks me if i want to update the database to the newer version. I hit yes. and it updates.  

The fist time another pc connects to the database it tells the user that he need to update to the currect version, they click yes, and it automatically get's updated, they the user runs the program again, and can enter.  

My problem with this is that if i have a laptop user who conencts to different location when he is physycally there and has a newer version on his laptop he forces the server to update. and that creates a big problem.  so some how to auto update from head office?

I will have another server for Exchage 2003. I have 3 different domains that i want to use with the exchange. I will also what to use my exchange as a smtp server, because i have laptop users who travel and need to send from different locations.

so basically what is the best structure to use for servers in the stores?

make it a new DC in a forest? or make a child domain?

And the DNS settings, so if the vpn goes down, the store server will not fail. I need some help with configuration for that.

For now that's all, but i do have more Questons and i will start a new Qestion for that..

OK, here is what I would do (and this is only my opinion based on experience):

1)  This whole company can be structured under one domain.
2)  Each DC in the remote sites can be managed locally (if desired) by delegating control of portions of the Active Directory.
3)  Your Head Office can be the root DC and be setup in it's own OU.
4)  Each physical site can be represented by an OU also.
5)  Sites in AD Sites and Services can be defined for each physical site and subnet.  The correct server can be moved into their respective site.
6)  It is critical that each site by using a different subnet.  When all these sites are connected, their addressing must be unique.

As for the program - the client should NOT update the server.  Every custom application I've dealt with that has the Autoupdate feature you describe will notifiy and update the client, but will not allow new clients to connect to the old backend version of another server until the server is updated.  This sounds as if the vendor should be writing this check into their code or providing a mechanism to allow you to change this behaviour on the server side.

DNS is easily managed - especially in a single domain model.  For redundancy - the clients will continue to function locally (the DC locally should also be a GC) since DNS is accessible as is a domain controller.  If the WAN link is down or the link to the main site is down then clients should still be okay locally unless they obviously map to something on the main site.

intellie_exAuthor Commented:
K, So basically I should go with 1 DC in Head Office
each of the remote site server will also be a DC in currect domain.
Setup replictation between remote DC and head office with GC enabled for remote DC
Once the replication finished to the remote site, install DNS and point each remote DC to its self.

Is this it? if so I had that. but when i added a new user in my main DC and the user got replicated to the remote DC, that user can see the folders shared on the remote server, but could not browse. Once i loged on as admin, i can assess all folders. I checked the permisions and everything looked good.

What a hell am i doing wrong?
Yes, this is exactly it.  If you have full-time, high-speed links between sites then there is no need to setup replication at all - KCC will take care of this automatically.

You will need to setup Sites in AD Sites and Services and associate the proper subnets to them.  The Default-First-Site-Name is the main site and should be renamed accordingly, but you MUST use it for the root site since everything is configured for it during the initial DCPROMO.

You're doing nothing wrong.  Browsing across subnets can only be done using WINS or static LMHOSTS files.  You should be able to open Start>Run and type in the share exactly and it opens.


If there are permission issues, then you need to deal with those.  By Default, the Everyone group has Full Control on the share - this should be changed to Authenticated Users - Full.  The NTFS permissions are where you will be setting proper permissions on the actual folder and subfolders.

Let me know.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
intellie_exAuthor Commented:
thanks for the info...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.