User Access to domains

intellie_ex asked
Medium Priority
Last Modified: 2010-04-18
I have a head office and remote sites.

Head office is the main DC and is running DNS.

Remote sites also have domains which are in the existing forest; all of this is connected with site-to-site VPN to head office.

My users replicate throughout the forest.

At the remote site, I added a workstation to the domain and was setting up some GPO. I specified a shared folder on the remote domain with a wallpaper image, and it didn't show up. So I tried to go to my domain \\domain, and I got an error that the current user does not have access to the resources.

I logged off and logged in as admin, and I had access.

What can be the problem?

Where do I specify which users have access to which domain?

Top Expert 2005

Be careful to keep in mind that you have 2 domains - which, by definition, are security boundaries.

If you just want the remote domain to get the wallpaper, then the GPO will have to be created on the remote domain and linked so that users in that domain are affected by it.

The share also needs to be accessible on that domain.


No, it's not just wallpaper, I want the whole thing......


I understand that wallpaper has to be pointed to the domain at the site.  It's not the problem.

I have a workstation on that subnet.  It logs onto the domain with the user I created in my PDC in head office. I can apply the GPO for that user in head office and they replicate, but the wallpaper feature doesn't work because that user does not have access to the domain. If I log out and log in with the admin info, I can browse the local and parent server.

Top Expert 2005

So you have a user from the parent domain logging into the child (?) domain or a separate domain in the Forest.

The GPO that applies for the user is the one that is in the parent domain since that is where the User account is located.

Can you attach to the share once the user is logged on?  Try opening the share like this:  \\servername\share  from the Run box.  If you cannot open it, then there is a Trust issue (even though there shouldn't be).

My feeling is that DNS is not configured correctly on the other domain to allow the User from the parent domain to find the share (just a guess).

Let us know.


Here is what I did from the beginning. I have many remote sites... and they will connect with secure VPN.. It's a retail business.

First I set up my main domain in head office. DNS was configured automatically.

Then I used the following steps that someone pointed me to:

Everything is replicating. I create and edit the GP on my head office domain, and the policies replicate to my remote domain. The users and OU that I created also replicate, because I can see them on the remote domain.  But I cannot access the shared resources on both domains with the new user I created.

If I log in with the domain admin member I can access the shared resources on the domains.

I'm not too familiar with DNS, so yes, there might be an error.

Top Expert 2005

I think the confusion lies in what you keep referring to as "remote domain".  Are all remote locations in the same domain, or have you created a new domain for each remote location?  It makes a difference.


The remote domain is in an existing domain.
So my head office : abc.domain.net
remotes              : def.domain.net

Top Expert 2005

This (I think) is your problem.

Where is domain.net?

As it stands, all these domains you have are not child domains of any parent.

You're going to have to change the scope on all your zones so that they replicate to all DNS servers in the Forest in order to get the zones on all DNS servers.  Other than that, you can create secondary zones on all servers for the rest of the domains and have them sync with the primary for each domain.


domain.net is in location 1.

I have retail stores throughout the country, let's say.

There is a server in each store. I have POS terminals connecting to it for our POS software.


But the DNS replicates already, because I set that up in ADSS.

Top Expert 2005

OK, so if domain.net exists then the following should be true:

1)  The _msdcs.domain.net Forward zone should exist on every server.
2)  The Forward Zones for each domain should exist on the respective DC that hosts that domain.
3)  The Reverse Zones should exist on the domains they service.

Is that much correct?
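A way to check the two points made above (zone replication scope in the earlier reply, and the expected _msdcs and per-domain zones in this one) on a modern DC. This is an added example, not something posted in the thread; it assumes the DnsServer PowerShell module (Windows Server 2012 or later), DNS admin rights, and placeholder names for the DC and forest root.

```powershell
# Added example (not from the thread): audit AD-integrated DNS zones on one DC
# and flag any that are not replicated to every DNS server in the forest.
# Assumes the DnsServer module; server and forest root names are placeholders.
param(
    [string]$DnsServer  = 'DC01.abc.domain.net',   # placeholder, not from the thread
    [string]$ForestRoot = 'domain.net',            # forest root named in the thread
    [switch]$Fix                                   # default is report only
)

Import-Module DnsServer

# Skip the auto-created zones (0.in-addr.arpa etc.), which are not replicated anyway.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

# The expert's point 1: _msdcs.<forest root> has to be present on every DNS server.
if (-not ($zones.ZoneName -contains "_msdcs.$ForestRoot")) {
    Write-Warning "_msdcs.$ForestRoot is not hosted on $DnsServer; cross-domain DC lookups will fail here"
}

foreach ($z in $zones) {
    $kind = if ($z.IsReverseLookupZone) { 'reverse' } else { 'forward' }
    if ($z.ReplicationScope -eq 'Forest') {
        Write-Host ("OK     {0,-35} {1,-8} scope=Forest" -f $z.ZoneName, $kind)
        continue
    }
    # 'Domain' or 'Legacy' scope means DCs in the other domains never receive this zone,
    # which matches the symptom of a parent-domain user unable to find a remote share.
    Write-Warning ("{0,-35} {1,-8} scope={2}: not replicated forest-wide" -f $z.ZoneName, $kind, $z.ReplicationScope)
    if ($Fix) {
        # Moves the zone into the ForestDnsZones partition; AD replication then
        # delivers it to every DNS server that is also a DC in the forest.
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $z.ZoneName -ReplicationScope Forest
        Write-Host ("FIXED  {0,-35} scope=Forest" -f $z.ZoneName)
    }
}
```

Run it once per DC without -Fix first; the zones that every site must resolve (the forest root and _msdcs) are the ones worth moving to forest scope, while a reverse zone that only one site uses can stay domain-scoped.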


yes, all that replicated to the new domain...


OK, tell me, is it better to have a child domain, or another domain in the forest for remote sites?


Top Expert 2005

I'm back, sorry.  I was admitted to hospital last Friday and just got out today.

Personally, one domain is the best method.  Each location can be represented by an OU.

Regardless, can you bring me back up to speed on this?


OK, I'm looking to get some advice with my whole network structure for a company.

It's a retail business with a head office and stores.

Head office has 1 different parts to it: office area and warehouse. In the office I have 10 users, some printers. In the warehouse I have 20 computers which connect to a server for the database, and I have managers who manage that part.

In the stores I have a server with a database, a manager's PC and 4-9 Windows-based point of sale registers. I have SonicWall firewalls, with which I will set up VPN between the stores and head office so the databases at the stores can sync with head office.

The software that we use for our retail part gets updated about 1-4 times a month.

Now this is where it gets a little tricky.

This software gets updated from version to version. I have to manually do this for every location.  I run the update on the server. Then I start the program on the server; it tells me that it's been updated and asks me if I want to update the database to the newer version. I hit yes, and it updates.

The first time another PC connects to the database it tells the user that he needs to update to the current version; they click yes, and it automatically gets updated, then the user runs the program again and can enter.

My problem with this is that if I have a laptop user who connects to a different location when he is physically there and has a newer version on his laptop, he forces the server to update, and that creates a big problem.  So somehow auto update from head office?

I will have another server for Exchange 2003. I have 3 different domains that I want to use with Exchange. I will also want to use my Exchange as an SMTP server, because I have laptop users who travel and need to send from different locations.

So basically, what is the best structure to use for servers in the stores?

Make it a new DC in a forest? Or make a child domain?

And the DNS settings, so if the VPN goes down, the store server will not fail. I need some help with configuration for that.

For now that's all, but I do have more questions and I will start a new question for that..

Top Expert 2005

OK, here is what I would do (and this is only my opinion based on experience):

1)  This whole company can be structured under one domain.
2)  Each DC in the remote sites can be managed locally (if desired) by delegating control of portions of the Active Directory.
3)  Your Head Office can be the root DC and be set up in its own OU.
4)  Each physical site can be represented by an OU also.
5)  Sites in AD Sites and Services can be defined for each physical site and subnet.  The correct server can be moved into their respective site.
6)  It is critical that each site be using a different subnet.  When all these sites are connected, their addressing must be unique.

As for the program - the client should NOT update the server.  Every custom application I've dealt with that has the Autoupdate feature you describe will notify and update the client, but will not allow new clients to connect to the old backend version of another server until the server is updated.  This sounds as if the vendor should be writing this check into their code or providing a mechanism to allow you to change this behaviour on the server side.

DNS is easily managed - especially in a single domain model.  For redundancy - the clients will continue to function locally (the DC locally should also be a GC) since DNS is accessible as is a domain controller.  If the WAN link is down or the link to the main site is down then clients should still be okay locally unless they obviously map to something on the main site.


OK, so basically I should go with 1 DC in head office.
Each of the remote site servers will also be a DC in the current domain.
Set up replication between the remote DC and head office with GC enabled for the remote DC.
Once the replication has finished to the remote site, install DNS and point each remote DC to itself.

Is this it? If so, I had that. But when I added a new user in my main DC and the user got replicated to the remote DC, that user can see the folders shared on the remote server, but could not browse. Once I logged on as admin, I can access all folders. I checked the permissions and everything looked good.

What the hell am I doing wrong?

Top Expert 2005

Yes, this is exactly it.  If you have full-time, high-speed links between sites then there is no need to setup replication at all - KCC will take care of this automatically.

You will need to setup Sites in AD Sites and Services and associate the proper subnets to them.  The Default-First-Site-Name is the main site and should be renamed accordingly, but you MUST use it for the root site since everything is configured for it during the initial DCPROMO.

You're doing nothing wrong.  Browsing across subnets can only be done using WINS or static LMHOSTS files.  You should be able to open Start>Run and type in the share exactly and it opens.


If there are permission issues, then you need to deal with those.  By Default, the Everyone group has Full Control on the share - this should be changed to Authenticated Users - Full.  The NTFS permissions are where you will be setting proper permissions on the actual folder and subfolders.

Let me know.
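The share-permission advice above (replace Everyone with Authenticated Users on the share, then restrict with NTFS), as an added example that was not part of the thread. It assumes the SmbShare module (Windows Server 2012 or later) and local administrator rights on the file server; without -Fix it only reports.

```powershell
# Added example (not from the thread): find SMB shares that still grant
# "Everyone" and swap that entry for "Authenticated Users", leaving the
# real restriction to the NTFS ACL on the folder. Assumes the SmbShare module.
param(
    [switch]$Fix   # default is report only
)

Import-Module SmbShare

# Skip the administrative shares (C$, ADMIN$, IPC$); only user-created shares matter here.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

foreach ($s in $shares) {
    $acl      = Get-SmbShareAccess -Name $s.Name
    $everyone = $acl | Where-Object { $_.AccountName -eq 'Everyone' }

    if (-not $everyone) {
        Write-Host ("OK     {0,-20} no Everyone entry on the share" -f $s.Name)
        continue
    }

    foreach ($e in $everyone) {
        Write-Warning ("{0}: Everyone has {1} ({2}) on the share" -f $s.Name, $e.AccessRight, $e.AccessControlType)
    }

    if ($Fix) {
        # Share-level: Authenticated Users Full, so any domain account gets past the share
        # and the NTFS permissions below decide who can actually read or write.
        Revoke-SmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force
        Grant-SmbShareAccess  -Name $s.Name -AccountName 'NT AUTHORITY\Authenticated Users' -AccessRight Full -Force
        Write-Host ("FIXED  {0,-20} Everyone -> Authenticated Users (Full)" -f $s.Name)
    }

    # NTFS-level: this is where a user that "can see the share but cannot browse" is
    # usually blocked. Show the folder ACL so it can be compared with the share ACL.
    Write-Host ("NTFS   {0} ({1}):" -f $s.Name, $s.Path)
    (Get-Acl -Path $s.Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

A user who is allowed at the share level but has no matching Allow (or an explicit Deny) in the NTFS output is the case described in the question; fix that on the folder, not by widening the share.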

thanks for the info...