everythingbutthemoo asked:

Parent Domain Universal Group Not Showing in Child Domain Account "MemberOf" tab

Parent Domain mode: Windows 2000 Native, Child Domain mode: Windows Server 2004

If I manage the Universal Group in the Parent Domain I can add the account from the child domain but when I look at the "MemberOf" tab of the child domain account the Parent Domain Universal Group does not show up.

Also, if I manage the child domain user account, "MemberOf" tab and try to add a group I can only select groups from the local domain not the parent domain.

I wrote a VBScript that will dump the group members for an account.  When I run the script against the child domain account it dumps all the group memberships including the parent domain groups.

I tried forcing replication and that did not help.

Looking for any hints as to what to look at next.
Jay_Jay70

Hi everythingbutthemoo,

When you are in the "memberof" TAB and adding the users, are you telling it to look in the parent domain in the locations box?

Cheers!
And what are we trying to accomplish here?  Universal Groups are normally used to bring Global Groups together..  

We discussed this in detail in another thread, which may help you here:

https://www.experts-exchange.com/questions/21525640/Need-help-to-structure-AD.html
everythingbutthemoo (ASKER)

The goal is to create an empty root domain by moving all of the groups and users in the parent domain to the child.

The other goal is not to cripple the company in the process so we will be moving users a few at a time, dept. by dept.

In order to do this we create the OU and user accounts for the department along with all the groups relevant to that department.  So the HR department's accounts and groups are in the child domain but as is always the case there are a few HR people that need to access objects outside of their department so they need to be members of groups that are yet to be migrated in the parent domain.  Since Global groups can only have accounts from their own domain we had to make all of the global groups into Universal groups.  That way existing parent domain accounts could live side by side with child domain accounts in the same group.  Eventually all of the groups and accounts will be moved to the child domain so this is a transitional thing.

Beyond that I think we are going to keep using Universal groups and Domain Local groups exclusively in the new domain and not Global groups.  In our size of domain, 1000 users or so, I don't think Global inside of Universal inside of Domain Local makes much sense.  I don't want to have more groups than users and I've seen that happen before.  This company is a bit volatile in its acquisitions and sell-offs so I may have to create a new child domain tomorrow and want the ability to assign accounts to groups across the domains.  I like the flexibility of Universal groups and am willing to give up a little bandwidth in the tradeoff.

I am aware of the Global Catalog implications but I believe that to be negligible especially since now under our 2003 Domain only changes in the Universal group are replicated and not the whole list.  All of our domain controllers are also global catalog servers.

Anyone that wants to shoot a hole in my logic please feel free...


As to my original question; that I have answered myself... http://support.microsoft.com/default.aspx?scid=kb;en-us;833883
ASKER CERTIFIED SOLUTION
Fatal_Exception

Did not have to do that, but thanks for closing this out and awarding pts!  :)

FE