

Weird forest trust / access denied issue

Posted on 2006-04-10
Medium Priority
Last Modified: 2008-02-01
I've just set up a 2nd forest to test disaster recovery procedures for an Exchange server.  Everything seems ok, but I have one share which I'm unable to access from the test network.

Now I have 2 forests, each containing a single domain.  Trusts have been set up in both directions for these domains.  I've also configured each DNS server to act as a secondary server for the other domain.  Net result:  I can assign permissions quite happily to any account on either domain.

Problem:  One particular share is inaccessible from the test server.  Since this contains the source for exchange 2000 server, this presented a bit of a problem.  I've tried adding specific users or groups from the test network onto that share.  I've checked share and NTFS permissions.  I've even tried adding users from the test network into the users account on that machine.  Nothing seems to work.  I'm doing all this from the Administrator account on the test network.

Now, bizarrely, I've just found that I'm able to access the C$ share.  This works for the server giving me problems, and my own machine.  So it appears the admin on the test network has domain admin rights on the live network.

This does give me a workaround for my problem, but I'd still really, really love to know why I still get an access denied error for this particular share when C$ works fine...

Question by:myxiplx

Author Comment

ID: 16416126
Grrr, found it.... I'd set the local admin and domain admin passwords identically on the test network.  Not a problem, but guess who was using the local account without realizing it.  Domain permissions don't do you much good if you're not logged onto the domain...

I'm guessing the C$ share worked because I've used the same local admin password on the test network as I use on the live network.  All machines have the same username and password for the local admin account, so it's not really surprising I'd be able to get admin access.  The particular share I was struggling with however had explicit permissions set, only allowing access to domain admins and to a specific domain account on the test network.

In summary:
If you want to link two Windows 2000 forests, it's far easier than I thought:
 - Configure the DNS server for each domain to also run as a secondary server for other domains you need to access.
 - Create the trusts between the domains using Active Directory Domains & Trusts
 - Grant permissions as usual.

The only problem to look out for is that some groups cannot contain cross-forest members.  You need to either use Local or Universal groups.  If you want to be lazy, add each domain's "Domain Admins" group to the "builtin\Administrators" group on the other domain.

Posting this here in case it's useful to anybody else :)
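The root cause above was a session running as the local Administrator rather than the domain Administrator, masked by identical local admin passwords on both networks. The following PowerShell script is an added example, not code from the original post: it walks the checks a practitioner would run from the test-forest machine before touching share permissions (which identity the session actually holds, whether the token carries Domain Admins, whether the other forest resolves in DNS, what trusts this domain sees, and whether C$ and the problem share open with the current token). The server, share and domain names are placeholders chosen for this example.

```powershell
# Added diagnostic script (example only; not from the original post).
# Run on the machine in the test forest that receives "access denied".
# All names below are placeholders for this example; substitute your own.
param(
    [string]$FileServer  = 'fs01.live.example',  # file server in the other forest
    [string]$ShareName   = 'ExchangeSource',     # the share that returns access denied
    [string]$OtherDomain = 'LIVE'                # NetBIOS name of the trusted domain
)

# 1. Which account is this session really using?  The local Administrator and
#    the domain Administrator share a user name, so look at the authority (the
#    part before the backslash) and at the group SIDs in the access token.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$authority = $me.Name.Split('\')[0]
if ($authority -ieq $env:COMPUTERNAME) {
    Write-Warning ("Logged on as the LOCAL account {0}. Permissions granted to " +
                   "domain accounts or groups do not apply to this session.") -f $me.Name
} else {
    Write-Host "Logged on as domain account $($me.Name)"
}

# RID 512 is Domain Admins in every domain; its presence in the token settles
# whether this session can rely on Domain Admins permissions at all.
$domainAdmins = $me.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' }
if ($domainAdmins) {
    Write-Host "Token carries Domain Admins SID(s): $($domainAdmins.Value -join ', ')"
} else {
    Write-Warning 'Token carries no Domain Admins SID'
}

# 2. Name resolution across the forests: the secondary zone must answer for the
#    other domain, or Kerberos/NTLM never gets as far as the trust.
try {
    $addr = [System.Net.Dns]::GetHostAddresses($FileServer) | Select-Object -First 1
    Write-Host "$FileServer resolves to $addr"
} catch {
    Write-Warning "Cannot resolve $FileServer. Configure the secondary zone for the other domain first."
}

# 3. The trusts this domain knows about, as reported by nltest (ships with
#    Windows; on Windows 2000 it is in the Support Tools).
& nltest /domain_trusts | Out-Host

# 4. Compare the admin share with the problem share using the current token.
#    Test-Path returns $false both for "access denied" and for "not found",
#    so a resolved name (step 2) matters before reading anything into a failure.
$adminShare   = "\\$FileServer\C$"
$problemShare = "\\$FileServer\$ShareName"
foreach ($path in $adminShare, $problemShare) {
    if (Test-Path -LiteralPath $path) { Write-Host    "OK      $path" }
    else                              { Write-Warning "DENIED  $path" }
}

# 5. Who the problem share actually grants NTFS access to.  If only domain
#    principals appear here, a local-account session can never match them.
try {
    (Get-Acl -LiteralPath $problemShare).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize | Out-Host
} catch {
    Write-Warning "Cannot read ACL on $problemShare : $($_.Exception.Message)"
}
# Share-level permissions are held on the server, not in NTFS; on the server,
# "net share ExchangeSource" (placeholder share name) lists them.

# 6. Did C$ open through the trust, or because the remote local Administrator
#    password matches this machine's?  Mapping with explicit credentials tells
#    the two apart; run these by hand (the "*" prompts for the password, and
#    drop any existing connection first to avoid error 1219):
#     net use \\fs01.live.example\C$ /delete
#     net use \\fs01.live.example\C$ /user:LIVE\Administrator *
#     net use \\fs01.live.example\C$ /delete
#     net use \\fs01.live.example\C$ /user:fs01\Administrator *
# If the second form succeeds, the shared local password, not the trust, is
# what opened C$: the same password on every machine in both forests means one
# compromised box grants admin on all of them, so set distinct local passwords
# once the DR test is over.
```

Step 1 is the one that would have caught this case immediately: a session whose authority is the computer name has no domain SIDs, so an ACL restricted to Domain Admins and one domain account cannot match it however the share is configured. Step 6 is what separates "the trust works" from "the same local password works", which the C$ result alone cannot do.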

Accepted Solution

EE_AutoDeleter earned 0 total points
ID: 16592933
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

