Windows 2003 Active Directory Question - Linking ADs

Hey everyone,

I'm not sure the best way to go about this...but I know it has to be the Microsoft way...and not some roundabout way of doing this.  Here is the setup.

Inside Active Directory Users and Computers you would see: 1 Forest with 2 Domains

Europe - default users
Asia - A group called Sales

How do I add the default users to the Asia domain so that they can have security set on their profiles?


not easy to understand your question..
mcsween (Sr. Network Administrator) Commented:
The way I understand this is..

you have a Forest and beneath it you have a domain called Asia and a domain called Europe?

To add users from the Asia domain to a group in the Europe domain or vice versa you would have to use either a Global Group or a Universal Group.  If this is for security I suggest using a Universal group, except if you will be changing the group membership a lot.  If you will be changing the group membership a lot then use a Global group to cut down on replication.  It might take slightly longer to authenticate with a global group if there isn't a DC for each domain at the site the user is at.

Why would you want to do that?  A user from either domain can log into a computer from either domain, with roaming profiles they are still the same user account.

If a user from Europe wanted to use a computer in Asia, he/she simply has to use the dropdown to select the Europe domain then log in.  They can also use their full account logon name - on the Asia computer.

Either logon method will get them their own profile.  The only issue is if it's on a server in the location and it will take time to load.  You can get around this using DFS and Sites.

inverted_2000 (Author) Commented:
It was a question on my 290 exam that I know I missed because I didn't understand why they would want me to do that...but nonetheless...they did.

So in AD I had both Europe and Asia listed as domains.  There was a group called Sales in the Asia Users bucket.  I needed to add the users from the Europe domain to have the same permissions and resources as the Asia domain's users that were in the Sales OU...

I didn't think it would be hard...but they took out a bunch of options and I couldn't simply add the Users OU from the Europe domain to the Asia domain...
Well, for starters, you can't add a Global Group from one domain into a Global Group from another.

The correct method is to add a Global Group from Europe into a Domain Local Group in Asia.


Create a Universal Group, place Global Groups from each domain containing the users from each domain that you want to affect, then add the UG to the domain local group that has access to the resources.

UGs require both domains to be in Native mode and have a 2 way trust between Forest Root DCs.

Global groups do not require Native mode, but do require the 2 way trust.

Anything there look familiar in the answers?
inverted_2000 (Author) Commented:
Well I didn't get the answers via MS...but let me kick it around and I'll award you the correct response if my mentors at school verify looks to me that both would suffice...but we all know how that is.   Thanks and I'll be back in a day or two (o:
mcsween (Sr. Network Administrator) Commented:
I wasn't suggesting you add a global group from Asia into a global group in Europe.  I was saying you can add the USERS from one domain into a global group in another domain.
mcsween (Sr. Network Administrator) Commented:
Oops, typing waaay too fast.  I mean Domain Local Group, not Global Group...sorry :(
I wasn't suggesting you were - I was simply making a statement.

Let's see what his prof has to say.  Should I gas up the grill now!! :o)

mcsween (Sr. Network Administrator) Commented:
LOL, Gas it up!!
inverted_2000 (Author) Commented:
The professor is on have to figure this one out with you guys (o:
inverted_2000 (Author) Commented: goes my suggestion.

Create a new universal group in the Europe domain and add all of the users in the Europe domain to the new group...let's call it EupUni.

Place the new group EupUni into the built-in Users group for the Asia domain.

This would allow the users of the Europe domain access to the resources of the Asia domain.

Can we agree on that?

Thanks a lot

Are both Forests in Native mode?

inverted_2000 (Author) Commented:
I don't know...should they be and how do I check?
This article tells you how to raise the levels - therefore, you can also use it to see what levels you are currently at:

You must be running in Native mode to use Universal Groups.
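
The group-scope nesting rules debated in this thread, written out as a small checker. This is an added example, not code from any poster or from Microsoft; it models security groups in a single forest, treats "native mode" as one flag covering both domains, and reuses the thread's Europe and Asia domain names in constructed scenarios.

```python
# Added example: AD security-group nesting rules within one forest.
# The function names and the single native_mode flag are assumptions of this sketch.
USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain_local"


def can_add_member(member_kind, member_domain, group_scope, group_domain, native_mode=True):
    """Return (allowed, reason) for adding a member to a security group."""
    same = member_domain.lower() == group_domain.lower()
    if UNIVERSAL in (member_kind, group_scope) and not native_mode:
        return False, "universal security groups need native mode"
    if group_scope == GLOBAL:
        if not same:
            return False, "a global group only takes members from its own domain"
        if member_kind == USER:
            return True, "account from the same domain"
        if member_kind == GLOBAL and native_mode:
            return True, "same-domain global group (native mode only)"
        return False, f"{member_kind} cannot be a member of a global group here"
    if group_scope not in (UNIVERSAL, DOMAIN_LOCAL):
        raise ValueError(f"unknown group scope: {group_scope}")
    if member_kind in (USER, GLOBAL, UNIVERSAL):
        return True, "accounts, global and universal groups from any domain are accepted"
    if group_scope == DOMAIN_LOCAL and same and native_mode:
        return True, "same-domain domain local group (native mode only)"
    return False, "a domain local group nests only in a same-domain domain local group"


def check_chain(chain, native_mode=True):
    """chain lists (kind, domain) from the innermost member to the outermost group."""
    return [can_add_member(mk, md, gk, gd, native_mode)[0]
            for (mk, md), (gk, gd) in zip(chain, chain[1:])]


# Constructed scenarios: accounts -> global -> (universal ->) domain local.
AGDLP = [(USER, "Europe"), (GLOBAL, "Europe"), (DOMAIN_LOCAL, "Asia")]
AGUDLP = [(USER, "Europe"), (GLOBAL, "Europe"), (UNIVERSAL, "Europe"), (DOMAIN_LOCAL, "Asia")]

if __name__ == "__main__":
    print("AGDLP, native  :", check_chain(AGDLP))
    print("AGUDLP, native :", check_chain(AGUDLP))
    print("AGUDLP, mixed  :", check_chain(AGUDLP, native_mode=False))
    print("Europe global -> Asia global:", can_add_member(GLOBAL, "Europe", GLOBAL, "Asia"))
    print("Europe user -> Asia global  :", can_add_member(USER, "Europe", GLOBAL, "Asia"))
```

Granting resource permissions only to the domain local group at the end of the chain keeps access reviewable in one place, whichever nesting path the users arrive by.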
