Forest/Domain Trusts

Posted on 2007-10-08
Last Modified: 2010-08-11
Is there anyway to accomplish the following:

Users in Forest A-Domain 1 need access to resources in Forest B Domain 1...

There is a one way trust between these domains....
ForestB Domain 1 - Trusts ForestA Domain 1

What I wanted to be able to do was add users in Forest A Domain 1 to a global group that exists in Forest B Domain 1...  However, I can't see resources in Forest A Domain 1.  I can add them by creating a Domain local group in Forest B Domain 1, but I cannot then add that Domain Local Group to the Global Group.

What I have come up with is creating the Domain Local Group in Forest B Domain 1, adding members to it from Forest A Domain 1 and then adding that domain local group to the local administrator group of the 5 servers that they need access to. Is this the only way this will work, or is there some other way?

Take into account that for legal reasons there cannot be a two-way trust established AND we can't establish a Forest Trust because ForestA is a Windows 2000 domain/Forest and Forest B is Native Windows 2003.
Question by:dspent
    LVL 9

    Accepted Solution

    No additional trust requirements exist; you're good as you are on the trust front.  The issues with group membership across the trust boundary are by design I'm afraid, since Global Groups only permit members from the same domain as they exist themselves.  Your solution (assuming you intended on granting admin.-level privs.) is by the book.  You could group the users in ForestAdomain1 into a global group first and add that global to your domain local, but it only buys you a negligible reduction in administrative effort.
    LVL 30

    Expert Comment

    Global groups can only contain users from within the same domain as the group.

    In a multi-forest environment, the most scalable way to assign permissions is:

    Account in Domain A goes into Global Group in Domain A.
    Account in Domain B goes into Global Group in Domain B.

    Global Group in Domain A goes into Universal Group in Domain A.
    Global Group in Domain B goes into Universal Group in Domain B.

    Universal Group in Domain A goes into Domain Local Group in Domain B.
    Universal Group in Domain B goes into Domain Local Group in Domain B.

    Domain Local Group in Domain B receives permissions to resource in Domain B.

    By nesting your groups in this manner, when you add new users to DomainA or DomainB, you only need to add them to the appropriate Global Group in their respective domains.
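As an added illustration (not part of the thread or of any Microsoft tooling), the following Python model encodes the group-scope rules the two answers rely on, with the question's one-way ForestB-trusts-ForestA relationship as constructed data. It replays the asker's two rejected attempts, the accepted workaround (user or global group from Forest A into a domain local group in Forest B), shows that the reverse direction fails because the trust is one-way, and flattens the nesting to list which accounts actually end up holding the servers' local admin rights. The group names and the user `alice` are assumptions, and the rules are simplified to the external (non-forest) trust described in the question.

```python
# Constructed trust table: (trusting forest, domain) -> trusted (forest, domain) pairs. No reverse entry = one-way.
TRUSTS = {("ForestB", "Domain1"): {("ForestA", "Domain1")}}

class Principal:
    def __init__(self, name, forest, domain, scope=None):   # scope None = user account
        self.name, self.forest, self.domain, self.scope, self.members = name, forest, domain, scope, []

def can_add(group, member, trusts=TRUSTS):
    """Simplified scope rules for the one-way external trust in the thread."""
    same_domain = (group.forest, group.domain) == (member.forest, member.domain)
    same_forest = group.forest == member.forest
    trusted = (member.forest, member.domain) in trusts.get((group.forest, group.domain), ())
    if group.scope is None or member.scope == "domainlocal":   # users take no members; domain
        return group.scope == "domainlocal" and same_domain     # locals nest only in own-domain ones
    if group.scope == "global":
        return same_domain                                      # own-domain users and globals only
    if group.scope == "universal":
        return same_forest                                      # an external trust is not crossed
    return same_forest or (trusted and member.scope in (None, "global"))  # domain local

def link(group, member):
    if not can_add(group, member):
        raise ValueError(f"cannot add {member.name} to {group.name}")
    group.members.append(member)

def effective_users(group, seen=()):
    """Flatten nesting to the users who actually end up with the group's rights."""
    users = {m.name for m in group.members if m.scope is None}
    for m in group.members:
        if m.scope is not None and m.name not in seen:
            users |= set(effective_users(m, seen + (m.name,)))
    return sorted(users)

def scenario():
    alice = Principal("alice", "ForestA", "Domain1")                         # assumed user
    gg_a = Principal("GG-A-SrvAdmins", "ForestA", "Domain1", "global")       # assumed names
    gg_b = Principal("GG-B-SrvAdmins", "ForestB", "Domain1", "global")
    dl_b = Principal("DL-B-SrvAdmins", "ForestB", "Domain1", "domainlocal")
    dl_a = Principal("DL-A-SrvAdmins", "ForestA", "Domain1", "domainlocal")
    checks = {
        "A user -> B global": can_add(gg_b, alice),          # False: asker's first attempt
        "B domain local -> B global": can_add(gg_b, dl_b),   # False: asker's second attempt
        "A user -> B domain local": can_add(dl_b, alice),    # True: asker's workaround
        "A global -> B domain local": can_add(dl_b, gg_a),   # True: accepted solution's variant
        "B global -> A domain local": can_add(dl_a, gg_b),   # False: the trust is one-way
    }
    link(gg_a, alice)
    link(dl_b, gg_a)
    checks["effective users of DL-B-SrvAdmins"] = effective_users(dl_b)  # ['alice']
    return checks
```

The flattened list is the check worth repeating after any change: it is what the 5 servers' local Administrators group effectively contains once the domain local group is added to it.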

    LVL 30

    Expert Comment

    Errr...what Dean said.  :-)
    LVL 1

    Author Comment

    Thanks.. I figured I was on the right track.  Just needed someone else to say it.  Since I have no access to Forest 1's environment, I'll have to do it the way I stated.
