Solved

Attempting to Create Trust Between Two Domains But Still Cannot Access Resources

Posted on 2008-06-11 | 680 Views | Last Modified: 2010-05-18
I have two separate networks, different locations, connected with a VPN connection.

I need to be able to map drives on workstations and servers in the "other" domain.  Here is what I've done so far.

One domain is named ABC.com.  The other is DEF.local.com.  The AD controller in each Domain has the other domain set up as a secondary zone.  Both are at the highest AD Level - Windows Server 2003.

When I go through the Add Trust Wizard for ABC.com, I entered DEF.local.com as the name of the "domain, forest or realm" for the Trust.  
I choose Realm Trust on the next screen because if I select "Trust With a Windows Domain" the Wizard says it cannot complete as the other domain cannot be contacted.
I choose Transitive Trust and Two-Way on the next two screens.
I enter a Trust Password.

I did the same on the AD controller in the DEF.local.com domain, reversing everything except the Trust Password which is exactly the same.

A set of folders on a server in the DEF.local.com network are Shared out to Everyone and to Authenticated users.

From a workstation in the ABC.com domain, when I try to map a drive on that server, I can see the servers and workstations on the DEF.local.com network.  When I attempt to Open or Explore the Server, I get the message that "\\Server is not accessible.  You might not have permission to use this network resource.  Contact the administrator......".  

In addition to sharing specific folders, is there another step required to allow users authenticated to the "other" domain to access those resources?  

Question by:CBrien
13 Comments
 
LVL 8

Accepted Solution

by:
Sinder255248 earned 250 total points
ID: 21763318
It shouldn't ask you for a Realm, it should go straight into the screen specifying whether you want a Domain wide trust etc.  When you've finished setting up the trust, if you have a folder in ABC.com, can you add resources from domain DEF.local.com  ie "DEF.local.com\Domain Users"?

Remove the secondary zones, and use conditional forwards? It should go straight to the screen you can see in this webpage when you type the domain name and click next:

http://images.google.co.uk/imgres?imgurl=http://searchwin2000.techtarget.com/digitalguide/images/Misc/new_trust_wizard_pic_1.gif&imgrefurl=http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci901561,00.html&h=379&w=499&sz=25&hl=en&start=1&um=1&tbnid=ALHKzLcSbzETXM:&tbnh=99&tbnw=130&prev=/images%3Fq%3Dcreating%2Ba%2Bforest%2Btrust%26um%3D1%26hl%3Den%26client%3Dfirefox-a%26channel%3Ds%26rls%3Dorg.mozilla:en-GB:official%26sa%3DN
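The accepted answer's two points, replacing the secondary zone with a conditional forwarder and checking that the wizard can actually find a domain controller, can be done from the command line. The following is an added example, not part of the original thread; it assumes the remote domain is DEF.local, that its DC answers DNS at 10.20.0.10, and that it is run in PowerShell on a DC of ABC.com as a Domain Admin. The tools it calls (dnscmd, nslookup, nltest) are the ones that shipped with Windows Server 2003, so it fits the systems discussed here.

```powershell
# Added example (not from the original thread). Assumed values:
$remoteDomain = 'DEF.local'      # assumption: the trusted domain's DNS name
$remoteDcIp   = '10.20.0.10'     # assumption: a DC of DEF.local running DNS

# 1. A secondary zone only works when the other side allows zone transfers and keeps
#    replicating correctly; a conditional forwarder just relays every query for
#    DEF.local to that domain's own DNS server, which is what the trust wizard needs.
dnscmd /ZoneDelete $remoteDomain /f
dnscmd /ZoneAdd $remoteDomain /Forwarder $remoteDcIp

# 2. The New Trust Wizard offers "Realm trust" when it cannot locate a Windows DC
#    for the name you typed. The locator relies on these SRV records, so check them
#    before running the wizard again.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$remoteDomain"
nslookup -type=SRV "_kerberos._tcp.$remoteDomain"

# 3. Ask the Netlogon DC locator directly. If this fails, the wizard will fail too
#    ("Windows cannot find a domain controller for the DEF.local domain").
nltest "/dsgetdc:$remoteDomain"

# 4. After the trust exists on both sides, verify the secure channel to the trusted
#    domain and list the trusts this DC knows about (direction and type).
nltest "/sc_verify:$remoteDomain"
nltest /domain_trusts /all_trusts
```

Run the same steps on the DEF.local DC with the names reversed. The VPN must pass TCP/UDP 53, 88, 135, 389, 445 and the RPC dynamic range between the two DCs, otherwise step 3 succeeds on one side and the trust validation fails on the other, which is the symptom reported later in this thread.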
 

Author Comment

by:CBrien
ID: 21763963
One error from my original description.  The other domain is DEF.local NOT DEF.local.com.

I removed the existing Trusts and changed DNS to remove the secondary zones as suggested.  
On the ABC.com server, the Add Trust still wanted to add it as a REALM Trust???
On the DEF.local server, when I went into the Wizard, Forest Trust was an option.  I went through the process including letting it set up the Trust on the 'other' server.  The Outgoing Trust from DEF verified, it could not verify the trust from ABC.  When I go to the ABC server and attempt to verify the Trust, it comes back with the message that "Windows cannot find a domain controller for the DEF.local domain. Verify that a DC is available and then try again."
The DEF.local AD server is set up as the server in the forwarding on the ABC.com server and is the DC for the DEF.local network.
 

Author Comment

by:CBrien
ID: 21764026
I forgot to answer your other question.
On the either side, I can see the users on the other domain in the Permission section of security and sharing.

Author Comment

by:CBrien
ID: 21764271
Both Trusts now verify.  

However I still cannot access resources on the "other" domain.  The primary purpose for putting the Trusts in place from the beginning.

From an ABC.com workstation, I can "see" all the computers on the DEF.local domain but cannot open any EXCEPT two that are on the same subnet as the ABC.com workstation.

From the DEF.local end, I cannot even see any of the computers on the ABC.com domain.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764749
if you are running 2003 functional then scrap the realm trusts - use forest trusts between the two
 

Author Comment

by:CBrien
ID: 21768551
When I re-did the trusts from the DEF.local AD server, it allowed me to choose forest trusts.  That is now in place.  I also went onto the target server in the DEF.local network and added my ABC.com ID with specific permission with full access privileges on the server.  When I attempt to open the Server in Map Network Drives, I get the error message that I "do not have permission to access the network resource".

Is there some Server level permissions required that have to be added?
 
LVL 8

Expert Comment

by:Sinder255248
ID: 21770236
Are all your workstations using WINS?  Are they registered in DNS?  If they're in WINS is there a push/pull replication between the two wins servers (assuming you have one for each domain)?  Are your domain controllers pointing to these WINS servers?  

It sounds like a name resolution issue that you can't get into these computers; you may also need to use Restricted Groups to add the Domain Admins from ABC.com to computers in DEF.local and vice versa.
 

Author Comment

by:CBrien
ID: 21770667
Making some progress.  Thanks for all the help.
Neither domain is using WINS.
Your comment about name resolution hit a chord.  I went back to map a drive and rather than trying to browse the resources in the other domain, I entered the server name directly.  First I tried: \\servername\d$.  That did not work.  I next tried \\servername.DEF.local\d$.  A login dialog box popped up.  I tried my "this domain" credentials since in theory that domain should accept my credentials if they authenticate in this domain.  Didn't work.  So I entered the Administrator ID and Password for that domain.  The mapping completed and I can access folders and files on the server.

I still don't get that it doesn't explicitly recognize an authenticated user from a trusted domain but I will take this for now because the problem is "solved".  If anyone has suggestions about why the trust doesn't seem to function completely, I'd love to hear it.

Will accept solution from Sinder255248 as it was the first step in getting the trusts to come up.
 
LVL 8

Expert Comment

by:Sinder255248
ID: 21770850
Just a note, if you put .DEF.local in your search suffix (within the DNS tab on TCP/IP properties) you'll be able to type Servername.  

"still don't get that it doesn't explicitly recognize an authenticated user"  - Authenticated users in DEF.local is different than the one in your other domain.  If you add Domain Users from both Domains into the Local Users group on your server you'll be able to authenticate from either domain.
 
LVL 8

Expert Comment

by:Sinder255248
ID: 21770877
You'll also be able to place users/groups from one domain into resources in the other domain.  
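The two preceding comments (adding the trusted domain's Domain Users to the server's local Users group, and granting ABC.com groups directly on DEF.local resources) together with the earlier suffix tip can be expressed as one script. This is an added example, not code from the thread; it assumes a member server FS1 in DEF.local sharing D:\Projects as "Projects", that the NetBIOS name of the trusted domain is ABC, and that it is run in PowerShell as a DEF.local administrator on FS1. The share /GRANT switch and icacls are available from Windows Server 2008 onward; on Server 2003 use cacls for the NTFS step and set the share permission in the Sharing tab.

```powershell
# Added example (not from the original thread). Assumed values:
$trustedGroup = 'ABC\Domain Users'   # assumption: ABC.com's NetBIOS domain name is ABC
$shareName    = 'Projects'           # assumption
$sharePath    = 'D:\Projects'        # assumption

# 1. "Authenticated Users" is a well-known group that any logged-on account joins,
#    including accounts from a trusted domain. The local "Users" group is different:
#    on a DEF.local server it contains only DEF.local\Domain Users by default, and it
#    is the group that carries baseline rights such as "Access this computer from the
#    network". Adding the trusted domain's Domain Users gives them the same baseline.
net localgroup Users $trustedGroup /add

# 2. Share permission. "Everyone / Full" is the common shortcut but it is broader than
#    needed; grant the trusted group Change on the share and let NTFS refine it.
net share "$shareName=$sharePath" "/GRANT:$trustedGroup,CHANGE"

# 3. NTFS permission: Modify, inherited by subfolders (CI) and files (OI).
icacls $sharePath /grant "${trustedGroup}:(OI)(CI)M"

# 4. Show the result so the trusted-domain group is visibly listed on both objects.
net localgroup Users
net share $shareName

# From a workstation in ABC.com, test with the fully qualified name first; the short
# name only resolves once DEF.local is in that workstation's DNS suffix search list:
#   net use Z: \\FS1.DEF.local\Projects
#   net use Z: \\FS1\Projects
```

If the FQDN path maps but prompts for credentials, the server could not build a token for the ABC.com account; if even the FQDN fails with "not accessible", it is still name resolution or a blocked port 445 across the VPN rather than permissions.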
 

Author Comment

by:CBrien
ID: 21771045
Thanks.

I added the ABC.com Domain Users to the Windows Authorization Access Group on the DEF.local AD server and I can now map without using the DEF.local Admin account.  

I am less worried about the shares coming the other direction as there shouldn't be any.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21774874
what sort of security did you set on the trust?
 

Author Comment

by:CBrien
ID: 21778053
What do you mean by "security"?
The trusts are set up as Transitive, which doesn't mean much since both environments are top-level domains and have no lower-level domains or other trusted domains.
Is there something else you mean by security?