Solved

Attempting to Create Trust Between Two Domains But Still Cannot Access Resources

Posted on 2008-06-11
673 Views
Last Modified: 2010-05-18
I have two separate networks, different locations, connected with a VPN connection.

I need to be able to map drives on workstations and servers in the "other" domain.  Here is what I've done so far.

One domain is named ABC.com.  The other is DEF.local.com.  The AD controller in each Domain has the other domain set up as a secondary zone.  Both are at the highest AD Level - Windows Server 2003.

When I go through the Add Trust Wizard for ABC.com, I entered DEF.local.com as the name of the "domain, forest or realm" for the Trust.  
I choose Realm Trust on the next screen because if I select "Trust With a Windows Domain" the Wizard says it cannot complete as the other domain cannot be contacted.
I choose Transitive Trust and Two-Way on the next two screens.
I enter a Trust Password.

I did the same on the AD controller in the DEF.local.com domain, reversing everything except the Trust Password which is exactly the same.

A set of folders on a server in the DEF.local.com network are Shared out to Everyone and to Authenticated users.

From a workstation in the ABC.com domain, when I try to map a drive on that server, I can see the servers and workstations on the DEF.local.com network.  When I attempt to Open or Explore the Server, I get the message that "\\Server is not accessible.  You might not have permission to use this network resource.  Contact the administrator......".  

In addition to sharing specific folders, is there another step required to allow users authenticated to the "other" domain to access those resources?  

Question by: CBrien
13 Comments
 
Accepted Solution by: Sinder255248 (LVL 8, earned 250 total points)
It shouldn't ask you for a Realm, it should go straight into the screen specifying whether you want a Domain wide trust etc.  When you've finished setting up the trust, if you have a folder in ABC.com, can you add resources from domain DEF.local.com, i.e. "DEF.local.com\Domain Users"?

Remove the secondary zones, and use conditional forwarders? It should go straight to the screen you can see in this webpage when you type the domain name and click next:

http://images.google.co.uk/imgres?imgurl=http://searchwin2000.techtarget.com/digitalguide/images/Misc/new_trust_wizard_pic_1.gif&imgrefurl=http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci901561,00.html&h=379&w=499&sz=25&hl=en&start=1&um=1&tbnid=ALHKzLcSbzETXM:&tbnh=99&tbnw=130&prev=/images%3Fq%3Dcreating%2Ba%2Bforest%2Btrust%26um%3D1%26hl%3Den%26client%3Dfirefox-a%26channel%3Ds%26rls%3Dorg.mozilla:en-GB:official%26sa%3DN
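An added example, written here and not part of the thread or any participant's post, of the DNS change suggested above together with the checks that tell you whether the New Trust Wizard can reach the other domain at all. It is a PowerShell script meant for the ABC.com DNS server/DC; the server name, the address of the DEF.local DC, and the availability of the Support Tools commands dnscmd, nltest and netdom are assumptions. It uses the domain name DEF.local, which the asker corrects later in the thread.

```powershell
# Added example (not from the thread): replace the secondary zone for the
# remote domain with a conditional forwarder, then confirm that a DC for the
# remote domain can be located before running the New Trust Wizard.
# Assumptions: run in an elevated PowerShell on the ABC.com DNS server/DC;
# the DNS server name and the remote DC IP below are placeholders.
$LocalDnsServer = 'dc1.abc.com'   # placeholder: this side's DNS server / DC
$RemoteDomain   = 'DEF.local'     # the trusted domain (as corrected in the thread)
$RemoteDcIp     = '10.0.2.10'     # placeholder: IP of the DEF.local DC across the VPN

# 1. If a secondary zone for the remote domain exists, delete it and add a
#    conditional forwarder pointing at the remote DC instead.
$zones = & dnscmd $LocalDnsServer /EnumZones
if ($zones -match "^\s*$RemoteDomain\s+Secondary") {
    & dnscmd $LocalDnsServer /ZoneDelete $RemoteDomain /f
}
& dnscmd $LocalDnsServer /ZoneAdd $RemoteDomain /Forwarder $RemoteDcIp

# 2. The wizard's "domain cannot be contacted" error is almost always DNS:
#    check the DC SRV record through the local DNS server, then ask the
#    DC locator itself (nltest exits non-zero when no DC is found).
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain" $LocalDnsServer
& nltest "/dsgetdc:$RemoteDomain"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No DC found for $RemoteDomain; fix DNS/VPN before creating the trust."
    return
}

# 3. Once the wizard has been run on both sides, verify the trust in each
#    direction and list what each side knows about its trusts.
& netdom trust ABC.com "/d:$RemoteDomain" /verify
& netdom trust $RemoteDomain /d:ABC.com /verify
& nltest /domain_trusts /all_trusts
```

Run step 2 on each side (swapping the domain names) before creating the trust: if the DC locator fails on either side, the wizard will offer only a realm trust, which is exactly the symptom described in the question.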

Author Comment by: CBrien
One error from my original description.  The other domain is DEF.local NOT DEF.local.com.

I removed the existing Trusts and changed DNS to remove the secondary zones as suggested.  
On the ABC.com server, the Add Trust still wanted to add it as a REALM Trust???
On the DEF.local server, when I went into the Wizard, Forest Trust was an option.  I went through the process including letting it set up the Trust on the 'other' server.  The Outgoing Trust from DEF verified, it could not verify the trust from ABC.  When I go to the ABC server and attempt to verify the Trust, it comes back with the message that "Windows cannot find a domain controller for the DEF.local domain. Verify that a DC is available and then try again."
The DEF.local AD server is set up as the server in the forwarding on the ABC.com server and is the DC for the DEF.local network.

Author Comment by: CBrien
I forgot to answer your other question.
On either side, I can see the users on the other domain in the Permission section of security and sharing.

Author Comment by: CBrien
Both Trusts now verify.  

However, I still cannot access resources on the "other" domain.  That was the primary purpose for putting the Trusts in place from the beginning.

From an ABC.com workstation, I can "see" all the computers on the DEF.local domain but cannot open any EXCEPT two that are on the same subnet as the ABC.com workstation.

From the DEF.local end, I cannot even see any of the computers on the ABC.com domain.

Expert Comment by: Jay_Jay70 (LVL 48)
If you are running at the 2003 functional level, then scrap the realm trusts and use forest trusts between the two.

Author Comment by: CBrien
When I re-did the trusts from the DEF.local AD server, it allowed me to choose forest trusts.  That is now in place.  I also went onto the target server in the DEF.local network and added my ABC.com ID with specific permission with full access privileges on the server.  When I attempt to open the Server in Map Network Drives, I get the error message that I "do not have permission to access the network resource".

Is there some Server level permissions required that have to be added?

Expert Comment by: Sinder255248 (LVL 8)
Are all your workstations using WINS?  Are they registered in DNS?  If they're in WINS is there a push/pull replication between the two wins servers (assuming you have one for each domain)?  Are your domain controllers pointing to these WINS servers?  

It sounds like a name resolution issue is why you can't get into these computers; you may also need to use Restricted Groups to add the Domain Admins from ABC.com to computers in DEF.local and vice versa.

Author Comment by: CBrien
Making some progress.  Thanks for all the help.
Neither domain is using WINS.
Your comment about name resolution hit a chord.  I went back to map a drive and rather than trying to browse the resources in the other domain, I entered the server name directly.  First I tried: \\servername\d$.  That did not work.  I next tried \\servername.DEF.local\d$.  A login dialog box popped up.  I tried my "this domain" credentials since in theory that domain should accept my credentials if they authenticate in this domain.  Didn't work.  So I entered the Administrator ID and Password for that domain.  The mapping completed and I can access folders and files on the server.

I still don't get that it doesn't explicitly recognize an authenticated user from a trusted domain but I will take this for now because the problem is "solved".  If anyone has suggestions about why the trust doesn't seem to function completely, I'd love to hear it.

Will accept solution from Sinder255248 as it was the first step in getting the trusts to come up.

Expert Comment by: Sinder255248 (LVL 8)
Just a note, if you put .DEF.local in your search suffix (within the DNS tab on TCP/IP properties) you'll be able to type Servername.  

"still don't get that it doesn't explicitly recognize an authenticated user"  - Authenticated Users in DEF.local is different from the one in your other domain.  If you add Domain Users from both Domains into the local Users group on your server you'll be able to authenticate from either domain.

Expert Comment by: Sinder255248 (LVL 8)
You'll also be able to place users/groups from one domain into resources in the other domain.  
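An added example, not taken from the thread or from any of its participants, covering the two preceding comments: the DNS suffix search list so that a short server name resolves across the domains, and granting users from the trusted domain access on the DEF.local file server through explicit local group membership rather than a broad built-in group. It is a PowerShell script for the DEF.local member server; the NetBIOS name ABC for ABC.com, the use of the WMI method SetDNSSuffixSearchOrder, and the nltest command are assumptions, and the group added is the one the comment names (a purpose-built group scoped to the share's users would be the tighter choice).

```powershell
# Added example (not from the thread): on the DEF.local file server, set the
# DNS suffix search list and grant the trusted domain's users access via the
# local Users group, checking the trust path first.
# Assumptions: elevated PowerShell on the DEF.local member server; 'ABC' is
# the NetBIOS name of ABC.com; dnscmd/nltest (Support Tools) are installed.
$TrustedDomainDns     = 'ABC.com'
$TrustedDomainNetbios = 'ABC'
# The comment suggests Domain Users; a dedicated group containing only the
# people who need the share keeps the grant to least privilege.
$TrustedGroup = "$TrustedDomainNetbios\Domain Users"
$LocalGroup   = 'Users'

# 1. Suffix search list: lets "\\servername" from either domain resolve
#    without typing the FQDN (static WMI method, applies to all adapters).
$cfg = [wmiclass]'Win32_NetworkAdapterConfiguration'
$r   = $cfg.SetDNSSuffixSearchOrder([string[]]@('DEF.local', 'abc.com'))
if ($r.ReturnValue -ne 0) {
    Write-Warning "SetDNSSuffixSearchOrder returned $($r.ReturnValue)"
}

# 2. Confirm this server can locate a DC in the trusted domain; without that,
#    users from ABC.com cannot be authenticated here no matter what the ACLs say.
& nltest "/dsgetdc:$TrustedDomainDns"
if ($LASTEXITCODE -ne 0) {
    throw "Cannot locate a $TrustedDomainDns DC from this server; check DNS and the trust."
}

# 3. Add the trusted group to the local group only if it is not already there.
$members = & net localgroup $LocalGroup
if (-not ($members -match [regex]::Escape($TrustedGroup))) {
    & net localgroup $LocalGroup $TrustedGroup /add
}

# 4. Resolve the trusted group to its SID: a successful lookup shows the
#    server can translate principals from ABC.com through the trust, which is
#    the same path used when such a principal is added to a share or NTFS ACL.
$nt  = New-Object System.Security.Principal.NTAccount($TrustedGroup)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
"{0} -> {1}" -f $TrustedGroup, $sid.Value
```

If step 4 fails while step 2 succeeds, the trust exists but the server cannot look up accounts in it; that is the point at which the share-level "you might not have permission" message appears even though the share itself is open.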

Author Comment by: CBrien
Thanks.

I added the ABC.com Domain Users to the Windows Authorization Access Group on the DEF.local AD server and I can now map without using the DEF.local Admin account.  

I am less worried about the shares coming the other direction as there shouldn't be any.

Expert Comment by: Jay_Jay70 (LVL 48)
What sort of security did you set on the trust?

Author Comment by: CBrien
What do you mean by "security"?
The trusts are set up as Transitive, which doesn't mean much since both environments are top level domains and have no lower level domains or other trusted domains.
Is there something else you mean by security?