Solved

Setting up a domain trust to allow Exchange access from second domain with file sharing

Posted on 2008-06-20
Last Modified: 2010-04-21
I have one domain, domain1.local (192.168.15.0, with Exchange 2003), and a second domain, domain2.local (192.168.2.0). They are connected via a PIX 506E site-to-site VPN. Both DCs can ping each other. I can connect to both DCs from the other (i.e. Start/Run \\192.168.15.1 will bring up the shares on the DC from the other network). The DNS MMC sees the other DNS server and I can do a "connect to other DNS server" no problem. What I need to do is have a domain trust that allows domain2.local clients to log on to the Exchange server and for both sides to be able to access shares on the opposite side. The permissions cannot be "everyone". So I guess I will need both ADs communicating with each other or joined somehow. Any help would be greatly appreciated. Please include links for any DNS manipulation if possible, e.g. for adding forwarders, stub zones, etc. Any help would be greatly appreciated.
Question by: Davidloc

12 Comments

Expert Comment by Chris Dent (ID: 21834197)

Hi there,

First a "just in case". If either of these networks are Small Business Server based it just won't happen.

If they're not, we can carry on :)

1. DNS

You must consider name resolution in both directions. If they're both Windows 2003 the easiest / simplest way would be to use Conditional Forwarders as follows (two methods):

a. Open the DNS Console
b. Select the DNS Server
c. Right click and open Properties
d. Select the Forwarders Tab
e. Enter a Domain Name to forward to (the remote domain)
f. Enter the IP Address of the remote server
g. Repeat for every DNS Server operating for your network (or anything in use at least).

Or you can configure the Conditional Forwarder as AD Integrated. Extremely useful if you have a number of domain controllers:

a. Ensure the Support Tools are installed, this uses dnscmd
b. Open the Command Prompt
c. Type:

dnscmd <Server> /ZoneAdd <remotedomainname> /DsForwarder <ServerIP> /dp /domain

Do this for both domains. Then, once these are done, test that you can resolve names (full names, e.g. server.remotedomain.com).

2. The Trust

Open up AD Domains and Trusts, right click on your domain and open up the Properties. Then you can go ahead and form the trust.

Please just yell if anything isn't clear, or if it doesn't get you far enough.

Chris
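An added check script (not from this thread; written here as a verification aid) that confirms, from a DC in the local domain, what Chris's two steps should leave behind: a zone for the remote domain on the local DNS server, a working SRV lookup for the remote domain's DCs through that forwarder, and the trust's secure channel. It assumes Windows Server 2008 R2 or later for Resolve-DnsName and the DnsServer module (the thread's servers are 2003, where dnscmd /EnumZones and nslookup are the equivalents); the remote DNS IP 192.168.2.1 is an assumed placeholder, since the thread only gives the 192.168.2.0 network.

```powershell
# Added example, not part of the thread. Run on a DC / DNS server in domain1.local.
param(
    [string]$RemoteDomain   = 'domain2.local',   # remote domain from the thread
    [string]$RemoteDnsIp    = '192.168.2.1',     # ASSUMED placeholder; thread gives only 192.168.2.0/24
    [string]$LocalDnsServer = 'localhost'
)

# 1. DNS: is there a conditional forwarder (or stub) zone for the remote domain here?
$zone = Get-DnsServerZone -ComputerName $LocalDnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.ZoneName -eq $RemoteDomain }
if (-not $zone) {
    Write-Warning "No zone for $RemoteDomain on $LocalDnsServer. AD-integrated forwarder equivalent of the dnscmd line:"
    Write-Warning "  Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDnsIp -ReplicationScope Domain"
} else {
    'Zone {0}: type {1}, AD-integrated: {2}' -f $zone.ZoneName, $zone.ZoneType, $zone.IsDsIntegrated
}

# 2. Resolution: trust creation needs the remote domain's DC locator SRV record,
#    not just an A record, so test the SRV name rather than a bare host name.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV `
                           -Server $LocalDnsServer -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { 'DC for {0}: {1}:{2}' -f $RemoteDomain, $_.NameTarget, $_.Port }
} catch {
    Write-Warning ("SRV lookup for {0} failed: {1}. Check the forwarder IP and that DNS (53/udp+tcp) crosses the VPN." `
                   -f $RemoteDomain, $_.Exception.Message)
}

# 3. Trust: list trusted domains and verify the secure channel to the remote domain.
#    Both commands are read-only checks; they change nothing.
nltest /trusted_domains
nltest /sc_verify:$RemoteDomain
```

Run the same script on a domain2.local DC with the names swapped, since the forwarders and the trust must work in both directions.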

Author Comment by Davidloc (ID: 21835538)

Thanks Chris,

I'll try this on Monday morning and get back to you. I guess that once the trust is made the Exchange can be set up from the second domain by pointing to it and putting in the domain1.local/user? Will it ask every time for the password or will it remember it? The set up is 3 PIX 506E with site-site-site where only 2 need Exchange/folder access. Will the AD of the first domain allow users from the second domain to be added to the ACL of a folder in the first domain?

Regards

David

Expert Comment by Chris Dent (ID: 21836865)

Hi David,

Once you have the trust you can add the account from the remote domain to the Exchange Mailbox as "Associated External Account" and grant it full mailbox access. Then no further authentication is required.

Chris

Author Comment by Davidloc (ID: 21837500)

Right now the domain2 clients are using OWA to access the Exchange server to a user account using the same logon name in domain1 that they use on domain2.

Expert Comment by Chris Dent (ID: 21837617)

That makes sense, and you can continue to use that if you want. But if you manage to get a trust up there's no need to maintain two passwords for them (although the two account requirement remains).

In case it makes things simpler :)

Chris

Author Comment by Davidloc (ID: 21892296)

It works great, but now after I connected a workstation's email client from domain2 to the Exchange server on domain1 it only gives domain1 as the logon option, even though I never took it off domain2 and put it on domain1. Is there a way to always show the 2 domains in the drop down box on the logon screen?

Expert Comment by Chris Dent (ID: 21897656)

The "Log On To" box on the main Windows Logon?

That should reflect the machine's domain membership, and should also allow any trusted domains.

Chris

Author Comment by Davidloc (ID: 21902891)

Yes, the logon box on that machine in domain2 now only shows domain1 as an available domain. All I did was as stated above. I don't see any "allow any Trusted domains"; where is that?

Thanks

Expert Comment by Chris Dent (ID: 21902911)

That's odd, it must show the local domain. It definitely isn't a member of Domain1 now?

Normally the drop down box contains the current domain, plus any Trusted Domains which is what we'd be looking to see.

Chris

Author Comment by Davidloc (ID: 21934649)

Last question and I'll close this up. If I uninstall Active Directory in domain2 and then re-install it, can I make domain2 site2.domain1.local, or are there restrictions on the .local domain name? Will this work to get over the trust problem? I would like domain.local to authenticate users in both domains, and hopefully the server at site2.domain1.local would be able to authenticate site2 users if/when the connection breaks. Both again are Server 2003 Standard Edition domains.

thanks again

Accepted Solution by Chris Dent (earned 500 total points, ID: 21934684)

There are no restrictions on the .local domain, so yes, you could do that.

Were you thinking of making it part of the root domain (domain1) or a new child domain?

The child domain would be the site2.domain.local domain name. If they were part of the same domain they would both be domain.local.

If you've only got a small number of users merging the domains would perhaps be more sensible. It gives you greater fault tolerance (or reduced cost) because you have more Domain Controllers.

Having both in the same domain is also a far simpler configuration (which is a good thing). You can control who logs on where by configuring AD Sites and Services, placing the DCs in Sites, and configuring Subnets to associate with those.

Chris

Author Closing Comment by Davidloc (ID: 31469240)

Thank you Chris