Solved

Setting up a domain trust to allow Exchange access from second domain with file sharing

Posted on 2008-06-20
12
1,783 Views
Last Modified: 2010-04-21
I have one domain, domain1.local 192.168.15.0 (with Exchange 2003), and a second domain, domain2.local 192.168.2.0. They are connected via a PIX 506E site-to-site VPN. Both DCs can ping each other. I can connect to both DCs from the other (i.e. start/run \\192.168.15.1 will bring up the shares on the DC from the other network). The DNS MMC sees the other DNS server and I can do a "connect to other DNS server" no problem. What I need to do is have a domain trust that allows domain2.local clients to log on to the Exchange server and for both sides to be able to access shares on the opposite side. The permissions cannot be "everyone". So I guess I will need both ADs communicating with each other or joined somehow. Any help would be greatly appreciated. Please include links for any DNS manipulation if possible, e.g. for adding forwarders, stub zones, etc. Any help would be greatly appreciated.
Question by:Davidloc
12 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21834197

Hi there,

First a "just in case". If either of these networks is Small Business Server based it just won't happen.

If they're not, we can carry on :)

1. DNS

You must consider name resolution in both directions. If they're both Windows 2003 the easiest / simplest way would be to use Conditional Forwarders as follows (two methods):

a. Open the DNS Console
b. Select the DNS Server
c. Right click and open Properties
d. Select the Forwarders Tab
e. Enter a Domain Name to forward to (the remote domain)
f. Enter the IP Address of the remote server
g. Repeat for every DNS Server operating for your network (or anything in use at least).

Or you can configure the Conditional Forwarder as AD Integrated. Extremely useful if you have a number of domain controllers:

a. Ensure the Support Tools are installed, this uses dnscmd
b. Open the Command Prompt
c. Type:

dnscmd <Server> /ZoneAdd <remotedomainname> /DsForwarder <ServerIP> /dp /domain

Do this for both domains. Then once these are done, test that you can resolve names (full names, e.g. server.remotedomain.com).

2. The Trust

Open up AD Domains and Trusts, right click on your domain and open up the Properties. Then you can go ahead and form the trust.

Please just yell if anything isn't clear, or if it doesn't get you far enough.

Chris
0
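The two steps above (an AD-integrated conditional forwarder in each domain, then the trust) as one script. This is an added example, not code from Chris or from the thread. It keeps the dnscmd form he gives; the trust step uses netdom, which is the command-line equivalent of the AD Domains and Trusts MMC step he describes, and adds a verify step. The DC name dc1, the domain2 DC address 192.168.2.1 and the Administrator accounts are assumptions; domain1.local at 192.168.15.1 comes from the question. The same commands can be typed one per line at a plain cmd prompt on the Server 2003 DCs.

```powershell
# Added example (not from the original thread). Assumes:
#   domain1.local with its DC at 192.168.15.1 (from the question)
#   domain2.local with its DC at 192.168.2.1  (assumed; the question gives only the subnet)
# Run once on a DC of each domain, swapping the local/remote values for the second run.
# dnscmd needs the Windows Support Tools (as Chris notes); netdom is in the same kit.
param(
    [string]$LocalDomain  = 'domain2.local',
    [string]$RemoteDomain = 'domain1.local',
    [string]$RemoteDcIp   = '192.168.15.1',
    [string]$RemoteDcName = 'dc1',          # assumed host name, used only for the resolution check
    [string]$LocalDns     = '.'             # '.' = the DNS server this script runs on
)

# 1. DNS: AD-integrated conditional forwarder for the remote domain (Chris's dnscmd form).
#    /dp /domain stores the forwarder in the domain partition, so every DC running DNS
#    in this domain picks it up and the per-server GUI steps are not repeated.
dnscmd $LocalDns /ZoneAdd $RemoteDomain /DsForwarder $RemoteDcIp /dp /domain
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed with exit code $LASTEXITCODE" }

# Check: the forwarder zone is listed, and a full name in the remote domain resolves
# through our own DNS server (not by asking the remote DC directly).
dnscmd $LocalDns /EnumZones | Select-String $RemoteDomain
nslookup "$RemoteDcName.$RemoteDomain" 127.0.0.1

# 2. Trust: two-way external trust. /pd:* and /po:* prompt for the passwords rather
#    than leaving them in the script, the command line or the shell history.
netdom trust $LocalDomain "/d:$RemoteDomain" /add /twoway `
    "/ud:$RemoteDomain\Administrator" '/pd:*' `
    "/uo:$LocalDomain\Administrator"  '/po:*'
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

# 3. Verify the trust's secure channel before granting any mailbox or share access across it.
netdom trust $LocalDomain "/d:$RemoteDomain" /verify
```

Run the DNS part in both domains before attempting the trust: the trust wizard and netdom both fail if the remote domain name does not resolve. Windows Server 2003 applies SID filtering to external trusts by default, so a user from the other domain is authorised with only the SIDs of their own domain; that is the behaviour you want when the two sides are administered separately, and it is why the remote account itself (not a group it claims membership of) is what you add to folder ACLs and to the mailbox as Chris describes below.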
 

Author Comment

by:Davidloc
ID: 21835538
Thanks Chris ,

I'll try this on Monday morning and get back to you. I guess that once the trust is made the Exchange can be set up from the second domain by pointing to it and putting in the domain1.local/user? Will it ask every time for the password or will it remember it? The set up is 3 PIX 506E with site-site-site where only 2 need Exchange/folder access. Will the AD of the first domain allow users from the second domain to be added to the ACL of a folder in the first domain?

Regards

David
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21836865

Hi David,

Once you have the trust you can add the account from the remote domain to the Exchange Mailbox as "Associated External Account" and grant it full mailbox access. Then no further authentication is required.

Chris
0
 

Author Comment

by:Davidloc
ID: 21837500
Right now the domain2 clients are using OWA to access the Exchange server to a user account using the same logon name in domain1 that they use on domain2.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21837617

That makes sense, and you can continue to use that if you want. But if you manage to get a trust up there's no need to maintain two passwords for them (although the two account requirement remains).

In case it makes things simpler :)

Chris
0
 

Author Comment

by:Davidloc
ID: 21892296
It works great, but after I connected a workstation's email client from domain2 to the Exchange server on domain1 it now only gives domain1 as the logon option, even though I never took it off domain2 and put it on domain1. Is there a way to always show the 2 domains in the drop down box on the logon screen?
0
LVL 70

Expert Comment

by:Chris Dent
ID: 21897656

The "Log On To" box on the main Windows Logon?

That should reflect the machine's domain membership, and should also allow any trusted domains.

Chris
0
 

Author Comment

by:Davidloc
ID: 21902891
Yes, the logon box on that machine in domain2 now only shows domain1 as an available domain. All I did was as stated above. I don't see any "allow any trusted domains", where is that?


Thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21902911

That's odd, it must show the local domain. It definitely isn't a member of Domain1 now?

Normally the drop down box contains the current domain, plus any Trusted Domains which is what we'd be looking to see.

Chris
0
 

Author Comment

by:Davidloc
ID: 21934649
Last question and I'll close this up. If I uninstall Active Directory in domain2 and then re-install it, can I make domain2 site2.domain1.local, or are there restrictions on the .local domain name? Will this work to get over the trust problem? I would like domain.local to authenticate users in both domains and hopefully the server at site2.domain1.local would be able to authenticate site2 users if/when the connection breaks. Both again are Server 2003 Standard Edition domains.

thanks again
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21934684

There are no restrictions on the .local domain, so yes, you could do that.

Were you thinking of making it part of the root domain (domain1) or a new child domain?

The child domain would be the site2.domain.local domain name. If they were part of the same domain they would both be domain.local.

If you've only got a small number of users merging the domains would perhaps be more sensible. It gives you greater fault tolerance (or reduced cost) because you have more Domain Controllers.

Having both in the same domain is also a far simpler configuration (which is a good thing). You can control who logs on where by configuring AD Sites and Services, placing the DCs in Sites, and configuring Subnets to associate with those.

Chris
0
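The sites-and-subnets configuration Chris describes for the merged single domain, as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), which the Server 2003 DCs in this thread did not have; on 2003 the same objects are created by hand in the AD Sites and Services MMC. The merged domain name domain1.local, the DC names dc1 and dc2 and the site names are assumptions; the two subnets come from the question.

```powershell
# Added example (not from the original thread). Assumes a single merged domain
# domain1.local with dc1 on 192.168.15.0/24 and dc2 on 192.168.2.0/24, and the
# ActiveDirectory module (2008 R2+). Run as a domain admin on any DC.
Import-Module ActiveDirectory

# Site name -> subnet. A client is matched to a site by its IP address, so clients on
# 192.168.2.0/24 will prefer the DC in Site2 for logon and keep authenticating
# locally if the VPN to 192.168.15.0/24 is down.
$sites = @{
    'Site1' = '192.168.15.0/24'   # subnet from the question
    'Site2' = '192.168.2.0/24'    # subnet from the question
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# Put each DC in the site that matches its own network (names assumed).
Move-ADDirectoryServer -Identity 'dc1' -Site 'Site1'
Move-ADDirectoryServer -Identity 'dc2' -Site 'Site2'

# Checks, run from a workstation on 192.168.2.0/24 once replication has completed:
nltest /dsgetsite                    # expected: Site2
nltest /dsgetdc:domain1.local        # expected: dc2 reported as the logon DC
```

If nltest still reports the wrong site, the usual cause is a subnet that is missing or assigned to the other site, which is the same thing to check first in the MMC on 2003.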
 

Author Closing Comment

by:Davidloc
ID: 31469240
Thank you Chris
0
