Solved

Setting up a domain trust to allow Exchange access from second domain with file sharing

Posted on 2008-06-20
1,789 Views
Last Modified: 2010-04-21
I have one domain, domain1.local (192.168.15.0, with Exchange 2003), and a second domain, domain2.local (192.168.2.0). They are connected via a PIX 506E site-to-site VPN. Both DCs can ping each other. I can connect to both DCs from the other (i.e. Start/Run \\192.168.15.1 will bring up the shares on the DC from the other network). The DNS MMC sees the other DNS server and I can do a "connect to other DNS server" no problem. What I need to do is have a domain trust that allows domain2.local clients to log on to the Exchange server, and for both sides to be able to access shares on the opposite side. The permissions cannot be "Everyone". So I guess I will need both ADs communicating with each other or joined somehow. Any help would be greatly appreciated. Please include links for any DNS manipulation if possible, e.g. for adding forwarders, stub zones, etc. Any help would be greatly appreciated.
Question by:Davidloc
12 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21834197

Hi there,

First a "just in case": if either of these networks is Small Business Server based, it just won't happen.

If they're not, we can carry on :)

1. DNS

You must consider name resolution in both directions. If they're both Windows 2003 the easiest / simplest way would be to use Conditional Forwarders as follows (two methods):

a. Open the DNS Console
b. Select the DNS Server
c. Right click and open Properties
d. Select the Forwarders Tab
e. Enter a Domain Name to forward to (the remote domain)
f. Enter the IP Address of the remote server
g. Repeat for every DNS Server operating for your network (or anything in use at least).

Or you can configure the Conditional Forwarder as AD Integrated. Extremely useful if you have a number of domain controllers:

a. Ensure the Support Tools are installed, this uses dnscmd
b. Open the Command Prompt
c. Type:

dnscmd <Server> /ZoneAdd <remotedomainname> /DsForwarder <ServerIP> /dp /domain

Do this for both domains. Then, once these are done, test that you can resolve names (full names, e.g. server.remotedomain.com).

2. The Trust

Open up AD Domains and Trusts, right click on your domain and open up the Properties. Then you can go ahead and form the trust.

Please just yell if anything isn't clear, or if it doesn't get you far enough.

Chris
0
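The three steps above (forwarder, name resolution check, trust) as a verification script, added here and not part of Chris's answer or the original thread. It assumes a domain1 DC named dc1.domain1.local, a domain2 DC named dc1.domain2.local at 192.168.2.1, and that dnscmd (Support Tools) and nltest are on the path; only the domain names and the two subnets come from the question.

```powershell
# Added example (not from the thread). Assumed names/IPs, marked below; adjust to your own.
$LocalDnsServer = "dc1.domain1.local"   # assumed: the DNS server you are configuring
$RemoteDomain   = "domain2.local"       # from the question
$RemoteDnsIp    = "192.168.2.1"         # assumed: DNS server authoritative for domain2.local
$RemoteHost     = "dc1.domain2.local"   # assumed: a full name in the remote domain to resolve

# Step 1: AD-integrated conditional forwarder, the dnscmd form from the answer above,
# so every DC in the domain picks it up through replication.
function Add-ConditionalForwarder {
    param([string]$Server, [string]$Zone, [string]$ForwardTo)
    & dnscmd $Server /ZoneAdd $Zone /DsForwarder $ForwardTo /dp /domain | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Step 2: prove the forwarder works by resolving a full remote name through the LOCAL
# server only; querying the remote server directly would not test the forwarder.
function Test-RemoteResolution {
    param([string]$Name, [string]$ViaServer)
    $out = & nslookup $Name $ViaServer 2>&1 | Out-String
    # nslookup prints a "Name:" line for the answer only when the lookup succeeded
    return ($out -match "(?m)^Name:\s+$([regex]::Escape($Name))")
}

# Step 3 (after forming the trust in AD Domains and Trusts): confirm this DC lists the
# remote domain as a trusted domain. Run the same script on the other side too.
function Test-TrustVisible {
    param([string]$Domain)
    $out = & nltest /domain_trusts 2>&1 | Out-String
    return ($out -match [regex]::Escape($Domain))
}

if (-not (Add-ConditionalForwarder $LocalDnsServer $RemoteDomain $RemoteDnsIp)) {
    Write-Warning "dnscmd failed: check that the Support Tools are installed and you are a DNS admin."
}
if (-not (Test-RemoteResolution $RemoteHost $LocalDnsServer)) {
    Write-Warning "$RemoteHost does not resolve via $LocalDnsServer: check the forwarder and the VPN."
}
if (Test-TrustVisible $RemoteDomain) { "Trust to $RemoteDomain is visible from this DC." }
else { Write-Warning "No trust to $RemoteDomain listed yet; create it in AD Domains and Trusts." }
```

Run it on a domain1 DC, then again on a domain2 DC with the local and remote values swapped, since both the forwarder and the trust must work in each direction.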
 

Author Comment

by:Davidloc
ID: 21835538
Thanks Chris ,

I'll try this on Monday morning and get back to you. I guess that once the trust is made the Exchange can be set up from the second domain by pointing to it and putting in the domain1.local/user? Will it ask everytime for the password or will it remember it ? The set up is 3 PIX 506E with site-site-site where only 2 need Exchange/folder access , will the AD of the first domain allow users from the second domain to be added to the ACL of a folder in the first  domain ?

Regards

David
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21836865

Hi David,

Once you have the trust you can add the account from the remote domain to the Exchange Mailbox as "Associated External Account" and grant it full mailbox access. Then no further authentication is required.

Chris
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:Davidloc
ID: 21837500
Right now the domain2 clients are using OWA to access the Exchange server to a user account using the same logon name in domain1 that they use on domain2.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21837617

That makes sense, and you can continue to use that if you want. But if you manage to get a trust up there's no need to maintain two passwords for them (although the two account requirement remains).

In case it makes things simpler :)

Chris
0
 

Author Comment

by:Davidloc
ID: 21892296
It works great but now after I connected a workstation's email client from domain2 to the exchange server on domain1 it now only gives domain1 as the logon option even though I never took it off domain2 and put it on domain1. Is there a way to always show the 2 domains in the drop down box on the logon screen ?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21897656

The "Log On To" box on the main Windows Logon?

That should reflect the machines Domain Membership, and should also allow any Trusted domains.

Chris
0
 

Author Comment

by:Davidloc
ID: 21902891
Yes the logon box on that machine in domain2 now only shows domain1 as an available domain. All I did was as stated above. I don't see any "allow any Trusted domains" , whare is that ?.


Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21902911

That's odd, it must show the local domain. It definitely isn't a member of Domain1 now?

Normally the drop down box contains the current domain, plus any Trusted Domains which is what we'd be looking to see.

Chris
0
 

Author Comment

by:Davidloc
ID: 21934649
Last question and I'll close this up. If I uninstall active directory in domain2 and this re-install it can I make domain2 site2.domain1.local or is there restrictions on the .local domain name. will this work to get over the trust problem ? I would like domain.local to authenticate users in both domains and hopefully the server at site2.domain1.local would be able to authenticate site2 users if/when the connection breaks. Both again are Server 2003 standard edition domains.

thanks again
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 21934684

There are no restrictions on the .local domain, so yes, you could do that.

Were you thinking of making it part of the root domain (domain1) or a new child domain?

The child domain would be the site2.domain.local domain name. If they were part of the same domain they would both be domain.local.

If you've only got a small number of users merging the domains would perhaps be more sensible. It gives you greater fault tolerance (or reduced cost) because you have more Domain Controllers.

Having both in the same domain is also a far simpler configuration (which is a good thing). You can control who logs on where by configuring AD Sites and Services, placing the DCs in Sites, and configuring Subnets to associate with those.

Chris
0
 

Author Closing Comment

by:Davidloc
ID: 31469240
Thank you Chris
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question