Authenticate as user from one domain to another

Hi All,
Really struggling (on a live system). We have had PCOUNTER and new network printers installed over the last few days on a domain STUDENTS this allows monitoring of print work etc and is working fine. However the people before us created a second domain called BUSINESS that also need access to these printers.

The printers are shared off a server called VIPER (on the STUDENTS domain) which we can connect to from the BUSINESS domain, however when we try and install the printers as a BUSINESS user we get the "Policy controls do not permit, blah blah"

So far the only way we have got it to print is by connecting to VIPER as an admin, then getting the printer installed, the problem is that then the admin account gets billed for the printing, even if we log off and log back in as a user. I have even set the print security to everyone but it still requires authentication.

If I were to run a VBS script at logon to connect the printer, how could I ensure this authentication between the two domains without using generic IDs and preferably without setting up network maps to VIPER on 80 BUSINESS users machines?

Many thanks in advance, proper headscratcher for me atm.
LVL 7
Ned RamsayNetwork Operations ManagerAsked:
Who is Participating?
 
AmericomCommented:
More info:
One-way trust--If a one way trust from DomainA trusts-->Domain B. Users in DomainB will be able to access resources(like printer) in DomainA since DomainA is the trusting domain which trusts DomainB, meaning allow DomainB users to access their resources. DomainB then considered the trusted domain as being trusted by DomainA. When Users from DomainA hit "ctrl+Alt+Del" there will be two Domains that they can select to logon from, Which is DomainA and DomainB. This is because when a UserB using a computer that is a member of DomainA, he/she will be able to use the account UserB to logon to DomainB from a computer in DomainA. This computer is considered one type of the resources in addition to web services, file and print services etc.  However, Users in DomainA will not have these available. Like a UserA cannot use a computer which is a member of DomainB to logon to DomainA as the option is not available due to the type of trust, one-way trust from DomainA to DomainB.

Two-Way trust--DomainA trusts DomainB and DomainB also trusts DmainA. This will allow users in both domains to be able to access resources in each other's domain.
0
 
AmericomCommented:
Have you established the trust between the STUDENTS and BUSINESS domain? Trust is needed when you need to share resources between domains. Unless you are using Internet Printing method which everyone group will allow non domain users to connect to shared network printers.
0
 
Ned RamsayNetwork Operations ManagerAuthor Commented:
There are no trusts between domains, this is the problem, I have taken over from a complete idiot of an IT manager!
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Ned RamsayNetwork Operations ManagerAuthor Commented:
Does anyone have a step by step guide to setting up trusts between domains?
0
 
AmericomCommented:
What version of domains are you running? win2k, win2k3, or win2k8?
Here's an example to create a two-way trust(Assuming you can manage both Domain A & B):
DomainA         
Run Active Directory Domains and Trusts->Right Click on the Domain  and select Properties Then click the "Trusts" tab. Then click on New Trust. Provide DNS or NetBIOS name of other domain(DomainB). Here you need an "incoming trusts". If no other specific restriction, do forest trust. When done, you should have DomainB listed on the bottom box of the "Domains that trust this domain(incoming trusts)"

DomainB.
Do the same but the opposite of the above.
0
 
AmericomCommented:
Sorry I have provided you the one-way trust.
Here's the steps for two-way trust:
Scenarios, just an example:
DOMAIN-1--Domain Functional Level and Forest Functional Level is Windows Server 2003
Domain-2--Domain Functional Level is Windows Server 2003 and Forest Functional Level is Windows Server 2003

Note: you can start either on Domain1 or Domain2, the order of creation for the trust doesn't matter.
      
Domain-1         
New Trust-->DNS or NetBIOS name of other domain-->External Trust-->Two-Way-->This Domain only-->Domain-Wide Authentication-->Trust Password-->No Need to confirm any trust at the moment

Domain-2         
New Trust-->DNS or NetBIOS name of other domain-->Two-Way-->This Domain only--> Domain-Wide Authentication-->Trust Password-->No Need to confirm any trust at the moment

Note: Domain-Wide authentication above is just an example, you can also do selective authentication. But Domain-wide authentication should be used if you manage both domains.
0
 
AmericomCommented:
BTW, before you create the turst above, you need to make sure firewall is opened between the two domain.
0
 
Ned RamsayNetwork Operations ManagerAuthor Commented:
Thanks Americom, ill let you know how I get on.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.