Domain Trust

Posted on 2010-01-13
Medium Priority
Last Modified: 2012-05-08
I have set up a trust relationship between our 2 domains.
But we have problems when Administrator1 wants to connect to resources in domain2 and vice versa. What is the problem?

The trust was created as selective, not all authentication to the resources. How can I give the other Admin full access to my resources?

The DNS settings are done and also replicated to both domains. I think there is no error here.

Question by: Eprs_Admin
Accepted Solution

Bruno PACI earned 501 total points
ID: 26303503

The trust relationship by itself does NOT give any permission on any resource of the domain. It will only permit you to include a global group or account of one domain in a local group of a resource server in the other domain.

If you want DOMAIN-A administrators to have full access on resources on a member server "FILESERV" in DOMAIN-B, you need to include the "Domain Admins" global group of DOMAIN-A in the "Administrators" local group of server FILESERV!

If you want DOMAIN-A administrators to manage all domain accounts of DOMAIN-B, you have to include the "Domain Admins" global group of DOMAIN-A in the "Administrators" group of DOMAIN-B.

As you can see, the trust relationship alone won't give any permissions. You still have to include accounts or groups in the local groups that give access to resources on the resource servers.

Have a good day.
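
The two group additions described in the answer above, as an added PowerShell example that is not part of the original post. DOMAIN-A, DOMAIN-B and FILESERV are the answer's own placeholders; the domain controller host names, the domain-B admin session it runs in, and the use of the Set-ADGroup "<SID=...>" member syntax to let the DC create the foreignSecurityPrincipal are assumptions of this example.

```powershell
# Added example, not from the original post. Performs the two memberships
# the answer describes for a trusted domain's admins:
#   1. DOMAIN-A\Domain Admins -> local Administrators on member server FILESERV
#   2. DOMAIN-A\Domain Admins -> Builtin\Administrators of DOMAIN-B
# Assumptions: run as a DOMAIN-B administrator with RSAT (ActiveDirectory
# module); FILESERV has the LocalAccounts module (Windows Server 2016 /
# PowerShell 5.1 or later); DC host names below are made up for the example.

Import-Module ActiveDirectory

$trustedGroupName = 'DOMAIN-A\Domain Admins'
$dcA = 'dc1.domain-a.local'   # assumed DC in the trusted domain
$dcB = 'dc1.domain-b.local'   # assumed DC in the resource domain

# Resolve the trusted group once. Its SID is what DOMAIN-B stores in a
# foreignSecurityPrincipal object when the group joins a group in DOMAIN-B.
$trustedSid = (Get-ADGroup -Identity 'Domain Admins' -Server $dcA).SID.Value

# --- 1. Member server: local Administrators group --------------------------
Invoke-Command -ComputerName 'FILESERV' -ArgumentList $trustedGroupName -ScriptBlock {
    param([string]$Member)
    $already = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq $Member }
    if (-not $already) {
        # On hosts without the LocalAccounts module the equivalent is:
        #   net localgroup Administrators "DOMAIN-A\Domain Admins" /add
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# --- 2. Domain: Builtin\Administrators of DOMAIN-B -------------------------
# Builtin\Administrators is a domain local group, so it may hold a global
# group from a trusted domain. Adding the member by "<SID=...>" (assumption:
# extended-DN member syntax) lets the DC create the foreignSecurityPrincipal
# object for that SID if none exists yet.
$adminsB = Get-ADGroup -Identity 'Administrators' -Server $dcB -Properties member
$fsp = Get-ADObject -Server $dcB `
    -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(objectSid=$trustedSid))"
if (-not ($fsp -and $adminsB.member -contains $fsp.DistinguishedName)) {
    Set-ADGroup -Identity $adminsB -Server $dcB -Add @{ member = "<SID=$trustedSid>" }
}

# --- Verify: list DOMAIN-B Administrators, translating foreign SIDs back
# to DOMAIN\Name through the trust where the name can be resolved.
(Get-ADGroup -Identity 'Administrators' -Server $dcB -Properties member).member |
    ForEach-Object {
        $obj = Get-ADObject -Identity $_ -Server $dcB -Properties objectSid
        $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
        $name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                  catch { $sid.Value })
        [pscustomobject]@{ Member = $name; Class = $obj.ObjectClass }
    }
```

Membership is evaluated when a logon token is built, so an admin who is already connected to FILESERV sees the new rights only after a fresh logon or a new SMB session to the server. If the trust uses selective authentication, these memberships are still not enough on their own: the "Allowed to authenticate" right on the server's computer object is required as well, which the following answers cover.
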
Assisted Solution

bluntTony earned 501 total points
ID: 26303616
As you have used selective authentication, in addition to granting access to the resources, you also need to grant the 'Allowed to authenticate' right to the users or group to allow them to even authenticate in the first place.

As pacib has said, to grant one domain's Domain Admins group full admin rights to machines in the other domain, you need to add them to the 'Administrators' local groups on the servers in question. This can either be done manually on each server or via a Restricted Groups policy via GPO.

So add the Domain Admins group to the local 'Administrators' group on FILESERV in the other domain, then in ADUC grant the Domain Admins group the 'Allowed to authenticate' right. See here for how to do this: http://technet.microsoft.com/en-us/library/cc738653%28WS.10%29.aspx

Assisted Solution

Americom earned 498 total points
ID: 26307935
As stated above, in other words:

If your administrator1 in "Domain 1" cannot access resources such as shares on file server2 in "Domain 2", you need to right-click the Server2 object in ADUC and go to Properties to check "Allowed to authenticate". This is mainly due to the fact that you have Selective Authentication configured in your trust.

If your administrator1 from Domain 1 wants to manage file server2 in Domain 2, you need to add this user (better to use a group) to the local Administrators group of server2. But you still need to have "Allowed to authenticate" checked. Group Policy to allow the Domain Admins group is the way to go.

But if you have added the Administrator1 account from Domain 1 as a member of the Builtin Administrators group of Domain2, your administrator1 really has all the rights, just not by default. The default right is to manage AD, meaning that user administrator1 can create an admin account and make that account a member of the Domain Admins group and therefore have access to all servers and workstations in domain2.
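
The "Allowed to authenticate" step that both of the preceding answers describe (the checkbox on the computer object's Security tab in ADUC), as an added PowerShell example that is not part of the original thread. It writes the same ACE ADUC does and then reads it back to verify. DOMAIN-A, DOMAIN-B and FILESERV are the thread's placeholders; the DC host name and the domain-B admin session (so that the ActiveDirectory module's AD: drive points at DOMAIN-B) are assumptions of this example.

```powershell
# Added example, not from the original posts. Grants and verifies the
# "Allowed to authenticate" extended right for DOMAIN-A\Domain Admins on the
# DOMAIN-B computer object of FILESERV, which selective authentication
# requires before that group can authenticate to the server at all.
# Assumptions: run as a DOMAIN-B administrator with the ActiveDirectory
# module (AD: drive = DOMAIN-B); 'dc1.domain-a.local' is a made-up DC name.

Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate control access right; this is
# the object type of the ACE that the ADUC checkbox creates.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Test-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne $AllowedToAuthenticate) { continue }
        # Compare by SID: a foreign principal that cannot be resolved to
        # DOMAIN\Name is reported as a raw SID and Translate() would throw.
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($aceSid -eq $Sid) { return $true }
    }
    return $false
}

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    if (Test-AllowedToAuthenticate -ComputerName $ComputerName -Sid $Sid) { return }
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # Allow ACE carrying ExtendedRight limited to this one control access right.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Principal from the trusted domain, resolved against an assumed DOMAIN-A DC.
$trustedSid = (Get-ADGroup -Identity 'Domain Admins' -Server 'dc1.domain-a.local').SID

Grant-AllowedToAuthenticate -ComputerName 'FILESERV' -Sid $trustedSid
Test-AllowedToAuthenticate  -ComputerName 'FILESERV' -Sid $trustedSid
```

Selective authentication is checked per computer object, so the right has to be granted on every DOMAIN-B machine the DOMAIN-A admins should reach; a membership in DOMAIN-B's Builtin Administrators group only becomes usable against the domain itself once the DOMAIN-B domain controllers' computer objects carry this right too. Keeping the grant scoped to the servers that actually need it is the point of choosing selective authentication over forest-wide authentication in the first place.
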

Author Comment

ID: 26311980
OK, this works fine.
I have added the Domain Admins from domain1 to svr1 of domain2.
And I have added the Domain Admins of domain1 to the local Administrators of domain2.
But it was not working directly after it. Is there a way to update it immediately?

How can I achieve that the Domain Admins from domain1 have full access to all machines in domain2?
And how do I create the GPO for it?
Can you tell me that in detail?


Author Closing Comment

ID: 31676650
It was not exactly the solution. But I found the rest in Google.
