Domain Trust

Hi,
I have setup a trust relation between our 2 domains.
But we have problems when Administrator1 wants to connect to resources in domain2 and vice versa. What is the problem?

The trust was created as selective, not as "all authentication" to the resources. How can I give the other Admin full access to my resources?

The DNS settings are done and also replicated to both domains. I think there is no error here.

George
Eprs_Admin (System Architect) asked:

Bruno PACI (IT Consultant) commented:
Hi,

The trust relationship by itself does NOT give any permission on any resource of the domain. It will only permit you to include a global group or account of one domain in a local group of a resource server in the other domain.

If you want DOMAIN-A administrators to have full access to resources on a member server "FILESERV" in DOMAIN-B, you need to include the "Domain Admins" global group of DOMAIN-A in the "Administrators" local group of server FILESERV!

If you want DOMAIN-A administrators to manage all domain accounts of DOMAIN-B, you have to include the "Domain Admins" global group of DOMAIN-A in the "Administrators" group of DOMAIN-B.

As you can see, the trust relationship alone won't give any permissions. You still have to include accounts or groups in the local groups that give access to resources on the resource servers.


Have a good day.
bluntTony commented:
As you have used selective authentication, in addition to granting access to the resources, you also need to grant the 'Allowed to authenticate' right to the users or group to allow them to even authenticate in the first place.

As pacib has said, to grant one domain's Domain Admins group full admin rights to machines in the other domain, you need to add them to the 'Administrators' local groups on the servers in question. This can either be done manually on each server or via a Restricted Groups policy in a GPO.

So add the Domain Admins group to the local 'Administrators' group on FILESERV in the other domain, then in ADUC grant the Domain Admins group the 'Allowed to authenticate' right. See here for how to do this: http://technet.microsoft.com/en-us/library/cc738653%28WS.10%29.aspx

Tony
Americom commented:
As stated above, in other words:

If your administrator1 in "Domain 1" cannot access resources such as shares on file server2 in "Domain 2", you need to right-click the Server2 object in ADUC, go to Properties and check "Allowed to authenticate". This is mainly due to the fact that you have Selective Authentication configured in your trust.

If your administrator1 from Domain 1 wants to manage file server2 in Domain 2, you need to add this user (better to use a group) to the local Administrators group of server2. But you still need to have "Allowed to authenticate" checked. Group Policy to allow the Domain Admins group is the way to go.

But if you have added the Administrator1 account from Domain 1 as a member of the Builtin Administrators group of Domain2, your administrator1 really has all the rights, just not by default. The default right is to manage AD, meaning that user administrator1 can create an admin account and make that account a member of the Domain Admins group and therefore have access to all servers and workstations in domain2.
0
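The two steps the answers above describe (putting the trusted domain's Domain Admins into the member server's local Administrators group, then granting that group "Allowed to authenticate" on the server's computer object because the trust uses selective authentication), as an added PowerShell example that is not from this thread. It assumes the RSAT ActiveDirectory module on a machine in the trusting domain, and the placeholder names DOMAIN1 (trusted domain), DOMAIN2 (trusting domain) and FILESERV (member server in DOMAIN2).

```powershell
# Added example, not from the original thread. Placeholder names: DOMAIN1 is the
# trusted domain whose "Domain Admins" need access, FILESERV is a member server in
# the trusting domain DOMAIN2. Run from a DOMAIN2 admin session with RSAT installed.
Import-Module ActiveDirectory

$foreignGroup = 'DOMAIN1\Domain Admins'   # placeholder: group from the trusted domain
$server       = 'FILESERV'                # placeholder: member server in DOMAIN2

# Step 1: the trust alone grants nothing. Add the foreign group to the server's
# local Administrators group (skipped if it is already a member).
Invoke-Command -ComputerName $server -ScriptBlock {
    param($member)
    $present = Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $member }
} -ArgumentList $foreignGroup

# Step 2: with selective authentication the group must also hold the
# "Allowed to authenticate" extended right on the server's computer object.
$computer = Get-ADComputer -Identity $server
$sid = (New-Object System.Security.Principal.NTAccount($foreignGroup)).Translate(
            [System.Security.Principal.SecurityIdentifier])

# Resolve the right's GUID from the schema's Extended-Rights container rather
# than hard-coding it.
$configNC   = (Get-ADRootDSE).ConfigurationNamingContext
$rightsGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                  -LDAPFilter '(displayName=Allowed-To-Authenticate)' `
                  -Properties rightsGuid).rightsGuid

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightsGuid)

$adPath = "AD:\$($computer.DistinguishedName)"
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Step 3: confirm the ACE is present before testing access from DOMAIN1.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -eq $foreignGroup -and $_.ObjectType -eq $rightsGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType
```

The local group change only shows up in a user's access token at their next logon to the server, so an already-open session from DOMAIN1 must be closed and reopened before the new membership applies.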
Eprs_Admin (System Architect, author) commented:
OK, this works fine.
I have added the Domain Admins from domain1 to svr1 of domain2.
And I have added the Domain Admins of domain1 to the local Administrators of domain2.
But it was not working directly after that. Is there a way to update it immediately?

How can I achieve that the Domain Admins from domain1 have full access to all machines in domain2?
And how do I create the GPO for it?
Can you tell me that in detail?

Eprs_Admin (System Architect, author) commented:
It was not exactly the solution, but I found the rest on Google.
Thanks.