Solved

login/sign-in to domain on another forest

Posted on 2010-08-12
5
844 Views
Last Modified: 2012-05-10
Hello,
I have a question on login/sign-in to a domain in another forest.  

In our current structure we have a root forest, Forest 1, and 2 domains under it, Domain 1 and Domain 2. Domain 2 is a resource domain, so we log in to Domain 1 to access email on the Exchange server and share resources across the domain.

We have set up another forest, Forest 2, and established a trust relationship with Forest 1. We will eventually move Domain 2 and all the objects under Forest 2. Since Forest 2 will be a resource forest only, all our users from Domain 2 will have to login/sign-in to Domain 1 so we can access the Exchange server and continue sharing resources.

My question is that I am not able to see Domain 1 in the drop-down menu on Windows XP, nor can I sign on using the Domain1\joe option. If we have a bi-directional trust established between forests, I should be able to see Domain 1 in Forest 1 from Domain 2 under Forest 2 to login/sign-in, but I can't. I checked the DNS configuration: the forward lookup zones for the DNS are loading all the information across the forest, but the reverse lookup zones cannot load all the information. Is that the reason I'm not able to see Domain 1, or is there something I'm missing that I need to look into so I can see Domain 1 as an option to logon/sign-on? What steps do I have to take so I am able to login/sign-in to Domain 1?
0
Question by:BiosIT-STJ
5 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33421663
Did you try the UPN method? i.e. user@otherdomain.fulldnsname
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33421680
It's been my experience that forest trusts don't populate the traditional drop-down domain selector, and the above UPN method is needed.

0
 
LVL 20

Accepted Solution

by:
woolnoir earned 250 total points
ID: 33421763
(Taken from http://blogs.technet.com/b/ad/archive/2008/01/04/the-domain-logon-dialogue.aspx)

The Windows interactive logon pull down menu for domains is created by contacting a Global Catalog and querying for domains. Global Catalogs are forest specific and hence will only know of domains in their own forest. Therefore, the list will not contain domains in a trusted forest other than the root domain.
 
In other words, the MSGINA domain drop-down list retains the same functionality but with the use of forest trust rather than external trusts the list will contain only the root domain of each forest trusted by the forest in which the machine account resides.
 
Additionally, there is no built-in method in the interactive logon menu which knows to query Global Catalogs of trusted forest(s).
 
Windows Vista and Server 2008 interactive logon menu behavior does not provide a pull down menu at all and hence this is not a concern in those releases (this stems from the new CredUI replacing GINA functionality). For Vista and 2008 UPN or UNC are the typical format for the user account name for domain logon.
 
This behavior is discussed at length in the Technet article below.  That article goes into great depth on other places where the user interface behaves differently across forests as well in the Logons and Authentication section, things which I am not discussing here.
 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx
 
0
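The accepted answer above explains why the XP logon drop-down is built from the local forest's Global Catalog and therefore cannot list Domain 1, and the thread as a whole turns on two things the asker can verify from a Forest 2 machine: that the forest trust exists in the right direction, and that DNS (forward SRV records, and the reverse PTR records the asker found missing) lets the DC locator find Domain 1's domain controllers. The following PowerShell script is an added example, not code from the original thread or from the linked Microsoft articles. It assumes the RSAT ActiveDirectory module on a domain-joined host in Forest 2, and the domain and forest names `domain1.forest1.example` and `forest1.example` are placeholders for the real trusted names.

```powershell
# Added example (not from the original thread): verify what a cross-forest logon
# depends on, from a machine in Forest 2. Requires the ActiveDirectory module (RSAT)
# and Resolve-DnsName (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory

$trustedDomain = 'domain1.forest1.example'   # placeholder: DNS name of Domain 1 in Forest 1
$trustedForest = 'forest1.example'            # placeholder: Forest 1 root domain

# 1. Trusts the local domain knows about: the forest trust to Forest 1 should appear
#    with Direction BiDirectional and ForestTransitive True.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, TrustType |
    Format-Table -AutoSize

# 2. Forward lookup: the DC locator finds Domain 1's DCs through this SRV record,
#    which must be resolvable from Forest 2's DNS (forwarder, stub or secondary zone).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$trustedDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget

# 3. Reverse lookup: report every DC address that lacks a PTR record, which is the
#    gap the asker described and the fix that finally made Domain1\username work.
foreach ($dc in $dcs) {
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
    foreach ($ip in ($a | Where-Object { $_.Type -eq 'A' }).IPAddress) {
        # Resolve-DnsName accepts a bare IP and performs the in-addr.arpa lookup itself.
        $ptr   = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        $state = if ($ptr) { 'PTR ok' } else { 'NO PTR' }
        '{0,-40} {1,-16} {2}' -f $dc, $ip, $state
    }
}

# 4. End-to-end locator check: if this fails, interactive logon to Domain 1 cannot
#    succeed regardless of what the drop-down shows.
nltest /dsgetdc:$trustedDomain /force

# 5. UPN suffixes published by the trusted forest. A user@suffix logon is routed by
#    suffix, so the suffix typed at the logon prompt must be one of these.
#    Querying a trusted forest may require -Server or -Credential (assumption).
(Get-ADForest -Identity $trustedForest).UPNSuffixes
```

Run it in an elevated PowerShell session on the Forest 2 workstation or a Forest 2 DC. Step 3 lists any DC without a PTR record; step 4 is the decisive test, because the DC locator is what both the `Domain1\username` and `user@suffix` logon forms ultimately depend on.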
 
LVL 20

Expert Comment

by:woolnoir
ID: 33483240
Any luck with this one?
0
 

Author Comment

by:BiosIT-STJ
ID: 33485043
Yes, actually once we added the reverse lookup zone we were able to login using domain\username.  The UPN method didn't work but all your suggestions did guide us toward getting our problem resolved.
Thanks for taking time to address our question.
0
