Solved

Problem with creating universal groups across forests

Posted on 2010-09-07
9
977 Views
Last Modified: 2012-05-10
In a test environment, I have two forests: abc.local and def.local.

I can ping computers by name from either forest.

There is a forest to forest trust created and working. The authentication is forest-wide, although I previously had it set to selective; no difference in the symptom below.

In each, I have one global security group called AbcUsersGlobal and DefUsersGlobal, respectively.

In def.local, I created a universal group called AbcDefUsersUniversal and added the DefUsersGlobal group to that.

I have two problems:
1. When I force replication, I cannot see the newly-created universal group in abc.local.
2. From the def.local machine, I tried to add abc.local's AbcUsersGlobal group to the AbcDefUsersUniversal group, and could not find the groups from the other domain. Says "The following object is not from a domain listed in the Select Locations dialog box." That's true, but I don't know how to point to a different domain.

I think I have to explicitly identify a domain in the other forest, but I don't know how to get this to work.
Thanks.
0
Comment
Question by:ovidbailey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 41

Expert Comment

by:Adam Brown
ID: 33620448
Universal groups will only show up in the domain that they are created in. They will not automatically show up inside each domain. To add them to a group in the other domain, you have to do the following:
When you enter the dialog box where you enter the name of the group that you want to add, click on the Locations button and it should give you a list of all the domains that you can communicate with. If you select the domain that has the Universal group in it and hit okay, you should then be able to add that group to groups in the domain that you are working in or apply permissions to it.
0
 

Author Comment

by:ovidbailey
ID: 33620503
Yeah, that's the problem. I don't see the other domain in the Locations area.
0
 

Author Comment

by:ovidbailey
ID: 33620545
FWIW, I set up the trust to the other forest by adding a Conditional Forwarder to my DNS. Do I also need a stub zone?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 41

Expert Comment

by:Adam Brown
ID: 33620719
Ah. You should probably use a stub zone for this particular situation.
0
 

Author Comment

by:ovidbailey
ID: 33620870
Hmmm....didn't work. In DNS from def.local, I can see the zone files correctly from abc.local. But when I try to add to the security groups, the other forest's location is not there.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 33620880
Let me do a little testing and get back to you.
0
 

Author Comment

by:ovidbailey
ID: 33621172
It looks like I can assign  the external forest group's permissions directly to the shared resource; when I go to the folder NTFS permissions, I see the other forest there. So it looks like I just can add the other forest groups to my forest's universal groups.
0
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33621379
Okay, I think I figured it out. It goes like this:
According to the AGUDLP model, you should set your accounts as members of the Global group in the Domain. The Global group should be a member of the Universal group in the same Domain. Once that's done, the Universal group is made a member of a Domain Local group in the Domain the users need permissions in. Unfortunately, Domain Local groups are the only ones that can have members from a separate forest. Universal groups can have members from all over the forest they are in, but not from forests that they are not a part of. Global groups can only have members in the domain they are in, but they can be a member of a group in any domain they have a trust relationship with. It's possible to kick the Universal groups entirely out of the works by having the Global group be a member of the Domain Local group, but you should know that Domain Local and Global group membership is not replicated. This means that if you have a site without a Global Catalog (Or without Universal Membership caching), and a link between that site and a global catalog, permissions applied to the Universal group won't be usable.
0
 

Author Comment

by:ovidbailey
ID: 33624022
Makes a huge amount of sense. Also, had never heard of the AGUDLP model, so that's another learning experience. Thanks, Dude!
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question