Solved

Problem with creating universal groups across forests

Posted on 2010-09-07
9
927 Views
Last Modified: 2012-05-10
In a test environment, I have two forests: abc.local and def.local.

I can ping computers by name from either forest.

There is a forest to forest trust created and working. The authentication is forest-wide, although I previously had it set to selective; no difference in the symptom below.

In each, I have one global security group called AbcUsersGlobal and DefUsersGlobal, respectively.

In def.local, I created a universal group called AbcDefUsersUniversal and added the DefUsersGlobal group to that.

I have two problems:
1. When I force replication, I cannot see the newly-created universal group in abc.local.
2. From the def.local machine, I tried to add abc.local's AbcUsersGlobal group to the AbcDefUsersUniversal group, and could not find the groups from the other domain. Says "The following object is not from a domain listed in the Select Locations dialog box." That's true, but I don't know how to point to a different domain.

I think I have to explicitly identify a domain in the other forest, but I don't know how to get this to work.
Thanks.
0
Comment
Question by:ovidbailey
  • 5
  • 4
9 Comments
 
LVL 38

Expert Comment

by:Adam Brown
Comment Utility
Universal groups will only show up in the domain that they are created in. They will not automatically show up inside each domain. To add them to a group in the other domain, you have to do the following:
When you enter the dialog box where you enter the name of the group that you want to add, click on the Locations button and it should give you a list of all the domains that you can communicate with. If you select the domain that has the Universal group in it and hit okay, you should then be able to add that group to groups in the domain that you are working in or apply permissions to it.
0
 

Author Comment

by:ovidbailey
Comment Utility
Yeah, that's the problem. I don't see the other domain in the Locations area.
0
 

Author Comment

by:ovidbailey
Comment Utility
FWIW, I set up the trust to the other forest by adding a Conditional Forwarder to my DNS. Do I also need a stub zone?
0
 
LVL 38

Expert Comment

by:Adam Brown
Comment Utility
Ah. You should probably use a stub zone for this particular situation.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:ovidbailey
Comment Utility
Hmmm....didn't work. In DNS from def.local, I can see the zone files correctly from abc.local. But when I try to add to the security groups, the other forest's location is not there.
0
 
LVL 38

Expert Comment

by:Adam Brown
Comment Utility
Let me do a little testing and get back to you.
0
 

Author Comment

by:ovidbailey
Comment Utility
It looks like I can assign  the external forest group's permissions directly to the shared resource; when I go to the folder NTFS permissions, I see the other forest there. So it looks like I just can add the other forest groups to my forest's universal groups.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
Comment Utility
Okay, I think I figured it out. It goes like this:
According to the AGUDLP model, you should set your accounts as members of the Global group in the Domain. The Global group should be a member of the Universal group in the same Domain. Once that's done, the Universal group is made a member of a Domain Local group in the Domain the users need permissions in. Unfortunately, Domain Local groups are the only ones that can have members from a separate forest. Universal groups can have members from all over the forest they are in, but not from forests that they are not a part of. Global groups can only have members in the domain they are in, but they can be a member of a group in any domain they have a trust relationship with. It's possible to kick the Universal groups entirely out of the works by having the Global group be a member of the Domain Local group, but you should know that Domain Local and Global group membership is not replicated. This means that if you have a site without a Global Catalog (Or without Universal Membership caching), and a link between that site and a global catalog, permissions applied to the Universal group won't be usable.
0
 

Author Comment

by:ovidbailey
Comment Utility
Makes a huge amount of sense. Also, had never heard of the AGUDLP model, so that's another learning experience. Thanks, Dude!
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Join & Write a Comment

The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now