  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 991

Problem with creating universal groups across forests

In a test environment, I have two forests: abc.local and def.local.

I can ping computers by name from either forest.

There is a forest to forest trust created and working. The authentication is forest-wide, although I previously had it set to selective; no difference in the symptom below.

In each, I have one global security group called AbcUsersGlobal and DefUsersGlobal, respectively.

In def.local, I created a universal group called AbcDefUsersUniversal and added the DefUsersGlobal group to that.

I have two problems:
1. When I force replication, I cannot see the newly-created universal group in abc.local.
2. From the def.local machine, I tried to add abc.local's AbcUsersGlobal group to the AbcDefUsersUniversal group, and could not find the groups from the other domain. It says "The following object is not from a domain listed in the Select Locations dialog box." That's true, but I don't know how to point to a different domain.

I think I have to explicitly identify a domain in the other forest, but I don't know how to get this to work.
Thanks.
Asked by ovidbailey

1 Solution
Adam Brown (Sr Solutions Architect) commented:
Universal groups will only show up in the domain that they are created in. They will not automatically show up inside each domain. To add them to a group in the other domain, you have to do the following:
When you enter the dialog box where you enter the name of the group that you want to add, click on the Locations button and it should give you a list of all the domains that you can communicate with. If you select the domain that has the Universal group in it and hit okay, you should then be able to add that group to groups in the domain that you are working in or apply permissions to it.

ovidbailey (Author) commented:
Yeah, that's the problem. I don't see the other domain in the Locations area.

ovidbailey (Author) commented:
FWIW, I set up the trust to the other forest by adding a Conditional Forwarder to my DNS. Do I also need a stub zone?

Adam Brown (Sr Solutions Architect) commented:
Ah. You should probably use a stub zone for this particular situation.

ovidbailey (Author) commented:
Hmmm... didn't work. In DNS from def.local, I can see the zone files correctly from abc.local. But when I try to add to the security groups, the other forest's location is not there.

Adam Brown (Sr Solutions Architect) commented:
Let me do a little testing and get back to you.

ovidbailey (Author) commented:
It looks like I can assign the external forest group's permissions directly to the shared resource; when I go to the folder NTFS permissions, I see the other forest there. So it looks like I just can add the other forest groups to my forest's universal groups.

Adam Brown (Sr Solutions Architect) commented:
Okay, I think I figured it out. It goes like this:
According to the AGUDLP model, you should set your accounts as members of the Global group in the Domain. The Global group should be a member of the Universal group in the same Domain. Once that's done, the Universal group is made a member of a Domain Local group in the Domain the users need permissions in.

Unfortunately, Domain Local groups are the only ones that can have members from a separate forest. Universal groups can have members from all over the forest they are in, but not from forests that they are not a part of. Global groups can only have members in the domain they are in, but they can be a member of a group in any domain they have a trust relationship with.

It's possible to kick the Universal groups entirely out of the works by having the Global group be a member of the Domain Local group, but you should know that Domain Local and Global group membership is not replicated. This means that if you have a site without a Global Catalog (or without Universal Membership caching), and a link between that site and a global catalog, permissions applied to the Universal group won't be usable.
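The AGUDLP chain described in the answer above, carried out across the two forests from the thread with the RSAT ActiveDirectory PowerShell cmdlets. This is an added example, not code from the thread or from either poster; the domain controller names, the user name, the domain local group name and the share path are assumptions, and it assumes the forest trust is already in place and DNS resolves both forests. The last step reproduces the failure the asker hit: a universal group will not accept a member from the other forest, while the domain local group will (AD represents the foreign member as a foreignSecurityPrincipal object).

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module, an existing forest trust between abc.local and def.local, and that the
# DC names, user 'jdoe', group 'ShareX_Modify' and path D:\Shares\X are placeholders.
Import-Module ActiveDirectory

$accountDC  = 'dc1.abc.local'   # assumed DC in the account (user) forest
$resourceDC = 'dc1.def.local'   # assumed DC in the resource forest

# 0. Confirm the trust as seen from the resource forest, including whether
#    selective authentication is on (if it is, foreign users also need
#    "Allowed to Authenticate" on the resource computer).
Get-ADTrust -Filter "Target -eq 'abc.local'" -Server $resourceDC |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 1. A -> G: accounts go into the global group of their own domain (abc.local).
Add-ADGroupMember -Identity 'AbcUsersGlobal' -Members 'jdoe' -Server $accountDC

# 2. G -> U: the global group is nested in a universal group of the SAME forest.
#    (Universal membership is what the global catalog replicates.)
New-ADGroup -Name 'AbcUsersUniversal' -GroupScope Universal -GroupCategory Security -Server $accountDC
Add-ADGroupMember -Identity 'AbcUsersUniversal' -Members 'AbcUsersGlobal' -Server $accountDC

# 3. U -> DL: in the resource domain (def.local) create a domain local group and
#    add the abc.local universal group to it. Domain local is the only scope that
#    accepts a principal from the other forest. The member object is fetched from
#    its own forest with -Server so the cmdlet can resolve its SID.
New-ADGroup -Name 'ShareX_Modify' -GroupScope DomainLocal -GroupCategory Security -Server $resourceDC
$foreignGroup = Get-ADGroup -Identity 'AbcUsersUniversal' -Server $accountDC
Add-ADGroupMember -Identity 'ShareX_Modify' -Members $foreignGroup -Server $resourceDC

# 4. DL -> P: the permission on the resource is granted to the domain local group
#    only; nothing from abc.local appears in the ACL directly.
$acl  = Get-Acl -Path 'D:\Shares\X'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'DEF\ShareX_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Shares\X' -AclObject $acl

# The symptom from the question: adding a foreign-forest group to a universal
# group in def.local is rejected, because universal groups only take members
# from their own forest.
try {
    Add-ADGroupMember -Identity 'AbcDefUsersUniversal' -Members $foreignGroup `
        -Server $resourceDC -ErrorAction Stop
} catch {
    Write-Warning "Universal group refused cross-forest member: $($_.Exception.Message)"
}

# Check the result: the foreign member shows up under the domain local group as a
# foreignSecurityPrincipal whose SID belongs to abc.local.
Get-ADGroupMember -Identity 'ShareX_Modify' -Server $resourceDC |
    Select-Object Name, objectClass, SID
```

Run it from a machine joined to def.local with rights in both forests (or add -Credential to the abc.local calls). If step 3 fails with an "object not found" style error even though the trust exists, that is usually the name-resolution problem discussed earlier in the thread: the def.local DC must be able to resolve abc.local's SRV records through the conditional forwarder or stub zone before it can validate the foreign SID.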

ovidbailey (Author) commented:
Makes a huge amount of sense. Also, had never heard of the AGUDLP model, so that's another learning experience. Thanks, Dude!