Solved

Problem with creating universal groups across forests

Posted on 2010-09-07
947 Views
Last Modified: 2012-05-10
In a test environment, I have two forests: abc.local and def.local.

I can ping computers by name from either forest.

There is a forest to forest trust created and working. The authentication is forest-wide, although I previously had it set to selective; no difference in the symptom below.

In each, I have one global security group called AbcUsersGlobal and DefUsersGlobal, respectively.

In def.local, I created a universal group called AbcDefUsersUniversal and added the DefUsersGlobal group to that.

I have two problems:
1. When I force replication, I cannot see the newly-created universal group in abc.local.
2. From the def.local machine, I tried to add abc.local's AbcUsersGlobal group to the AbcDefUsersUniversal group, and could not find the groups from the other domain. Says "The following object is not from a domain listed in the Select Locations dialog box." That's true, but I don't know how to point to a different domain.

I think I have to explicitly identify a domain in the other forest, but I don't know how to get this to work.
Thanks.
Question by:ovidbailey

9 Comments

Expert Comment

by:Adam Brown
ID: 33620448
Universal groups will only show up in the domain that they are created in. They will not automatically show up inside each domain. To add them to a group in the other domain, you have to do the following:
When you enter the dialog box where you enter the name of the group that you want to add, click on the Locations button and it should give you a list of all the domains that you can communicate with. If you select the domain that has the Universal group in it and hit okay, you should then be able to add that group to groups in the domain that you are working in or apply permissions to it.
Author Comment

by:ovidbailey
ID: 33620503
Yeah, that's the problem. I don't see the other domain in the Locations area.
Author Comment

by:ovidbailey
ID: 33620545
FWIW, I set up the trust to the other forest by adding a Conditional Forwarder to my DNS. Do I also need a stub zone?
Expert Comment

by:Adam Brown
ID: 33620719
Ah. You should probably use a stub zone for this particular situation.
Author Comment

by:ovidbailey
ID: 33620870
Hmmm....didn't work. In DNS from def.local, I can see the zone files correctly from abc.local. But when I try to add to the security groups, the other forest's location is not there.
Expert Comment

by:Adam Brown
ID: 33620880
Let me do a little testing and get back to you.
Author Comment

by:ovidbailey
ID: 33621172
It looks like I can assign the external forest group's permissions directly to the shared resource; when I go to the folder NTFS permissions, I see the other forest there. So it looks like I just can add the other forest groups to my forest's universal groups.
Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33621379
Okay, I think I figured it out. It goes like this:
According to the AGUDLP model, you should set your accounts as members of the Global group in the Domain. The Global group should be a member of the Universal group in the same Domain. Once that's done, the Universal group is made a member of a Domain Local group in the Domain the users need permissions in.

Unfortunately, Domain Local groups are the only ones that can have members from a separate forest. Universal groups can have members from all over the forest they are in, but not from forests that they are not a part of. Global groups can only have members in the domain they are in, but they can be a member of a group in any domain they have a trust relationship with.

It's possible to kick the Universal groups entirely out of the works by having the Global group be a member of the Domain Local group, but you should know that Domain Local and Global group membership is not replicated. This means that if you have a site without a Global Catalog (or without Universal Membership caching), and a link between that site and a global catalog, permissions applied to the Universal group won't be usable.
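The accepted answer describes the AGUDLP chain in words; the following PowerShell is an added example (not code from the thread or from either poster) that builds that chain across the two forests from the question. It uses the group names the poster gave (DefUsersGlobal, AbcDefUsersUniversal) and treats abc.local as the resource forest where the folder lives and def.local as the account forest. The domain controller names, the OU path, the user name jdoe, the Domain Local group name AbcShareReadDL and the share path are assumptions for illustration. It requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) and a working forest trust; the cross-forest member is written by SID, which is what lets a Domain Local group hold a principal from a domain that never appears in the Locations dialog.

```powershell
# Added example, not the thread's own code. Assumes:
#   def.local  = account forest (DefUsersGlobal, AbcDefUsersUniversal live here)
#   abc.local  = resource forest (the shared folder lives here)
#   dc1.def.local / dc1.abc.local, the OU path, user jdoe and D:\Shares\Projects
#   are placeholders; replace with your own.
Import-Module ActiveDirectory

$accountDC  = 'dc1.def.local'
$resourceDC = 'dc1.abc.local'

# A -> G : accounts go into the Global group of their own domain.
Add-ADGroupMember -Server $accountDC -Identity 'DefUsersGlobal' -Members 'jdoe'

# G -> U : the Global group becomes a member of the Universal group in the
# same forest. A Universal group can only take members from its own forest,
# which is why the poster could not add abc.local's group here.
Add-ADGroupMember -Server $accountDC -Identity 'AbcDefUsersUniversal' -Members 'DefUsersGlobal'

# U -> DL : create a Domain Local group in the resource domain. Domain Local
# is the only scope that accepts members from another forest.
New-ADGroup -Server $resourceDC `
            -Name 'AbcShareReadDL' `
            -GroupScope DomainLocal `
            -GroupCategory Security `
            -Path 'OU=Groups,DC=abc,DC=local'

# Look the foreign Universal group up in ITS forest to get its SID, then add
# it to the Domain Local group by SID. AD creates the matching
# foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals in
# abc.local on first reference, so nothing has to be pre-created.
$foreign = Get-ADGroup -Server $accountDC -Identity 'AbcDefUsersUniversal'
Set-ADGroup -Server $resourceDC -Identity 'AbcShareReadDL' `
            -Add @{ member = "<SID=$($foreign.SID.Value)>" }

# DL -> P : permissions go on the Domain Local group only.
$path = 'D:\Shares\Projects'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'ABC\AbcShareReadDL',
            'ReadAndExecute',
            'ContainerInherit,ObjectInherit',
            'None',
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: the cross-forest member shows up as a foreignSecurityPrincipal whose
# name is the SID of AbcDefUsersUniversal in def.local.
Get-ADGroupMember -Server $resourceDC -Identity 'AbcShareReadDL' |
    Select-Object name, objectClass, SID
```

If the last command lists the member as a raw SID with objectClass foreignSecurityPrincipal, the chain is complete and users in DefUsersGlobal will resolve the ACE after their next logon; if Get-ADGroup for the foreign group fails, the trust or DNS (the conditional forwarder or stub zone discussed above) is the problem, not group scope.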
Author Comment

by:ovidbailey
ID: 33624022
Makes a huge amount of sense. Also, had never heard of the AGUDLP model, so that's another learning experience. Thanks, Dude!