Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Problem with creating universal groups across forests

Posted on 2010-09-07
9
Medium Priority
?
983 Views
Last Modified: 2012-05-10
In a test environment, I have two forests: abc.local and def.local.

I can ping computers by name from either forest.

There is a forest to forest trust created and working. The authentication is forest-wide, although I previously had it set to selective; no difference in the symptom below.

In each, I have one global security group called AbcUsersGlobal and DefUsersGlobal, respectively.

In def.local, I created a universal group called AbcDefUsersUniversal and added the DefUsersGlobal group to that.

I have two problems:
1. When I force replication, I cannot see the newly-created universal group in abc.local.
2. From the def.local machine, I tried to add abc.local's AbcUsersGlobal group to the AbcDefUsersUniversal group, and could not find the groups from the other domain. Says "The following object is not from a domain listed in the Select Locations dialog box." That's true, but I don't know how to point to a different domain.

I think I have to explicitly identify a domain in the other forest, but I don't know how to get this to work.
Thanks.
0
Comment
Question by:ovidbailey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 42

Expert Comment

by:Adam Brown
ID: 33620448
Universal groups will only show up in the domain that they are created in. They will not automatically show up inside each domain. To add them to a group in the other domain, you have to do the following:
When you enter the dialog box where you enter the name of the group that you want to add, click on the Locations button and it should give you a list of all the domains that you can communicate with. If you select the domain that has the Universal group in it and hit okay, you should then be able to add that group to groups in the domain that you are working in or apply permissions to it.
0
 

Author Comment

by:ovidbailey
ID: 33620503
Yeah, that's the problem. I don't see the other domain in the Locations area.
0
 

Author Comment

by:ovidbailey
ID: 33620545
FWIW, I set up the trust to the other forest by adding a Conditional Forwarder to my DNS. Do I also need a stub zone?
0
Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
LVL 42

Expert Comment

by:Adam Brown
ID: 33620719
Ah. You should probably use a stub zone for this particular situation.
0
 

Author Comment

by:ovidbailey
ID: 33620870
Hmmm....didn't work. In DNS from def.local, I can see the zone files correctly from abc.local. But when I try to add to the security groups, the other forest's location is not there.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 33620880
Let me do a little testing and get back to you.
0
 

Author Comment

by:ovidbailey
ID: 33621172
It looks like I can assign  the external forest group's permissions directly to the shared resource; when I go to the folder NTFS permissions, I see the other forest there. So it looks like I just can add the other forest groups to my forest's universal groups.
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 33621379
Okay, I think I figured it out. It goes like this:
According to the AGUDLP model, you should set your accounts as members of the Global group in the Domain. The Global group should be a member of the Universal group in the same Domain. Once that's done, the Universal group is made a member of a Domain Local group in the Domain the users need permissions in. Unfortunately, Domain Local groups are the only ones that can have members from a separate forest. Universal groups can have members from all over the forest they are in, but not from forests that they are not a part of. Global groups can only have members in the domain they are in, but they can be a member of a group in any domain they have a trust relationship with. It's possible to kick the Universal groups entirely out of the works by having the Global group be a member of the Domain Local group, but you should know that Domain Local and Global group membership is not replicated. This means that if you have a site without a Global Catalog (Or without Universal Membership caching), and a link between that site and a global catalog, permissions applied to the Universal group won't be usable.
0
 

Author Comment

by:ovidbailey
ID: 33624022
Makes a huge amount of sense. Also, had never heard of the AGUDLP model, so that's another learning experience. Thanks, Dude!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question