Solved

AD trusts and account login issues

Posted on 2010-11-27
456 Views
Last Modified: 2012-05-10
I created 3 domains and 2 forests,

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

Upon making all DCs and creating the sites, I created a user in intranet.treyresearch.net and tried to log on with that user to the treyresearch.net domain... could not authenticate. I thought that child domains had an automatic two-way trust with the parent (confirmed with the forests and trusts console), yet I cannot log in... any reason? (The user does not exist in the parent domain, though it shouldn't; the child domain should refer the user to the parent domain and, based on the trust, it should authenticate, right?)

treyresearch.net has a two-way relationship with nepeangroup.net, yet the user cannot log in to that domain? Why is that? What am I missing?
Question by:Network_Padawan
11 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 34224027


Yes, two-way should be in place:
http://technet.microsoft.com/en-us/library/bb727030.aspx

You may need to put the intranet.treyresearch.net user into a treyresearch.net domain user group.

The trust is in place; however, I do not believe users are added to groups automatically. You can look at the "log on locally" right on your workstation, etc.

Mark

Author Comment

by:Network_Padawan
ID: 34224030
Hi mark,

Are you saying I need to add the user from the child domain to a domain user group in the parent domain?
Author Comment

by:Network_Padawan
ID: 34224087
I just tried that. In the parent domain, when I go to add the user and try to change the "Location", only treyresearch shows up; I cannot find the intranet.treyresearch domain to be able to select the user.

LVL 4

Expert Comment

by:shudman
ID: 34226616
That's because you will only be able to add contacts or other objects from other domains.

What machine are you actually trying to log on to... a DC or a workstation/server? When you say "authenticate"... what actually are you trying to achieve?

You may either have to create a domain local (or universal) group in treyresearch and add your intranet user account to that group. Then, depending on what they are trying to auth with, you may need to create a GPO to allow that domain local/universal group to log on interactively/via RDP.

LVL 18

Assisted Solution

by:Americom
Americom earned 166 total points
ID: 34226813
You cannot log on to a domain while the user account does not exist in that domain. This is the fact. You can only log on to the domain where the account exists. However, when you access shared resources in another domain, that domain will authenticate you if a trust is established. This is simply by default via a group called the Authenticated Users group, which exists in each domain and of which all users in trusted domains are assumed to be members. So logon and authentication are not the same. By default the Authenticated Users group allows all users to have view access to resources such as Active Directory objects. Now, if you have a shared folder and only want to grant access to a specific group which consists of users belonging to both trusted domains, then you should create a domain local group in the domain where your shared resources belong so that you can add users from another domain to this group, then grant access to this domain local group.
Author Comment

by:Network_Padawan
ID: 34227519
Hi Americom,

Can I just confirm that a trust relationship is not there to allow a user from one domain to be able to log on to another trusted domain under any circumstances? You're saying that resources can be shared to accounts from trusted domains, but that's about it?

Is this correct?

LVL 15

Accepted Solution

by:markpalinux
markpalinux earned 167 total points
ID: 34229360
Both #1 and #2 should be true. From a previous post it seems like someone was stating users in domain A wouldn't be able to log on to machines in domain B; that should not be the case.

#1)
User accounts in Treyresearch.net would be able to log on to intranet.treyresearch.net (workstations and servers). You have to look at the "log on locally" permissions.

#2)
Likewise, intranet.treyresearch.net users can log on to workstations and servers in the Treyresearch.net domain if the proper "log on locally" rights or group membership is assigned.

Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Also, I would suggest you run dcdiag. Do your two Treyresearch domains have DNS zones replicated to the forest or domain?

You need Visio (you can get a free trial) and this will create a Visio doc showing your domain setup.
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Mark

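One way to check the three things Mark's answer points at from a PowerShell prompt: the state of the trust, who actually holds the "Allow log on locally" right on the machine you are logging on to, and which DNS zones replicate forest-wide versus domain-wide. This is an added example, not code from the thread or from any of the posters. It assumes the RSAT ActiveDirectory module is installed and uses the thread's domain names; the `SeInteractiveLogonRight` parsing relies on the `*SID` list format that `secedit /export` writes.

```powershell
# Added example, not from the thread. Run as a domain admin on a member of
# treyresearch.net (parent) with RSAT installed. Domain names are the thread's.
Import-Module ActiveDirectory

$parent = 'treyresearch.net'
$child  = 'intranet.treyresearch.net'

# 1. Trust check. The parent/child trust is created together with the child
#    domain and should report Direction = BiDirectional, IntraForest = True.
Get-ADTrust -Filter * -Server $parent |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive |
    Format-Table -AutoSize
nltest /trusted_domains          # Netlogon's own view of the trusts

# 2. "Allow log on locally" on THIS machine. A trust only says "I will accept
#    your tickets"; the local user-rights assignment decides who may sit at the
#    console. secedit exports the right as a comma-separated list of *SID
#    entries, so resolve each SID to a name.
function Get-InteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                 # right not defined locally
    (($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }                   # unresolvable SID: show it raw
        } else { $entry }                          # secedit may also write plain names
    }
}
"Allow log on locally on $env:COMPUTERNAME :"
Get-InteractiveLogonRight | ForEach-Object { "  $_" }
# Reading the result: on a workstation BUILTIN\Users is listed by default and
# contains Authenticated Users, so a user from the trusted child domain can log
# on. On a domain controller the default list is Administrators and the
# operator groups only, which is why a trust alone never gets you a console
# logon at a DC.

# 3. DNS replication scope, which is Mark's "forest or domain" question.
#    Zones stored in ForestDnsZones replicate to every DC in the forest; zones
#    in DomainDnsZones replicate only inside their own domain. If the parent's
#    DCs cannot resolve the child's zone (or the reverse), referrals across the
#    trust fail even though the trust itself is healthy.
$forestRootDN = 'DC=' + ($parent -replace '\.', ',DC=')
Get-ADObject -Filter 'objectClass -eq "dnsZone"' -Server $parent `
             -SearchBase "DC=ForestDnsZones,$forestRootDN" |
    Select-Object @{n='Partition';e={'ForestDnsZones'}}, Name
foreach ($dom in $parent, $child) {
    $dn = 'DC=' + ($dom -replace '\.', ',DC=')
    Get-ADObject -Filter 'objectClass -eq "dnsZone"' -Server $dom `
                 -SearchBase "DC=DomainDnsZones,$dn" |
        Select-Object @{n='Partition';e={"DomainDnsZones ($dom)"}}, Name
}

# dcdiag's DNS test covers delegations, forwarders and zone health on every DC
dcdiag /test:DNS /e
```

If the child user's groups (or BUILTIN\Users) do not appear in the logon-right list, that, not the trust, is what is refusing the logon; grant the right through a GPO scoped to the machines concerned rather than editing each box by hand.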

Author Comment

by:Network_Padawan
ID: 34236821
Hi Mark,

At the moment, I have three GC servers each with their own domain.

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

I created a Universal group in nepeangroup.com and added a bunch of user accounts to it. I went onto the intranet DC server and created a shared folder, and when I wanted to give access to this universal group (called "staff"), I was able to browse the nepean domain, but it would not recognise the staff group.

I'm not sure what I am doing wrong.

LVL 4

Assisted Solution

by:shudman
shudman earned 167 total points
ID: 34242400
Create the universal group (staff) in intranet, add your users from nepeangroup, and then ACL the share on the DC with the universal group.
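The pattern Americom and shudman both describe, carried out in PowerShell: a group in the domain that owns the share, trusted-domain users added to it, and the share's NTFS and share permissions granted to that group. This is an added example, not code from the thread. It uses a domain local group rather than the universal group shudman suggests, because nepeangroup.com is a separate forest and only domain local groups can hold members from a trusted external forest (that scope rule is also why the "staff" universal group created on the nepeangroup side was not usable on the intranet DC). It assumes the RSAT ActiveDirectory module, Windows Server 2012 or later for `New-SmbShare`, and a working forest trust; the group name, OU, share path and the `INTRANET` NetBIOS name are hypothetical.

```powershell
# Added example, not from the thread. Run on the intranet.treyresearch.net DC
# that hosts the share, as a domain admin. Names below are hypothetical.
Import-Module ActiveDirectory

$resourceDomain = 'intranet.treyresearch.net'   # where the share lives
$trustedDomain  = 'nepeangroup.com'             # where the users live
$groupName      = 'Staff-Share-Modify'          # hypothetical resource group
$sharePath      = 'C:\Shares\Staff'             # hypothetical
$shareName      = 'Staff'
$principal      = "INTRANET\$groupName"         # assumed NetBIOS name of the resource domain

# 1. Domain local security group in the RESOURCE domain. Domain local scope is
#    the only scope that can contain users from another forest.
$grp = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $resourceDomain
if (-not $grp) {
    $grp = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                       -Server $resourceDomain -PassThru
}

# 2. Add the trusted-forest users by SID. Writing the member as "<SID=...>" lets
#    the resource-domain DC create the matching foreignSecurityPrincipal object
#    itself; the users' own DNs are meaningless in this forest.
$trustedUsers = Get-ADUser -Filter 'Enabled -eq $true' -Server $trustedDomain `
                           -SearchBase 'OU=Staff,DC=nepeangroup,DC=com'   # hypothetical OU
foreach ($u in $trustedUsers) {
    try {
        Set-ADGroup -Identity $grp -Add @{ member = "<SID=$($u.SID.Value)>" } `
                    -Server $resourceDomain -ErrorAction Stop
    } catch {
        Write-Warning "$($u.SamAccountName): $($_.Exception.Message)"   # e.g. already a member
    }
}

# 3. NTFS permissions: stop inheriting from the parent folder, then grant
#    Administrators and SYSTEM full control and the resource group Modify.
#    Nothing else gets an ACE, so Authenticated Users (which spans trusted
#    domains) does not get in just by being authenticated.
if (-not (Test-Path $sharePath)) { New-Item -ItemType Directory -Path $sharePath | Out-Null }
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)      # break inheritance, drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($ace in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($principal,               'Modify'))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ace[0], $ace[1], $inherit, 'None', 'Allow')))
}
Set-Acl -Path $sharePath -AclObject $acl

# 4. Share permissions: grant the same group Change; NTFS above does the fine-grained work.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath -ChangeAccess $principal | Out-Null
}

# 5. Verify: members appear as foreignSecurityPrincipal DNs under CN=ForeignSecurityPrincipals
Get-ADGroup -Identity $groupName -Server $resourceDomain -Properties member |
    Select-Object -ExpandProperty member
(Get-Acl -Path $sharePath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because the group is domain local, it can also take members from treyresearch.net and its child without any change, so one group per share (rather than one per source domain) is enough.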
Author Comment

by:Network_Padawan
ID: 34254866
Thanks Shud, I'll try that tomorrow and post back results. Sorry, I am swamped at the moment with other things.


Author Closing Comment

by:Network_Padawan
ID: 34327613
Thanks guys. I was able to configure the groups and share access successfully. I apologize for the delay in responding. Appreciated.