Solved

AD trusts and account login issues

Posted on 2010-11-27
11
455 Views
Last Modified: 2012-05-10
I created 3 domains and 2 forests,

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

Upon making all DCs and creating the sites, I created a user in intranet.treyresearch.net and tried to log on with that user to the treyresearch.net domain... could not authenticate. I thought that child domains had an automatic two-way trust with the parent (confirmed with the Forests and Trusts console), yet I cannot log in... any reason? (The user does not exist in the parent domain, though it shouldn't need to; the child domain should refer the user to the parent domain and, based on the trust, should authenticate, right?)

treyresearch.net has a two-way relationship with nepeangroup.net, yet the user cannot log in to that domain? Why is that? What am I missing?
0
Question by:Network_Padawan
11 Comments
 
LVL 15

Expert Comment

by:markpalinux


Yes, a two-way trust should be in place:
http://technet.microsoft.com/en-us/library/bb727030.aspx

You may need to put the intranet.treyresearch.net user into a treyresearch.net domain user group.

The trust is in place; however, I do not believe users are added to groups automatically. You can look at the Log on locally right on your workstation, etc.

Mark
0
 

Author Comment

by:Network_Padawan
Hi mark,

Are you saying I need to add the user from the child domain to a domain user group in the parent domain?
0
 

Author Comment

by:Network_Padawan
I just tried that. In the parent domain, when I go to add the user and I try to change the "Location", only treyresearch shows up; I cannot find the intranet.treyresearch domain to be able to select the user.
0
 
LVL 4

Expert Comment

by:shudman
That's because you will only be able to add contacts or other objects from other domains.

What machine are you actually trying to log on to... a DC or a workstation/server? When you say "authenticate"... what actually are you trying to achieve?

You may either have to create a domain local (or universal) group in treyresearch and add your intranet user account to that group. Then, depending on what they are trying to authenticate with, you may need to create a GPO to allow that domain local/universal group to log on interactively/via RDP.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 166 total points
You cannot log on to a domain while the user account does not exist in that domain. This is a fact. You can only log on to the domain where the account exists. However, when you access shared resources in another domain, that domain will authenticate you if a trust is established. This is by default via a group called Authenticated Users, which exists in each domain and which all users in trusted domains are assumed to be members of. So logon and authentication are not the same. By default the Authenticated Users group allows all users view access to resources such as Active Directory objects. Now, if you have a shared folder and only want to grant access to a specific group which consists of users belonging to both trusted domains, then you should create a domain local group in the domain where your shared resources belong, so that you can add users from another domain to this group, then grant access to this domain local group.
0

 

Author Comment

by:Network_Padawan
Hi Americom,

Can I just confirm that a trust relationship is not there to allow a user from one domain to be able to log on to another trusted domain under any circumstances? You're saying that resources can be shared to accounts from trusted domains, but that's about it?

Is this correct?
0
 
LVL 15

Accepted Solution

by:markpalinux
markpalinux earned 167 total points
Both #1 and #2 should be true. From a previous post it seems like someone was stating users in domain A wouldn't be able to log on to machines in domain B; that should not be the case.
#1)
User accounts in Treyresearch.net would be able to log on to intranet.treyresearch.net (workstations and servers). You have to look at the Log on locally permissions.

#2)
Likewise, intranet.treyresearch.net users can log on to workstations and servers in the Treyresearch.net domain if the proper Log on locally rights or group membership is assigned.


Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Also I would suggest you run dcdiag. Do your two Treyresearch domains have DNS zones replicated to the forest or domain?

You need Visio (you can get a free trial) and this will create a Visio doc showing your domain setup.
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Mark
0
 

Author Comment

by:Network_Padawan
Hi Mark,

At the moment, I have three GC servers each with their own domain.

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

I created a Universal group in nepeangroup.com, I added a bunch of user accounts in there. I went in the intranet DC server and created a share folder and when I wanted to give access to this universal group (called "staff"), I was able to browse the nepean domain, but it would not recognise the staff group.

I'm not sure what I am doing wrong.
0
 
LVL 4

Assisted Solution

by:shudman
shudman earned 167 total points
Create the universal group (staff) in intranet, add your users from nepeangroup, and then ACL the share on the DC with the universal group.
0
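As an added example (not code from anyone in this thread), here is the domain local group approach Americom describes, scripted in PowerShell: it confirms the trust as seen from the resource domain, creates the group in intranet.treyresearch.net, adds users resolved from nepeangroup.com, ACLs the folder, and lists the resulting members. It assumes the ActiveDirectory RSAT module (Windows Server 2012 or later for Get-ADTrust), an existing two-way trust, and that it runs as an admin of the resource domain; the group name, folder path and user names are assumed placeholders.

```powershell
# Assumptions: ActiveDirectory module (2012+ for Get-ADTrust), the trust already
# exists, and this runs on a member of the resource domain with admin rights.
Import-Module ActiveDirectory

$ResourceDomain = 'intranet.treyresearch.net'   # domain that owns the share
$TrustedDomain  = 'nepeangroup.com'             # domain that owns the users
$GroupName      = 'Staff-ShareAccess'           # assumed name, not from the thread
$SharePath      = 'D:\Shares\Staff'             # assumed path, not from the thread
$TrustedUsers   = @('alice', 'bob')             # assumed sAMAccountNames in nepeangroup.com

# 1. Confirm the trust exists as seen from the resource domain and note its direction.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $ResourceDomain
if (-not $trust) { throw "No trust to $TrustedDomain is defined in $ResourceDomain" }
"Trust to $($trust.Name): Direction=$($trust.Direction) ForestTransitive=$($trust.ForestTransitive)"

# 2. Create a DOMAIN LOCAL security group in the resource domain. Domain local
#    scope is the one that accepts accounts from a trusted forest; universal
#    groups can only hold principals from their own forest.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $ResourceDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal `
                         -GroupCategory Security -Server $ResourceDomain -PassThru
}

# 3. Resolve each user against the TRUSTED domain's DCs, then add the resolved
#    object through the RESOURCE domain's DC. AD creates the foreign security
#    principal (the user's SID) in the resource domain automatically.
foreach ($sam in $TrustedUsers) {
    $user = Get-ADUser -Identity $sam -Server $TrustedDomain
    Add-ADGroupMember -Identity $group -Members $user -Server $ResourceDomain
}

# 4. Grant the group Modify on the folder (NTFS). Keep the share permission
#    broad and let NTFS, scoped to this one group, do the actual gating.
$netbios = (Get-ADDomain -Server $ResourceDomain).NetBIOSName
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList @("$netbios\$GroupName", 'Modify',
                            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $SharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 5. Verify: members from the other forest appear as DNs under
#    CN=ForeignSecurityPrincipals; a missing entry means the add or SID
#    resolution across the trust failed.
(Get-ADGroup -Identity $group -Properties Members -Server $ResourceDomain).Members
```

Read the Members property rather than Get-ADGroupMember here, because the latter can fail to enumerate foreign security principals when the trusted domain is unreachable.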
 

Author Comment

by:Network_Padawan
Thanks Shud, I'll try that tomorrow and post back results. Sorry, I am swamped at the moment with other things.
0
 

Author Closing Comment

by:Network_Padawan
Thanks guys. I was able to configure the groups and share access successfully. I apologize for the delay in responding. Appreciated.
0
