  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 469

AD trusts and account login issues

I created 3 domains and 2 forests,

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

Upon making all DCs and creating the sites, I created a user in intranet.treyresearch.net and tried to log on with that user to the treyresearch.net domain... could not authenticate. I thought that child domains had an automatic two-way trust with the parent (confirmed with the Forests and Trusts console), yet I cannot log in... any reason? (The user does not exist in the parent domain, though it shouldn't need to; the child domain should refer the user to the parent domain and, based on the trust, it should authenticate, right?)

treyresearch.net has a two-way relationship with nepeangroup.net, yet the user cannot log in to that domain? Why is that? What am I missing?
0
Asked by Network_Padawan
3 Solutions
 
markpalinux commented:

Yes, a two-way trust should be in place:
http://technet.microsoft.com/en-us/library/bb727030.aspx

You may need to put the intranet.treyresearch.net user into a treyresearch.net domain user group.

The trust is in place; however, I do not believe users are added to groups automatically. You can look at the "log on locally" right on your workstation, etc.

Mark
0
 
Network_Padawan (Author) commented:
Hi mark,

Are you saying I need to add the user from the child domain to a domain user group in the parent domain?
0
 
Network_Padawan (Author) commented:
I just tried that. In the parent domain, when I go to add the user and try to change the "Location", only treyresearch shows up; I cannot find the intranet.treyresearch domain to be able to select the user.
0

 
shudman commented:
That's because you will only be able to add contacts or other objects from other domains.

What machine are you actually trying to log on to... a DC or a workstation/server? When you say "authenticate"... what actually are you trying to achieve?

You may either have to create a domain local (or universal) group in treyresearch and add your intranet user account to that group. Then, depending on what they are trying to auth with, you may need to create a GPO to allow that domain local/universal group to log on interactively/RDP.
0
 
Americom commented:
You cannot log on to a domain while the user account does not exist in that domain. This is the fact. You can only log on to the domain where the account exists. However, when you access shared resources in another domain, that domain will authenticate you if a trust is established. This is simply by default via a group called Authenticated Users that exists in each domain, which assumes all users in trusted domains are members of it. So logon and authentication are not the same. By default the Authenticated Users group allows all users to have view access to resources such as Active Directory objects. Now, if you have a shared folder and only want to grant access to a specific group which consists of users belonging to both trusted domains, then you should create a domain local group in the domain where your shared resources belong, so that you can add users from another domain to this group and then grant access to this domain local group.
0
 
Network_Padawan (Author) commented:
Hi Americom,

Can I just confirm that a trust relationship is not there to allow a user from one domain to be able to log on to another trusted domain under any circumstances? You're saying that resources can be shared to accounts from trusted domains, but that's about it?

Is this correct?
0
 
markpalinux commented:
Both #1 and #2 should be true. From a previous post it seems like someone was stating users in domain A wouldn't be able to log on to machines in domain B; that should not be the case.
#1)
User accounts in Treyresearch.net would be able to log on to intranet.treyresearch.net (workstations and servers). You have to look at the "log on locally" permissions.

#2)
Likewise, intranet.treyresearch.net users can log on to workstations and servers in the Treyresearch.net domain if the proper "log on locally" rights or group membership is assigned.

Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Also, I would suggest you run dcdiag. Do your two Treyresearch domains have DNS zones replicated to the forest or domain?

You need Visio (you can get a free trial) and this will create a Visio doc showing your domain setup.
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Mark
0
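Mark's two checks above (who holds the "Allow log on locally" / Remote Desktop logon rights on the machine the user is trying to reach, and whether DNS between the domains is healthy) can be scripted. The following PowerShell is an added example written for this thread, not code posted by any participant; it exports the effective user-rights assignment with `secedit`, translates the stored SIDs to names, and reports whether a given trusted-domain group (the name `TREYRESEARCH\Intranet Logon Users` is an assumed placeholder) is listed, then runs the dcdiag DNS test. Run it elevated on the workstation or server that refuses the logon.

```powershell
# Added example (not from the thread). Assumed placeholder principal below;
# replace it with the group you actually granted the logon right to.
param(
    [string]$ExpectedPrincipal = 'TREYRESEARCH\Intranet Logon Users'
)

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the effective local policy; USER_RIGHTS limits it to privileges/rights
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name   = $Matches[1]
        $values = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $rights[$name] = foreach ($v in $values) {
            if ($v -like '*S-1-*') {
                # secedit stores SIDs prefixed with '*'; translate to DOMAIN\Name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($v.TrimStart('*'))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $v }
            } else { $v }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# SeInteractiveLogonRight = "Allow log on locally"
# SeRemoteInteractiveLogonRight = "Allow log on through Remote Desktop Services"
foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    Write-Host "$right :"
    foreach ($p in $rights[$right]) { Write-Host "   $p" }
    if ($rights[$right] -contains $ExpectedPrincipal) {
        Write-Host "   -> $ExpectedPrincipal holds $right"
    } else {
        Write-Host "   -> $ExpectedPrincipal does NOT hold $right (grant it via GPO or local policy)"
    }
}

# Mark's other suggestion: cross-domain logon depends on each domain resolving the
# other's SRV records, so run the dcdiag DNS test on a domain controller.
dcdiag.exe /test:DNS /v
```

An untranslatable SID in the output usually means the machine cannot contact a DC of the domain that owns it, which is itself a trust or DNS symptom worth chasing before touching group membership.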
 
Network_Padawan (Author) commented:
Hi Mark,

At the moment, I have three GC servers, each with their own domain.

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

I created a Universal group in nepeangroup.com and added a bunch of user accounts to it. I went to the intranet DC server and created a shared folder, and when I wanted to give access to this universal group (called "staff"), I was able to browse the nepean domain, but it would not recognise the staff group.

I'm not sure what I am doing wrong.
0
 
shudman commented:
Create the universal group (staff) in intranet, add your users from nepeangroup, and then ACL the share on the DC with the universal group.
0
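The procedure shudman describes here, combined with Americom's point that the group holding cross-domain members belongs in the domain that owns the resource, as an added PowerShell example for this thread (not code from any participant). It assumes the RSAT ActiveDirectory module and SmbShare cmdlets are available on the intranet DC, and uses constructed names: resource domain `intranet.treyresearch.net`, account domain `nepeangroup.com`, group `Staff`, share `StaffShare` at `D:\Shares\Staff`, and sample accounts `jdoe` and `asmith`. It uses Domain Local scope, which Americom recommends for a resource-side group; Universal works as shudman says, but only Domain Local and Universal groups can hold principals from a trusted domain, Global groups cannot.

```powershell
# Added example (not from the thread). All names below are constructed placeholders.
Import-Module ActiveDirectory

$ResourceDomain = 'intranet.treyresearch.net'
$AccountDomain  = 'nepeangroup.com'
$GroupName      = 'Staff'
$ShareName      = 'StaffShare'
$SharePath      = 'D:\Shares\Staff'
$Members        = @('jdoe', 'asmith')   # constructed sample accounts living in nepeangroup.com

# 1. Confirm the trust exists and its direction as seen from the resource domain.
#    For nepeangroup users to be authenticated here, the trust must be Inbound or
#    BiDirectional from this side.
$trust = Get-ADTrust -Filter "Target -eq '$AccountDomain'" -Server $ResourceDomain
if (-not $trust) { throw "No trust from $ResourceDomain to $AccountDomain" }
"Trust to $($trust.Target): direction=$($trust.Direction) forestTransitive=$($trust.ForestTransitive)"

# 2. Create the group in the domain that owns the share.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $ResourceDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Server $ResourceDomain -PassThru
}

# 3. Resolve cross-domain members in THEIR domain and pass the objects. Passing
#    bare names makes Add-ADGroupMember search the group's own domain, where the
#    users do not exist, which is the "cannot find the user" symptom from the thread.
$principals = foreach ($sam in $Members) {
    Get-ADUser -Identity $sam -Server $AccountDomain
}
Add-ADGroupMember -Identity $group -Members $principals -Server $ResourceDomain

# Cross-forest members are stored as Foreign Security Principal references;
# listing the raw 'member' attribute shows the CN=S-1-5-... entries.
(Get-ADGroup -Identity $group -Properties member -Server $ResourceDomain).member

# 4. ACL the share and the folder with the resource-domain group. Users from
#    nepeangroup.com are authenticated by their own domain; authorisation happens here.
$netbios      = (Get-ADDomain -Server $ResourceDomain).NetBIOSName
$groupAccount = "$netbios\$GroupName"

if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $groupAccount | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $groupAccount -AccessRight Change -Force | Out-Null
}

# NTFS: Modify, inherited by subfolders and files (share and NTFS are evaluated together).
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

Get-SmbShareAccess -Name $ShareName
```

The `member` listing in step 3 is the quickest way to see whether the cross-domain add actually took: each trusted-domain user appears as a Foreign Security Principal DN under `CN=ForeignSecurityPrincipals` rather than as a user object in the resource domain.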
 
Network_Padawan (Author) commented:
Thanks Shud, I'll try that tomorrow and post back results. Sorry, I am swamped at the moment with other things.
0
 
Network_Padawan (Author) commented:
Thanks guys. I was able to configure the groups and share access successfully. I apologize for the delay in responding. Appreciated.
0
