Solved

AD trusts and account login issues

Posted on 2010-11-27
Last Modified: 2012-05-10
I created 3 domains and 2 forests,

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

Upon making all DCs and creating the sites, I created a user in intranet.treyresearch.net and tried to log on with that user to the treyresearch.net domain... could not authenticate. I thought that child domains had an automatic two-way trust with the parent (confirmed with the Forests and Trusts console), yet I cannot log in... any reason? (The user does not exist in the parent domain, though it shouldn't need to; the child domain should refer the user to the parent domain and, based on the trust, should authenticate, right?)

treyresearch.net has a two-way relationship with nepeangroup.net, yet the user cannot log in to that domain? Why is that? What am I missing?
Question by:Network_Padawan
LVL 15

Expert Comment

by:markpalinux
ID: 34224027


Yes, a two-way trust should be in place:
http://technet.microsoft.com/en-us/library/bb727030.aspx


You may need to put the intranet.treyresearch.net user into a treyresearch.net domain user group.

The trust is in place; however, I do not believe users are added to groups automatically. You can look at the "log on locally" right on your workstation, etc.

Mark
 

Author Comment

by:Network_Padawan
ID: 34224030
Hi mark,

Are you saying I need to add the user from the child domain to a domain user group in the parent domain?
 

Author Comment

by:Network_Padawan
ID: 34224087
I just tried that. In the parent domain, when I go to add the user and I try to change the "Location", only treyresearch shows up; I cannot find the intranet.treyresearch domain to be able to select the user.
 
LVL 4

Expert Comment

by:shudman
ID: 34226616
That's because you will only be able to add contacts or other objects from other domains.

What machine are you actually trying to log on to: a DC or a workstation/server? When you say "authenticate", what actually are you trying to achieve?

You may either have to create a domain local (or universal) group in treyresearch and add your intranet user account to that group. Then, depending on what they are trying to auth with, you may need to create a GPO to allow that domain local/universal group to log on interactively/via RDP.
 
LVL 18

Assisted Solution

by:Americom
Americom earned 664 total points
ID: 34226813
You cannot log on to a domain when the user account does not exist in that domain. This is the fact. You can only log on to the domain where the account exists. However, when you access shared resources in another domain, that domain will authenticate you if a trust is established. This is simply by default via a group called the Authenticated Users group that exists in each domain, which all users in trusted domains are assumed to be members of. So logon and authentication are not the same. By default the Authenticated Users group allows all users to have view access to resources such as Active Directory objects. Now, if you have a shared folder and only want to grant access to a specific group which consists of users belonging to both trusted domains, then you should create a domain local group in the domain where your shared resources belong so that you can add users from another domain to this group, then grant access to this domain local group.
 

Author Comment

by:Network_Padawan
ID: 34227519
Hi Americom,

Can I just confirm that a trust relationship is not there to allow a user from one domain to be able to log on to another trusted domain under any circumstances? You're saying that resources can be shared to accounts from trusted domains, but that's about it?

Is this correct?
 
LVL 15

Accepted Solution

by:markpalinux
markpalinux earned 668 total points
ID: 34229360
Both #1 and #2 should be true; from a previous post it seems like someone was stating users in domain A wouldn't be able to log on to machines in domain B, and that should not be the case.

#1) User accounts in Treyresearch.net would be able to log on to intranet.treyresearch.net (workstations and servers). You have to look at the "log on locally" permissions.

#2) Likewise, intranet.treyresearch.net users can log on to workstations and servers in the Treyresearch.net domain if the proper "log on locally" rights or group membership is assigned.


Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Also, I would suggest you run dcdiag. Do your two Treyresearch domains have DNS zones replicated to the forest or to the domain?

You need Visio (you can get a free trial), and this will create a Visio doc showing your domain setup.
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Mark
 

Author Comment

by:Network_Padawan
ID: 34236821
Hi Mark,

At the moment, I have three GC servers each with their own domain.

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

I created a universal group in nepeangroup.com and added a bunch of user accounts to it. I went to the intranet DC server and created a shared folder, and when I wanted to give access to this universal group (called "staff"), I was able to browse the nepean domain, but it would not recognise the staff group.

I'm not sure what I am doing wrong.
 
LVL 4

Assisted Solution

by:shudman
shudman earned 668 total points
ID: 34242400
Create the universal group (staff) in intranet, add your users from nepeangroup, and then ACL the share on the DC with the universal group.
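An added example, not code from the thread, that scripts the resource-domain group pattern the answers above describe (a group in the domain that owns the share, trusted-forest users as members, share and NTFS permissions granted only to that group). It uses a domain local group because nepeangroup.com is a separate forest and only domain local scope can hold members from a trusted external forest; the group name, share path and user names are hypothetical, and it assumes the RSAT ActiveDirectory and SmbShare modules on the intranet.treyresearch.net DC with the forest trust already validated.

```powershell
# Added example, not from the thread. Assumes: run elevated on the
# intranet.treyresearch.net DC that hosts the share, RSAT ActiveDirectory and
# SmbShare modules present, two-way forest trust to nepeangroup.com already
# validated. Group name, share path and user names are hypothetical.
Import-Module ActiveDirectory

$resourceDomain = 'intranet.treyresearch.net'   # domain that owns the share
$accountDomain  = 'nepeangroup.com'             # trusted forest holding the users
$groupName      = 'Staff-Share-RW'              # hypothetical group name
$sharePath      = 'D:\Shares\Staff'             # hypothetical folder
$users          = @('jdoe', 'asmith')           # constructed sAMAccountNames

# 1. Domain local security group in the resource domain. Domain local scope can
#    hold principals from a trusted external forest; a universal group can only
#    contain members of its own forest.
$group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
    -Path 'CN=Users,DC=intranet,DC=treyresearch,DC=net' -Server $resourceDomain -PassThru

# 2. Resolve each user against a DC of the trusted forest and add the object
#    itself (not a bare name); the resource domain stores the membership as a
#    foreign security principal.
foreach ($sam in $users) {
    $u = Get-ADUser -Identity $sam -Server $accountDomain
    Add-ADGroupMember -Identity $group -Members $u -Server $resourceDomain
}

# The ACL cmdlets take DOMAIN\name, so translate the group's SID once.
$ntAccount = $group.SID.Translate([System.Security.Principal.NTAccount]).Value

# 3. NTFS: stop inheriting, then grant only Administrators and the new group.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ntAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $sharePath -AclObject $acl

# 4. Share permissions: Change for the group, Full for Administrators, nothing
#    for Everyone.
New-SmbShare -Name 'Staff' -Path $sharePath -ChangeAccess $ntAccount `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# 5. Check: trusted-forest members appear as DNs under
#    CN=ForeignSecurityPrincipals in the resource domain.
(Get-ADGroup -Identity $group -Properties member -Server $resourceDomain).member
```

If a member shows up only by SID rather than a resolved name, the trust or the DNS resolution between the two forests is the thing to troubleshoot before touching the ACLs again.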
 

Author Comment

by:Network_Padawan
ID: 34254866
Thanks Shud, I'll try that tomorrow and post back results. Sorry, I am swamped at the moment with other things.
 

Author Closing Comment

by:Network_Padawan
ID: 34327613
Thanks guys. I was able to configure the groups and share access successfully. I apologize for the delay in responding. Appreciated.