Solved

AD trusts and account login issues

Posted on 2010-11-27
11 Comments, 462 Views
Last Modified: 2012-05-10
I created 3 domains and 2 forests,

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

Upon making all DCs and creating the sites, I created a user in intranet.treyresearch.net and tried to log on with that user to the treyresearch.net domain... could not authenticate. I thought that child domains had an automatic two-way trust with the parent (confirmed with the forests and trusts console), yet I cannot log in... any reason? (The user does not exist in the parent domain, though it shouldn't need to; the child domain should refer the user to the parent domain and, based on the trust, it should authenticate, right?)

treyresearch.net has a two-way relationship with nepeangroup.net, yet the user cannot log in to that domain? Why is that? What am I missing?
0
Comment
Question by:Network_Padawan
11 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 34224027


Yes, a two-way trust should be in place:
http://technet.microsoft.com/en-us/library/bb727030.aspx

You may need to put the intranet.treyresearch.net user into a treyresearch.net domain user group.

The trust is in place; however, I do not believe users are added to groups automatically. You can look at the "log on locally" right on your workstation, etc.

Mark
0
 

Author Comment

by:Network_Padawan
ID: 34224030
Hi mark,

Are you saying I need to add the user from the child domain to a domain user group in the parent domain?
0
 

Author Comment

by:Network_Padawan
ID: 34224087
I just tried that. In the parent domain, when I go to add the user and try to change the "Location", only treyresearch shows up; I cannot find the intranet.treyresearch domain to be able to select the user.
0

 
LVL 4

Expert Comment

by:shudman
ID: 34226616
That's because you will only be able to add contacts or other objects from other domains.

What machine are you actually trying to log on to... a DC or a workstation/server? When you say "authenticate"... what actually are you trying to achieve?

You may have to create a domain local (or universal) group in treyresearch and add your intranet user account to that group. Then, depending on what they are trying to authenticate with, you may need to create a GPO to allow that domain local/universal group to log on interactively/via RDP.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 166 total points
ID: 34226813
You cannot log on to a domain when the user account does not exist in that domain. This is the fact. You can only log on to the domain where the account exists. However, when you access shared resources in another domain, that domain will authenticate you if a trust is established. This is simply by default via a group called Authenticated Users, which exists in each domain and which all users in trusted domains are assumed to be members of. So logon and authentication are not the same. By default the Authenticated Users group allows all users to have view access to resources such as Active Directory objects. Now, if you have a shared folder and only want to grant access to a specific group which consists of users belonging to both trusted domains, then you should create a domain local group in the domain where your shared resources belong, so that you can add users from another domain to this group, then grant access to this domain local group.
0
 

Author Comment

by:Network_Padawan
ID: 34227519
Hi Americom,

Can I just confirm that a trust relationship is not there to allow a user from one domain to be able to log on to another trusted domain under any circumstances? You're saying that resources can be shared to accounts from trusted domains, but that's about it?

Is this correct?
0
 
LVL 15

Accepted Solution

by:
markpalinux earned 167 total points
ID: 34229360
Both #1 and #2 should be true; from a previous post it seems like someone was stating users in domain A wouldn't be able to log on to machines in domain B, which should not be the case.

#1)
User accounts in Treyresearch.net would be able to log on to intranet.treyresearch.net (workstations and servers). You have to look at the "log on locally" permissions.

#2)
Likewise, intranet.treyresearch.net users can log on to workstations and servers in the Treyresearch.net domain if the proper "log on locally" rights or group membership is assigned.

Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Also, I would suggest you run dcdiag. Do your two Treyresearch domains have DNS zones replicated to the forest or domain?

You need Visio (you can get a free trial) and this will create a Visio doc showing your domain setup.
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Mark
0
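The accepted answer above asks two checkable questions: is the trust actually in place in both directions, and does the intranet user (or a group it belongs to) hold "Allow log on locally" on the machine being used? The following PowerShell is an added example, not code posted in this thread. It assumes the ActiveDirectory RSAT module (Get-ADTrust requires the Windows Server 2012 or later module) and a session on the workstation or server where the logon fails; the domain names are the ones given in the question.

```powershell
# Added example (not from the thread): verify the trusts and inspect who holds
# "Allow log on locally" on this machine.
Import-Module ActiveDirectory

# 1. Enumerate trusts as each of the three domains sees them. For the parent/child
#    pair you expect IntraForest = True and Direction = BiDirectional.
foreach ($domain in 'treyresearch.net', 'intranet.treyresearch.net', 'nepeangroup.com') {
    Get-ADTrust -Filter * -Server $domain |
        Select-Object @{ n = 'SeenFrom'; e = { $domain } }, Name, Direction, TrustType, ForestTransitive, IntraForest
}

# 2. nltest is built into Windows; the first call lists every trust the local
#    domain knows about, the second checks the secure channel to the child domain.
nltest /domain_trusts /all_trusts
nltest /sc_verify:intranet.treyresearch.net

# 3. Export the effective user-rights assignment on this machine and read
#    SeInteractiveLogonRight, which is "Allow log on locally" in the GPO editor.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }

# The value is a comma-separated list; SIDs are prefixed with '*'. Translate
# each SID to DOMAIN\Name so foreign-domain groups are readable.
$principals = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable SID (e.g. deleted object or broken trust)
    } else { $entry }
}
Remove-Item $cfg

"Allow log on locally on $env:COMPUTERNAME is granted to:"
$principals
```

If the intranet user is not listed, directly or through a group such as BUILTIN\Users, the interactive logon is refused before the trust is ever consulted, which matches the symptom in the question.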
 

Author Comment

by:Network_Padawan
ID: 34236821
Hi Mark,

At the moment, I have three GC servers each with their own domain.

1. Treyresearch.net
2. intranet.treyresearch.net (obvious child domain)
3. Nepeangroup.com

I created a Universal group in nepeangroup.com and added a bunch of user accounts to it. I went onto the intranet DC server and created a shared folder, and when I wanted to give access to this universal group (called "staff"), I was able to browse the nepean domain, but it would not recognise the staff group.

I'm not sure what I am doing wrong.
0
 
LVL 4

Assisted Solution

by:shudman
shudman earned 167 total points
ID: 34242400
Create the universal group (staff) in intranet, add your users from nepeangroup, and then ACL the share on the DC with the universal group.
0
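The two answers above describe the same pattern: create the group in the domain that owns the share, put the trusted-domain users into it, then put only that group on the share's ACL. The following PowerShell is an added example, not code from this thread. It uses a domain local group rather than the universal group shudman names, because a universal group can only contain principals from its own forest and nepeangroup.com is a separate forest here; Americom's answer recommends the domain local scope for exactly this case. It assumes the ActiveDirectory RSAT module, that the command runs on the intranet DC hosting the share, and an OU path `OU=Staff,DC=nepeangroup,DC=com` that is a placeholder for wherever the nepeangroup users actually live.

```powershell
# Added example (not from the thread): resource-domain group, cross-forest
# members, then NTFS and share permissions granted only to that group.
Import-Module ActiveDirectory

$resourceDomain = 'intranet.treyresearch.net'     # domain that owns the share
$userDomain     = 'nepeangroup.com'               # trusted forest the users come from
$userSearchBase = 'OU=Staff,DC=nepeangroup,DC=com' # ASSUMED OU; substitute the real one
$groupName      = 'staff'
$sharePath      = 'C:\Shares\Staff'
$shareName      = 'Staff'

# 1. Create the group in the resource domain. DomainLocal is required: it is the
#    only scope that may contain security principals from another forest.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $resourceDomain
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Path ("CN=Users," + (Get-ADDomain -Server $resourceDomain).DistinguishedName) `
        -Server $resourceDomain -PassThru
}

# 2. Fetch the users from their own domain's DC and pass the objects, so the
#    resource domain stores them as foreign security principals.
$users = Get-ADUser -Filter * -SearchBase $userSearchBase -Server $userDomain
Add-ADGroupMember -Identity $group -Members $users -Server $resourceDomain

# 3. Confirm membership. Cross-forest members show up as
#    CN=<SID>,CN=ForeignSecurityPrincipals,... entries in the member attribute.
(Get-ADGroup -Identity $group -Properties member -Server $resourceDomain).member

# 4. Create the folder, grant the group Modify on NTFS (inherited by files and
#    subfolders), and expose it as a share whose permission is also the group.
$netbios   = (Get-ADDomain -Server $resourceDomain).NetBIOSName
$principal = "$netbios\$groupName"
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
icacls $sharePath /inheritance:r /grant "${principal}:(OI)(CI)M" "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
net share "$shareName=$sharePath" "/GRANT:$principal,CHANGE"

# 5. Show the effective NTFS ACL so the grant can be verified from the console.
(Get-Acl $sharePath).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The `icacls /inheritance:r` call removes the inherited defaults (for example Users:Read from the drive root) so that access to the share depends only on the explicit entries, which is the least-privilege configuration the answers are aiming for.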
 

Author Comment

by:Network_Padawan
ID: 34254866
Thanks Shud, I'll try that tomorrow and post back results. Sorry, I am swamped at the moment with other things.
0
 

Author Closing Comment

by:Network_Padawan
ID: 34327613
Thanks guys. I was able to configure the groups and share access successfully. I apologize for the delay in responding. Appreciated.
0
