raffie613
Creating a Trust relationship between two separate domains

I am trying to somehow create a trust or "connection" between two different domains. I have a VPN connection between them already.
I want to have location B users be able to access the shared resources on the server at location A. The two locations are actually partnered companies but two separate companies. Both domains are running Windows 2003 DC. What is the best way to do this?
holthd

You will have to set up an External trust. In Domain A you initiate the establishment of a One-way trust (from B to A). When you click Add to open the Trusting domain dialog you enter the FQDN of domain B. Next you share the trust secret/password with a Domain Admin in Domain B and have them establish the trust as well from their side.

More information:
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://technet.microsoft.com/en-us/library/bb727062.aspx#E0RD0AA

-Daniel
raffie613

ASKER

Daniel,
From which interface in AD can I initiate the trust?

Will this allow users from Domain B, to freely access resources on Domain A, even if they are on site at domain A for the day?
Thanks.
Krzysztof Pytko
Check if your DCs from both domains are able to ping each other. Then on each domain's DNS server configure Conditional Forwarders for those domains or create Stub DNS zones. AD is based on DNS and this will be necessary before you are able to create a trust relationship.

After that, open the Active Directory Domains and Trusts management console and under the "Trusts" tab create a two-way trust. Then you will be able to grant users from domain A rights to the resources in domain B and vice versa.

For that I strongly suggest creating Domain Local Groups in each domain and putting global groups from both domains into them for easier management.

How to create DNS Conditional Forwarders or a Stub Zone you can check in the attached guides.

If you have any other questions, do not hesitate to contact me.

Regards,
Krzysztof
DNS-conditional-forwarders.pdf
Configuring-Stub-zone.pdf
Isiek,
Will users from Domain B that are physically visiting on location at domain A be able to use their logon credentials for domain B to log in at Domain A?
Thanks.
No, they still have to log on to domain B, but if you grant them NTFS permissions to network resources they will be able to access them. It could take some time for authentication, so you should consider placing in each domain one domain controller from the other domain to shorten authentication time. For example, in domain A put domain B's DC and in domain B put domain A's DC. Configure the appropriate Site and Subnet for that and everything will be fine.

Krzysztof
Iseik:
What do you mean "grant them NTFS permissions to network resources"? Grant them NTFS permission from where?
When you have folders and files in domainA, you need to add, in those folders'/files' properties under the "Security" tab, user accounts/group accounts from domainB to allow them to access them.

Krzysztof
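An added example (not from the thread, not Microsoft's own scripts) that puts the advice above into a batch script for a Windows 2003 DC in domain A: the DNS prerequisite, a one-way external trust in which A trusts B, and the domain-local-group/NTFS grant. The domain names a.example/b.example, NetBIOS names ALPHA/BRAVO, the IP address, group names and share path are constructed placeholders; netdom is from the Support Tools and icacls needs SP2.

```batch
@echo off
REM Added example, not from the thread: run from a Domain Admin prompt on a
REM DC in domain A (the domain holding the resources). All names below are
REM constructed placeholders.
setlocal
set DOMA=a.example
set DOMB=b.example
set NBA=ALPHA
set NBB=BRAVO
set DCB_IP=10.2.0.10

REM 1. Connectivity over the VPN: the partner DC must answer before anything
REM    else is attempted.
ping -n 2 %DCB_IP% >nul || (echo Partner DC %DCB_IP% unreachable & exit /b 1)

REM 2. Name resolution for the partner domain on A's DNS server: a
REM    conditional forwarder (Windows 2003 SP1+ syntax) or a stub zone.
dnscmd 127.0.0.1 /ZoneAdd %DOMB% /Forwarder %DCB_IP%
REM    Alternative: dnscmd 127.0.0.1 /ZoneAdd %DOMB% /Stub %DCB_IP%
REM    The DC locator must now find a DC of B through DNS; if this fails,
REM    fix DNS first, the trust wizard will fail the same way.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMB% 127.0.0.1
nltest /dsgetdc:%DOMB% || (echo Cannot locate a DC for %DOMB% & exit /b 1)

REM 3. Create the trust. Trusting domain = A, trusted domain = B.
REM    Passwords are prompted for (*). Leave out /twoway unless B must also
REM    publish resources to A. /quarantine:yes keeps SID filtering on, so
REM    only SIDs issued by B are accepted from B's users, which is the right
REM    setting between two separate companies.
netdom trust %DOMA% /d:%DOMB% /add /ud:%NBB%\Administrator /pd:* ^
    /uo:%NBA%\Administrator /po:* /quarantine:yes
netdom trust %DOMA% /d:%DOMB% /verify /ud:%NBB%\Administrator /pd:*

REM 4. Grant access the way the post suggests: a domain local group in A
REM    contains B's global group, and only the local group appears on the
REM    NTFS ACL (read + execute, inherited by subfolders and files).
dsadd group "CN=Projects-Read,OU=Groups,DC=a,DC=example" -scope l -secgrp yes
net localgroup Projects-Read "%NBB%\Projects-Users" /add /domain
icacls "D:\Shares\Projects" /grant "%NBA%\Projects-Read:(OI)(CI)RX"
endlocal
```

Share permissions on the folder still apply on top of the NTFS ACL, so the share itself must also allow the domain local group.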
ok,
So it will see the trusted domain in there.
I will try and let you know.
Thanks.
Iseik:
regarding having users from domain B, be able to log onto Domain A while on site at Domain A, If I have a DC from domain B on site at location Domain A, then would the users from domain B, be able to log on while at Domain A?

Or is the only way, for me to create user accounts on Domain A for those users when they are on location at Domain A?
Thanks.
ASKER CERTIFIED SOLUTION
Krzysztof Pytko
Iseik:
But if I take a DC from domain B and put it in the physical location of Domain A, then a user from the physical location (office) of Domain B should be able to log in to domain B while physically being at location Domain A, since there is a Domain B DC on site, no? Won't the Domain B DC be able to authenticate him?
Yes of course :) because it will be part of an existing domain :) This will increase authentication time on site because the authentication query doesn't have to use the WAN link.

Krzysztof
ok,
So for the Domain B DC that will physically be on site at Domain A, what DNS server do I point it to? Or should I make it its own primary DNS server since it will be doing authentication for any Domain B users?
Thanks.
No no, create an additional DC for domainB and make it a DNS server and Global Catalog, to serve all features on site. But during the server setup process point it to one of the DNS servers for domainB. After DC promotion, point the alternate DNS server to 127.0.0.1 (loopback interface).

Krzysztof
What about DHCP? Do I need to have that configured on it once I move it to the Domain A site? Or can the Domain A DHCP server provide addresses even though it is a different domain?

Also, what about the IP address scheme? Do they need to be on different subnets?
You can simply use the DHCP of the other domain. Configure only a GPO for all clients to provide the DNS suffix list for both domains.
Create new sites and subnets for those new DCs. That's all :)

Krzysztof
"Configure only GPO for all clients to provide DNS suffix list for both domains.
Create new sites and subnets for those new DCs"

You lost me there. Create GPO on which DC? Where in GPO do I find an option to provide DNS suffix list?

Where do I create the new sites and subnets for the new DC (domain B on site at location of domain A)?

Thanks.
OK, try with this guide.

Krzysztof
DNS-suffix-list.pdf
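An added example (not from the thread or the attached guide) covering the branch-DC advice and the DNS suffix list question above: where the GPO setting lives, the registry value it writes, and the checks that show the new domain B DC at site A is being found. a.example, b.example, the host name DCB-SITEA and the site name SiteA-BranchOfB are constructed placeholders.

```batch
@echo off
REM Added example, not from the thread. All names are constructed placeholders.
setlocal
set DOMA=a.example
set DOMB=b.example

REM The GPO setting is Computer Configuration > Administrative Templates >
REM Network > DNS Client > "DNS Suffix Search List" (link the GPO to the OU
REM or domain holding the client computers). On each client it writes the
REM same value as this registry key, so the key is a quick way to test one
REM machine before the GPO is linked:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ^
    /v SearchList /t REG_SZ /d "%DOMB%,%DOMA%" /f
ipconfig /all | findstr /i /c:"Search List"

REM With the suffix list in place, short names from either domain resolve.
ping -n 1 fileserver >nul && echo short name resolved via suffix search list

REM Sites and subnets live in the forest-wide Configuration partition, so
REM they are created once, in Active Directory Sites and Services on any
REM domain B DC: a site for the A office, the A office subnet linked to that
REM site, and the new DC's server object moved into the site. Then confirm
REM that clients on the A LAN place themselves in that site and pick the
REM local DC and GC rather than crossing the VPN:
nltest /dsgetsite
nltest /dsgetdc:%DOMB% /gc /site:SiteA-BranchOfB
REM The new DC itself should answer DNS for domainB once promoted and
REM should list the zone it hosts:
dnscmd DCB-SITEA /EnumZones
endlocal
```

If `nltest /dsgetdc` returns a DC at the other end of the VPN, the subnet-to-site mapping is what to check first.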
ok, but I still do not know at which sites I should create the new sites and subnets for the new DC?


Also, most users wanting to log in at location A while visiting from location B have laptops with XP Pro on them. If I do not want to spend the extra money on a DC to place in each trusted site location for visiting users from other locations to be able to log on, AND I just create them a logon id at Domain A, how will the XP machine allow them to log into Domain A, when the machine is a member of the domain at location B? XP doesn't allow you to log on to two different domains, right?

Thanks.
Would it be easier to just put all these locations under one main domain forest? Is there a way to do that even though they currently exist in separate domains?
Thanks.
Yes of course, that's the most simple way and it's much more convenient in management :)
When you have two-way forest trust you can migrate one domain into another using Microsoft ADMT
http://www.microsoft.com/downloads/en/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en

and read this good Microsoft guide about that process
http://www.microsoft.com/downloads/en/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

Users/Computers/Groups SID history will be saved and nobody would have problem with accessing resources.

Krzysztof
ok,
but since they are really separate companies, if we just do full trusts between them all, then what about the issue that most users wanting to log in at location A while visiting from location B have laptops with XP Pro on them? If I do not want to spend the extra money on a DC to place in each trusted site location for visiting users from other locations to be able to log on, AND I just create them a logon id at Domain A, how will the XP machine allow them to log into Domain A, when the machine is a member of the domain at location B? XP doesn't allow you to log on to two different domains, right?
Thanks.

Krzysztof
I found this on the issue of XP login onto a trusted domain. This says that it CAN be done in a full trust.
It says I should start to see a drop down menu showing both trusted domains. I thought you said it was not possible to logon to a trusted domain and that I had to place a DC in each location for the visiting user to be able to logon?

https://www.experts-exchange.com/questions/26424660/Unable-to-browse-trusted-domain-from-XP-clients.html
Krzysztof
Anything on the XP situation?
thanks.