Solved

Cross-Domain Share?

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello,
I recently moved our file server to a new server and although everything is properly configured, users from our other domain are no longer able to access the shares.  The users from the other domain have identical usernames and passwords created in the file server's domain.  Before the move to the new server, they were connecting fine without having to specify a username and password, but now it requests authentication for any of the shares.  Share and file permissions are identical to the old server.  Any ideas?

Question by:sthubert
15 Comments
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35183760
What OS was the old server and what OS does the new server have?
0
 

Author Comment

by:sthubert
ID: 35183807
OLD = Windows 2003 Server - Domain Controller
NEW = Windows 2008 Server R2 - Application Server

I managed to get Anonymous Authentication working by enabling the guest account and the local policy "Let everyone permission apply to anonymous users".

But now I still cannot control the security with usernames.  In other words, the user can connect to the share and open all folders that are opened to everyone, but if there are non-inherited permissions set on a subfolder that the user should have access to, it is denied.  So the user is being seen as anonymous rather than as his domain user.
0
 

Author Comment

by:sthubert
ID: 35183846
Just so everyone understands better, because I think I am a little unclear...

Domain 1 = domain1.com
Domain 2 = domain2.com

All users belonging to domain2.com exist in domain1.com with identical username and password.

TestUser is on a workstation in domain2.com and needs to access a shared folder on FileServer1 in domain1.com.

TestUser exists on domain1.com and domain2.com.

There are NO TRUSTS between the domains!
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35183886
Are the users mapping to the file shares?  If so, are they authenticating to the share with domain1\username?
0
 

Author Comment

by:sthubert
ID: 35183906
They are simply connecting to \\FileServer1.domain1.com\share.
I don't want them to have to authenticate at all since their users exist on both domains.  I need transparent authentication.
0
 

Author Comment

by:sthubert
ID: 35183963
It's like when we do file sharing from workgroup to workgroup we create the exact same user on both workstations and the user is able to connect to the share.  In my situation I'm doing domain to domain with exact same users on both domains.
0
 

Author Comment

by:sthubert
ID: 35184001
It used to work but can it be because our old fileserver was on one of our Domain Controllers?
0
 

Author Comment

by:sthubert
ID: 35184045
I just tested creating a share on one of our DC's and it works perfectly.  The user from domain2.com is able to access the share on the DC of domain1.com without providing any credentials.

Is there any way I can get this working on my FileServer that is not a DC?
0
 

Author Comment

by:sthubert
ID: 35184183
Just as I thought.  If I create an identical Local User on FileServer1 the user is then able to access the file shares.  I need this to work without having to create the users locally.  I need my FileServer1 to somehow traverse the authentication to a DC.
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35184236
Just for clarification, why the lack of trust between the domains?  This would remove the need to enter duplicate username on each domain.
0
 

Author Comment

by:sthubert
ID: 35184249
We needed to duplicate the users so that we can all be on the same Exchange server.  So there was no need for a trust between the 2 domains.
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35184261
What are your file sharing permissions set to?  Are you using your file system permissions to govern access?
0
 

Author Comment

by:sthubert
ID: 35184293
I don't know what the results of putting up a trust would be at this point since we have duplicate users on both domains.

I set the share to Everyone -Full and then use NTFS to manage the access.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 35187213
Pass-through authentication only works against the local account database of the target server. In the case of a DC, the "local" account database is the domain user database; that's why it works when you're accessing a share on a DC that way.
There is no way to tell a member server to "redirect" a pass-through user to any other account database.
So that leaves you with four possibilities:
* Promote the file server to a DC (which can create other issues)
* Create local accounts on the file server
* Use a logon script that asks the user for the account information in the other domain:
    net use X: \\Server2008\SomeShare * /user:2008DOMAIN\%Username%
  This is only necessary for the first share; once a secure connection has been established, you can map other drives without logon information.
* The recommended method when doing domain migrations: create a trust. A trust does NOT care about duplicate user names.
0
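An added example, not part of the original thread: a PowerShell check, run on the member file server, that reports whether the Guest account and the "Let Everyone permissions apply to anonymous users" policy mentioned earlier are still enabled, and which identity recent network logons were actually mapped to (anonymous, Guest, a local account as in the pass-through case described in the accepted answer, or a domain account). It assumes an elevated session, PowerShell 2.0 or later, and that logon auditing is writing event 4624 to the Security log; the function names are made up for this example.

```powershell
# Added example (not from the thread). Run elevated on the member file server;
# works with PowerShell 2.0, the version shipped with Windows Server 2008 R2.

function Get-AnonymousAccessState {
    # Built-in Guest = local account whose SID ends in -501 (it may be renamed).
    $guest = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    # "Network access: Let Everyone permissions apply to anonymous users"
    # is stored as EveryoneIncludesAnonymous under the Lsa key (1 = enabled).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Object PSObject -Property @{
        GuestEnabled              = -not $guest.Disabled
        EveryoneIncludesAnonymous = ([int]$lsa.EveryoneIncludesAnonymous -eq 1)
    }
}

function Get-NetworkLogonIdentity {
    param([int]$MaxEvents = 500)
    # Event 4624 = successful logon; LogonType 3 = network logon (share access).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['LogonType'] -ne '3') { continue }
        if ($d['TargetUserSid'] -eq 'S-1-5-7') {
            $kind = 'Anonymous'
        } elseif ($d['TargetUserSid'] -like 'S-1-5-21-*-501') {
            $kind = 'Guest'
        } elseif ($d['TargetDomainName'] -eq $env:COMPUTERNAME) {
            $kind = 'LocalAccount'      # matched the server's own account database
        } else {
            $kind = 'DomainAccount'     # validated by a DC of the server's domain
        }
        New-Object PSObject -Property @{
            Kind    = $kind
            Account = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Source  = $d['IpAddress']
        }
    }
}

Get-AnonymousAccessState | Format-List
Get-NetworkLogonIdentity | Group-Object Kind, Account, Source |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Rows of kind Anonymous or Guest coming from the other domain's workstations mean NTFS permissions granted to named users will not apply to those sessions, which matches the behaviour described in the thread.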
 

Author Comment

by:sthubert
ID: 35190360
Thanks oBdA for the useful info but I used option 5 where I put the 2 shares they required access to on our existing DC temporarily until we migrate everyone to domain1.com.

:)
0
