Solved

Cross-Domain Share?

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello,
I recently moved our file server to a new server and although everything is properly configured, users from our other domain are no longer able to access the shares. The users from the other domain have identical usernames and passwords created in the file server's domain. Before the move to the new server, they were connecting fine without having to specify a username and password, but now it requests authentication for any of the shares. Share and file permissions are identical to the old server. Any ideas?

Question by:sthubert
15 Comments
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35183760
What OS was the old server and what OS does the new server have?
0
 

Author Comment

by:sthubert
ID: 35183807
OLD = Windows 2003 Server - Domain Controller
NEW = Windows 2008 Server R2 - Application Server

I managed to get Anonymous Authentication working by enabling the guest account and the local policy "Let everyone permission apply to anonymous users".

But now I still cannot control the security with usernames. In other words, the user can connect to the share and open all folders that are opened to everyone, but if there are non-inherited permissions set on a subfolder that the user should have access to, it is denied. So the user is being seen as anonymous rather than as his domain user.
0
 

Author Comment

by:sthubert
ID: 35183846
Just so everyone understands better, because I think I am a little unclear...

Domain 1 = domain1.com
Domain 2 = domain2.com

All users belonging to domain2.com exist in domain1.com with identical username and password.

TestUser is on a workstation in domain2.com and needs to access a shared folder on FileServer1 in domain1.com.

TestUser exists on domain1.com and domain2.com.

There are NO TRUSTS between the domains!
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35183886
Are the users mapping to the file shares?  If so, are they authenticating to the share with domain1\username?
0
 

Author Comment

by:sthubert
ID: 35183906
They are simply connecting to \\FileServer1.domain1.com\share.
I don't want them to have to authenticate at all since their users exist on both domains. I need transparent authentication.
0
 

Author Comment

by:sthubert
ID: 35183963
It's like when we do file sharing from workgroup to workgroup we create the exact same user on both workstations and the user is able to connect to the share.  In my situation I'm doing domain to domain with exact same users on both domains.
0
 

Author Comment

by:sthubert
ID: 35184001
It used to work but can it be because our old fileserver was on one of our Domain Controllers?
0

 

Author Comment

by:sthubert
ID: 35184045
I just tested creating a share on one of our DC's and it works perfectly.  The user from domain2.com is able to access the share on the DC of domain1.com without providing any credentials.

Is there any way I can get this working on my FileServer that is not a DC?
0
 

Author Comment

by:sthubert
ID: 35184183
Just as I thought.  If I create an identical Local User on FileServer1 the user is then able to access the file shares.  I need this to work without having to create the users locally.  I need my FileServer1 to somehow traverse the authentication to a DC.
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35184236
Just for clarification, why the lack of trust between the domains?  This would remove the need to enter duplicate username on each domain.
0
 

Author Comment

by:sthubert
ID: 35184249
We needed to duplicate the users so that we can all be on the same exchange server.  So there was no need for a trust between the 2 domains.
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35184261
What are your file sharing permissions set to?  Are you using your file system permissions to govern access?
0
 

Author Comment

by:sthubert
ID: 35184293
I don't know what the results of putting up a trust would be at this point since we have duplicate users on both domains.

I set the share to Everyone -Full and then use NTFS to manage the access.
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 35187213
Pass-through authentication only works against the local account database of the target server. In the case of a DC, the "local" account database is the domain user database, that's why it works when you're accessing a share on a DC that way.
There is no way to tell a member server to "redirect" a pass-through user to any other account database.
So that leaves you with four possibilities:
* Promote the file server to a DC (which can create other issues)
* Create local accounts on the file server
* Use a logon script that asks the user for the account information in the other domain:
    net use X: \\Server2008\SomeShare * /user:2008DOMAIN\%Username%
  This is only necessary for the first share; once a secure connection has been established, you can map other drives without logon information.
* The recommended method when doing domain migrations: create a trust. A trust does NOT care about duplicate user names.
0
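An added example, not part of the thread or of oBdA's answer: a PowerShell script for the file server that shows which account database validated each network logon, which is the behaviour the accepted answer describes, and reports whether the Guest account and the "Everyone includes anonymous" setting enabled earlier in the thread are still on. The function names are made up for this illustration, and FILESERVER1 and DOMAIN1 are sample values modelled on the thread's names.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (Server 2008 R2).

# Label a network logon by the account database that validated it.
function Get-LogonSource {
    param([string]$User, [string]$Domain, [string]$Server = $env:COMPUTERNAME)
    if ($User -eq 'ANONYMOUS LOGON' -or $User -eq 'Guest') { return 'anonymous/guest' }
    if ($Domain -eq $Server) { return 'local account on the file server' }
    return 'domain account'
}

# Recent successful logons (event 4624), network type (3) only, computer accounts skipped.
# Needs an elevated prompt to read the Security log.
function Get-ShareLogon {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $f = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            if ($f['LogonType'] -ne '3' -or $f['TargetUserName'] -like '*$') { return }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
                Client  = $f['WorkstationName']
                Package = $f['AuthenticationPackageName']
                Source  = Get-LogonSource $f['TargetUserName'] $f['TargetDomainName']
            }
        }
}

# Report the two settings loosened earlier in the thread.
function Get-AnonymousAccessSetting {
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
    New-Object PSObject -Property @{
        EveryoneIncludesAnonymous = ($lsa.EveryoneIncludesAnonymous -eq 1)
        GuestEnabled              = (-not $guest.Disabled)
    }
}

# Constructed sample (not real log data): the three outcomes described in the thread.
$sample = @(
    @{ User = 'Guest';    Domain = 'FILESERVER1' },   # Guest fallback
    @{ User = 'TestUser'; Domain = 'FILESERVER1' },   # matching local account
    @{ User = 'TestUser'; Domain = 'DOMAIN1' }        # explicit /user:DOMAIN\name
)
$sample | ForEach-Object { Get-LogonSource $_.User $_.Domain 'FILESERVER1' }
```

On the server itself, `Get-ShareLogon | Format-Table -AutoSize` lists the live logons and `Get-AnonymousAccessSetting` shows whether either setting is still enabled.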
 

Author Comment

by:sthubert
ID: 35190360
Thanks oBdA for the useful info but I used option 5 where I put the 2 shares they required access to on our existing DC temporarily until we migrate everyone to domain1.com.

:)
0
