Solved

Cross-Domain Share?

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello,
I recently moved our file server to a new server and although everything is properly configured, users from our other domain are no longer able to access the shares. The users from the other domain have identical usernames and passwords created in the file server's domain. Before the move to the new server, they were connecting fine without having to specify a username and password, but now it requests authentication for any of the shares. Share and file permissions are identical to the old server. Any ideas?

Question by:sthubert
15 Comments
 
LVL 2

Expert Comment

by:ReesAssociates
What OS was the old server and what OS does the new server have?
0
 

Author Comment

by:sthubert
OLD = Windows 2003 Server - Domain Controller
NEW = Windows 2008 Server R2 - Application Server

I managed to get Anonymous Authentication working by enabling the guest account and the local policy "Let everyone permission apply to anonymous users".

But now I still cannot control the security with usernames. In other words, the user can connect to the share and open all folders that are opened to everyone, but if there are non-inherited permissions set on a subfolder that the user should have access to, it is denied. So the user is being seen as anonymous rather than as his domain user.
0
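
As an added example (not part of the original thread): a PowerShell check an administrator could run on the member file server to see whether the Guest/anonymous workaround described in the comment above is active, and which network sessions were mapped to Guest or ANONYMOUS LOGON rather than a named account. The helper name `Get-Field` and the 1000-event look-back are assumptions made for this example.

```powershell
# Added example. Run elevated on the member file server (PowerShell 2.0 compatible).

# 1. Built-in Guest account, matched by RID 501 so a renamed Guest is still found.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }
$guestEnabled = ($guest -ne $null) -and (-not $guest.Disabled)

# 2. "Network access: Let Everyone permissions apply to anonymous users"
#    is stored as the LSA value EveryoneIncludesAnonymous (1 = enabled).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$anonInEveryone = ($lsa.EveryoneIncludesAnonymous -eq 1)

"Guest account enabled       : $guestEnabled"
"Everyone includes anonymous : $anonInEveryone"

# 3. Recent network logons (event 4624, logon type 3) that were mapped to
#    Guest (RID 501) or ANONYMOUS LOGON (S-1-5-7) instead of a named account.
function Get-Field($xml, $name) {   # hypothetical helper: read one EventData field
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$maxEvents = 1000   # assumption: arbitrary look-back window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $maxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            LogonType = Get-Field $x 'LogonType'
            Sid       = Get-Field $x 'TargetUserSid'
            Account   = Get-Field $x 'TargetUserName'
            Source    = Get-Field $x 'IpAddress'
            Client    = Get-Field $x 'WorkstationName'
        }
    } |
    Where-Object { $_.LogonType -eq '3' -and
                   ($_.Sid -eq 'S-1-5-7' -or $_.Sid -like 'S-1-5-21-*-501') } |
    Select-Object Time, Account, Client, Source |
    Format-Table -AutoSize
```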
 

Author Comment

by:sthubert
Just so everyone understands better, because I think I am a little unclear...

Domain 1 = domain1.com
Domain 2 = domain2.com

All users belonging to domain2.com exist in domain1.com with identical username and password.

TestUser is on a workstation in domain2.com and needs to access a shared folder on FileServer1 in domain1.com.

TestUser exists on domain1.com and domain2.com.

There are NO TRUSTS between the domains!
0
 
LVL 2

Expert Comment

by:ReesAssociates
Are the users mapping to the file shares?  If so, are they authenticating to the share with domain1\username?
0
 

Author Comment

by:sthubert
They are simply connecting to \\FileServer1.domain1.com\share.
I don't want them to have to authenticate at all since their users exist on both domains. I need transparent authentication.
0
 

Author Comment

by:sthubert
It's like when we do file sharing from workgroup to workgroup we create the exact same user on both workstations and the user is able to connect to the share.  In my situation I'm doing domain to domain with exact same users on both domains.
0
 

Author Comment

by:sthubert
It used to work but can it be because our old fileserver was on one of our Domain Controllers?
0

Author Comment

by:sthubert
I just tested creating a share on one of our DCs and it works perfectly. The user from domain2.com is able to access the share on the DC of domain1.com without providing any credentials.

Is there any way I can get this working on my FileServer that is not a DC?
0
 

Author Comment

by:sthubert
Just as I thought.  If I create an identical Local User on FileServer1 the user is then able to access the file shares.  I need this to work without having to create the users locally.  I need my FileServer1 to somehow traverse the authentication to a DC.
0
 
LVL 2

Expert Comment

by:ReesAssociates
Just for clarification, why the lack of trust between the domains?  This would remove the need to enter duplicate username on each domain.
0
 

Author Comment

by:sthubert
We needed to duplicate the users so that we can all be on the same Exchange server. So there was no need for a trust between the 2 domains.
0
 
LVL 2

Expert Comment

by:ReesAssociates
What are your file sharing permissions set to?  Are you using your file system permissions to govern access?
0
 

Author Comment

by:sthubert
I don't know what the results of putting up a trust would be at this point since we have duplicate users on both domains.

I set the share to Everyone - Full and then use NTFS to manage the access.
0
 
LVL 82

Accepted Solution

by:oBdA (earned 500 total points)
Pass-through authentication only works against the local account database of the target server. In the case of a DC, the "local" account database is the domain user database; that's why it works when you're accessing a share on a DC that way.
There is no way to tell a member server to "redirect" a pass-through user to any other account database.
So that leaves you with four possibilities:
* Promote the file server to a DC (which can create other issues)
* Create local accounts on the file server
* Use a logon script that asks the user for the account information in the other domain:
    net use X: \\Server2008\SomeShare * /user:2008DOMAIN\%Username%
  This is only necessary for the first share; once a secure connection has been established, you can map other drives without logon information.
* The recommended method when doing domain migrations: create a trust. A trust does NOT care about duplicate user names.
0
 

Author Comment

by:sthubert
Thanks oBdA for the useful info, but I used option 5, where I put the 2 shares they required access to on our existing DC temporarily until we migrate everyone to domain1.com.

:)
0
