Solved

Cross-Domain Share?

Posted on 2011-03-21
Last Modified: 2012-05-11
Hello,
I recently moved our file server to a new server and although everything is properly configured, users from our other domain are no longer able to access the shares. The users from the other domain have identical usernames and passwords created in the file server's domain. Before the move to the new server, they were connecting fine without having to specify a username and password, but now it requests authentication for any of the shares. Share and file permissions are identical to the old server. Any ideas?

Question by:sthubert
15 Comments
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35183760
What OS was the old server and what OS does the new server have?
0
 

Author Comment

by:sthubert
ID: 35183807
OLD = Windows 2003 Server - Domain Controller
NEW = Windows 2008 Server R2 - Application Server

I managed to get Anonymous Authentication working by enabling the guest account and the local policy "Let everyone permission apply to anonymous users".

But now I still cannot control the security with usernames. In other words, the user can connect to the share and open all folders that are opened to everyone, but if there are non-inherited permissions set on a subfolder that the user should have access to, it is denied. So the user is being seen as anonymous rather than as his domain user.
0
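
An added example, not part of the original thread: a Windows PowerShell check, run locally on the file server, that reports whether the two settings named in the comment above (the Guest account and "Let Everyone permissions apply to anonymous users") are active, and which account each current share connection is using. It assumes an elevated session with PowerShell 2.0 or later and WMI available; the function name Get-AnonymousAccessState is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell
# session on the file server. Uses Get-WmiObject so it also works on the
# PowerShell 2.0 that ships with Windows Server 2008 R2.

function Get-AnonymousAccessState {
    # "Network access: Let Everyone permissions apply to anonymous users" is
    # stored as the DWORD EveryoneIncludesAnonymous under the Lsa key (1 = on).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $everyoneAnon = ($lsa.EveryoneIncludesAnonymous -eq 1)

    # The built-in local Guest account keeps a SID ending in -501 even when
    # it has been renamed, so match on the SID rather than on the name.
    $guest = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }

    New-Object PSObject -Property @{
        ComputerName              = $env:COMPUTERNAME
        GuestAccountName          = $guest.Name
        GuestEnabled              = (($guest -ne $null) -and (-not $guest.Disabled))
        EveryoneIncludesAnonymous = $everyoneAnon
    }
}

$state = Get-AnonymousAccessState
$state | Format-List ComputerName, GuestAccountName, GuestEnabled, EveryoneIncludesAnonymous

if ($state.GuestEnabled -and $state.EveryoneIncludesAnonymous) {
    # With both settings on, anything granted to Everyone on a share or in
    # NTFS is reachable by callers the server could not authenticate.
    Write-Warning 'Guest is enabled and Everyone includes anonymous users.'
}
elseif ($state.GuestEnabled -or $state.EveryoneIncludesAnonymous) {
    Write-Warning 'One of the two anonymous-access settings is still enabled.'
}

# Show which account name each open share connection is using, to confirm
# whether remote users arrive under their own identity.
Get-WmiObject -Class Win32_ServerConnection |
    Select-Object ComputerName, UserName, ShareName |
    Format-Table -AutoSize
```
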
 

Author Comment

by:sthubert
ID: 35183846
Just so everyone understands better, because I think I am a little unclear...

Domain 1 = domain1.com
Domain 2 = domain2.com

All users belonging to domain2.com exist in domain1.com with identical username and password.

TestUser is on a workstation in domain2.com and needs to access a shared folder on FileServer1 in domain1.com.

TestUser exists on domain1.com and domain2.com.

There are NO TRUSTS between the domains!
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35183886
Are the users mapping to the file shares?  If so, are they authenticating to the share with domain1\username?
0
 

Author Comment

by:sthubert
ID: 35183906
They are simply connecting to \\FileServer1.domain1.com\share.
I don't want them to have to authenticate at all since their users exist on both domains. I need transparent authentication.
0
 

Author Comment

by:sthubert
ID: 35183963
It's like when we do file sharing from workgroup to workgroup we create the exact same user on both workstations and the user is able to connect to the share.  In my situation I'm doing domain to domain with exact same users on both domains.
0
 

Author Comment

by:sthubert
ID: 35184001
It used to work but can it be because our old fileserver was on one of our Domain Controllers?
0
 

Author Comment

by:sthubert
ID: 35184045
I just tested creating a share on one of our DC's and it works perfectly.  The user from domain2.com is able to access the share on the DC of domain1.com without providing any credentials.

Is there any way I can get this working on my FileServer that is not a DC?
0
 

Author Comment

by:sthubert
ID: 35184183
Just as I thought.  If I create an identical Local User on FileServer1 the user is then able to access the file shares.  I need this to work without having to create the users locally.  I need my FileServer1 to somehow traverse the authentication to a DC.
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35184236
Just for clarification, why the lack of trust between the domains?  This would remove the need to enter duplicate username on each domain.
0
 

Author Comment

by:sthubert
ID: 35184249
We needed to duplicate the users so that we can all be on the same Exchange server. So there was no need for a trust between the 2 domains.
0
 
LVL 2

Expert Comment

by:ReesAssociates
ID: 35184261
What are your file sharing permissions set to?  Are you using your file system permissions to govern access?
0
 

Author Comment

by:sthubert
ID: 35184293
I don't know what the results of putting up a trust would be at this point since we have duplicate users on both domains.

I set the share to Everyone - Full and then use NTFS to manage the access.
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 35187213
Pass-through authentication only works against the local account database of the target server. In the case of a DC, the "local" account database is the domain user database; that's why it works when you're accessing a share on a DC that way.
There is no way to tell a member server to "redirect" a pass-through user to any other account database.
So that leaves you with four possibilities:
* Promote the file server to a DC (which can create other issues).
* Create local accounts on the file server.
* Use a logon script that asks the user for the account information in the other domain:
    net use X: \\Server2008\SomeShare * /user:2008DOMAIN\%Username%
  This is only necessary for the first share; once a secure connection has been established, you can map other drives without logon information.
* The recommended method when doing domain migrations: create a trust. A trust does NOT care about duplicate user names.
0
 

Author Comment

by:sthubert
ID: 35190360
Thanks oBdA for the useful info but I used option 5 where I put the 2 shares they required access to on our existing DC temporarily until we migrate everyone to domain1.com.

:)
0
