Solved

Sharing with a Trusted Connection

Posted on 2011-03-25
Last Modified: 2012-05-11
Hello,

I just created a two way trust between two domains. I received positive results when going through the wizards. One domain is Windows Server 2003 and the other domain is Windows Server 2008. Once my trusts were created, I restarted the DNS Server and Client Services.

In 2k3, I tried to give the administrator from the 2K8 permission to access a share; however, when I try to resolve the name to the correctly chosen domain I cannot give the other admin rights/permissions to my local share. My goal is to give the 2K8 admin full control and receive-as permissions on the Exchange mailbox database (Information Store).

What did I miss, or what do I need to do so that I can give a member from the other domain permissions to a local share or resource?

Thanks,
John
Question by:jhieb
 
LVL 39

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 35219232
Generally, the best practice is to avoid assigning cross-forest permissions directly to users. You'll want to do this with groups using the AGUDLP model. http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3306-Active-Directory-Groups-How-they-Work-and-How-to-Use-Them.html is an article I wrote on managing groups, which has an explanation of the AGUDLP strategy.

If you have only one domain in each forest, you don't need to worry about Universal group Replication, and you can just use global groups in the implementation if you like. But basically here's what you'll want to do:

Create a Global group in the domain that has user accounts that need access across the forest (The account Domain) and add users that need access to it, then create a Domain Local group in the domain that contains the resources the Account Domain needs access to (The Resource Domain). Add the Global group from the Account Domain to the Domain Local group in the Resource Domain. Once that's done, assign permissions to the resources to the Domain Local group in the Resource Domain.

If you have multiple domains in the Account forest, you can use a Universal group that exists in that forest to group Global Groups in all the domains for that forest so you don't have to add numerous groups to the Domain Local group in the resource domain.
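As an added example (not code from the thread or from the article linked above), here is the AGUDLP nesting Adam describes scripted with the ActiveDirectory PowerShell module, assuming a 2008 R2 / RSAT machine; the domain names, NetBIOS name, share path and the user "jdoe" are placeholders.

```powershell
# Added example, not from the thread: AGUDLP across a forest trust with the
# ActiveDirectory PowerShell module (assumes Server 2008 R2 / RSAT; the thread's
# 2003 DC would do the same steps in Active Directory Users and Computers).
$AccountDomain   = 'acct.example.com'    # placeholder: the domain holding the users
$ResourceDomain  = 'res.example.com'     # placeholder: the domain holding the share
$ResourceNetbios = 'RES'                 # placeholder: NetBIOS name of the resource domain
$SharePath       = 'D:\Shares\Migration' # placeholder: local folder behind the share

Import-Module ActiveDirectory

# A -> G: accounts go into a Global group in the Account domain
New-ADGroup -Name 'Migration' -GroupScope Global -GroupCategory Security -Server $AccountDomain
Add-ADGroupMember -Identity 'Migration' -Members 'jdoe' -Server $AccountDomain   # 'jdoe' is a placeholder

# DL: a Domain Local group in the Resource domain is what receives the permission
New-ADGroup -Name 'MigrationTrust' -GroupScope DomainLocal -GroupCategory Security -Server $ResourceDomain

# G -> DL: nest the foreign Global group. The member is looked up against its own
# domain's DC; the resource DC then stores it as a foreign security principal (its SID).
$foreignGroup = Get-ADGroup -Identity 'Migration' -Server $AccountDomain
Add-ADGroupMember -Identity 'MigrationTrust' -Members $foreignGroup -Server $ResourceDomain

# P: the NTFS ACE names only the Domain Local group, never the remote user or group
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$ResourceNetbios\MigrationTrust", 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify: the member attribute should now hold a CN=S-1-5-21-... entry under
# CN=ForeignSecurityPrincipals instead of the object picker failing with "name not found".
(Get-ADGroup -Identity 'MigrationTrust' -Server $ResourceDomain -Properties member).member
```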
 
LVL 1

Author Comment

by:jhieb
ID: 35219289
I have a domain group in W2k8 called Migration. I created a domain local group called MigrationTrust in W2k3. I went to add the w2k8 group to the 2k3 group. I went to add the Migration domain group from the 2k8 domain and went to add members. I select "from this location" and choose the 2k8 domain. Then, I enter the object name "Migration" and the name is not resolved. I receive an error message saying "name not found". This is the same error I was getting when I was setting up a trusted share for an individual user.
 
LVL 39

Expert Comment

by:Adam Brown
ID: 35219296
What is the scope of the group in your W2k8 domain?
 
LVL 1

Author Comment

by:jhieb
ID: 35219311
The group is a Global group, and the Group Type is Security.
 
LVL 39

Expert Comment

by:Adam Brown
ID: 35219319
When creating the trust, did you specify Forest-Wide authentication or Selective Authentication?
 
LVL 1

Author Comment

by:jhieb
ID: 35219325
Forest Wide authentication
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 35219430
Check the properties of the Incoming and Outgoing trusts for each forest to ensure that Forest-wide authentication is actually set on all the trust links. I'm running a test in my own environment and running into the same problem. It's partly due to the fact that I didn't have a zone set up to point to the DNS of the Resource domain in the Account domain when I created the trust. Once I made sure there was a Stub zone in DNS that pointed to a Domain controller in each opposing domain (Resource domain has a Stub zone with a DNS server in the Account domain and vice versa), then deleted and recreated the trust, it worked great, so double check that your DNS settings are working properly. If you are using a Forwarder to provide DNS between forests, I'd recommend changing things so you are using Stub zones instead.
 
LVL 1

Author Comment

by:jhieb
ID: 35219510
The 2K8 server shows the outgoing and incoming wide trust to be Forest.

Maybe the problem is on my 2K3 server. The trust type is External on incoming and outgoing trust. The Authentication is Domain-Wide authentication for both. The Forest functional level is Windows 2000.

Both servers/domains are using my primary domain's DNS server (yes there is a 3rd domain), and then they both point to the 2K8 server for secondary DNS.

I haven't setup a trust since NT 3.5 and that was in a classroom at Sequent. So, all this is really new to me.
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 35219544
Okay, so, part of the problem is that your domains are using a server that is external to their domains for primary DNS. In most situations, you want all of the Domain Controllers in each forest to point to themselves as their Primary DNS server (127.0.0.1). There are a lot of reasons for this. The biggest is because each forest controls the SRV records for their own DNS zone. Those SRV records won't show up in any other forest. SRV Records are used to tell client systems where the AD servers are located. Any DNS servers external to the Domain/Forest should be set up as Forwarders or Stub zones. They shouldn't be configured on the NIC. So check your Primary DNS server. I'm guessing it is not properly configured to manage the DNS of the two other domains. I would highly recommend changing the configuration on your servers so they point to themselves for DNS in the NIC configuration. Once that's done, create a Stub zone for each forest and point it to the DNS server for each forest.
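As an added example (not code from the thread), the DNS and trust checks from Adam's two comments above, run from a DC in the Resource domain with the built-in dnscmd, nslookup and nltest tools; the domain name and IP address are placeholders.

```powershell
# Added example, not from the thread: check the DNS and trust prerequisites from a
# DC in the Resource domain. Domain name and IP address are placeholders.
$AccountDomain = 'acct.example.com'   # placeholder: DNS name of the opposite forest
$AccountDnsIP  = '192.0.2.10'         # placeholder (TEST-NET-2): a DNS server in that forest

# 1. Each DC should list itself (127.0.0.1) as primary DNS on the NIC, not a server
#    from a third domain that never holds this forest's SRV records.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object -Property Description, DNSServerSearchOrder

# 2. Replace the forwarder with a stub zone for the opposite forest. dnscmd.exe is
#    the DNS tool present on both Server 2003 and Server 2008.
dnscmd /ZoneAdd $AccountDomain /Stub $AccountDnsIP
dnscmd /ZoneInfo $AccountDomain

# 3. The SRV records that locate the other forest's DCs must now resolve locally;
#    an empty answer here produces the "name not found" object picker error in the thread.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$AccountDomain" 127.0.0.1

# 4. Enumerate the trust links and verify the secure channel to the other domain.
#    The 2K3 side in the thread shows an External, Domain-wide trust: a forest trust
#    needs both forests at the Windows Server 2003 forest functional level.
nltest /domain_trusts /v
nltest "/sc_verify:$AccountDomain"
```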
 
LVL 1

Author Comment

by:jhieb
ID: 35219626
OK, thanks. I think you have narrowed it down for me. For now, I will have to leave DNS the way it is because I need other resources. Thank you for your help, and this is the help I needed.

I created a fake trust. My goal is to give myself full permissions to both Exchange mailbox databases, and so I just mapped a drive with an account from the 2k3 domain. Exchange is happy on both ends with this.

These two servers are VMware servers, so this is a test environment.
 
LVL 1

Author Closing Comment

by:jhieb
ID: 35219631
Outstanding!