Solved

Sharing with a Trusted Connection

Posted on 2011-03-25
Last Modified: 2012-05-11
Hello,

I just created a two-way trust between two domains. I received positive results when going through the wizards. One domain is Windows Server 2003 and the other domain is Windows Server 2008. Once my trusts were created, I restarted the DNS Server and Client services.

In 2k3, I tried to give the administrator from the 2K8 domain permission to access a share; however, when I try to resolve the name against the correctly chosen domain, I cannot give the other admin rights/permissions to my local share. My goal is to give the 2K8 admin Full Control and Receive-As permissions on the Exchange mailbox database (Information Store).

What did I miss, or what do I need to do so that I can give a member from the other domain permissions to a local share or resource?

Thanks,
John
Question by: jhieb

11 Comments
LVL 38

Accepted Solution

by: Adam Brown (earned 500 total points)
Generally, the best practice is to avoid assigning cross-forest permissions directly to users. You'll want to do this with groups using the AGUDLP model. http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3306-Active-Directory-Groups-How-they-Work-and-How-to-Use-Them.html is an article I wrote on managing groups, which has an explanation of the AGUDLP strategy.

If you have only one domain in each forest, you don't need to worry about Universal group Replication, and you can just use global groups in the implementation if you like. But basically here's what you'll want to do:

Create a Global group in the domain that has user accounts that need access across the forest (The account Domain) and add users that need access to it, then create a Domain Local group in the domain that contains the resources the Account Domain needs access to (The Resource Domain). Add the Global group from the Account Domain to the Domain Local group in the Resource Domain. Once that's done, assign permissions to the resources to the Domain Local group in the Resource Domain.

If you have multiple domains in the Account forest, you can use a Universal group that exists in that forest to group Global Groups in all the domains for that forest so you don't have to add numerous groups to the Domain Local group in the resource domain.
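The AGUDLP nesting described above, scripted as an added example (not code from the thread or from the linked article) with the ActiveDirectory module, which needs Server 2008 R2 or later with RSAT rather than the 2003/2008 consoles used in the thread. The domain names, DC names, user names, group names and share path are assumptions.

```powershell
# Added example: A -> G -> DL <- P across a two-way forest trust.
# Every name below is an assumption; substitute your own domains and servers.
Import-Module ActiveDirectory

$accountDC  = 'dc1.account.example.com'    # DC in the forest whose users need access
$resourceDC = 'dc1.resource.example.com'   # DC in the forest that holds the share
$sharePath  = 'D:\Shares\Migration'        # existing folder on a resource-domain server

# A -> G: accounts go into a Global group in the Account domain.
$global = New-ADGroup -Name 'Migration' -GroupScope Global -GroupCategory Security `
    -Server $accountDC -PassThru
Add-ADGroupMember -Identity $global -Members 'alice', 'bob' -Server $accountDC   # constructed users

# G -> DL: a Domain Local group in the Resource domain receives the foreign Global group.
$local = New-ADGroup -Name 'MigrationTrust' -GroupScope DomainLocal -GroupCategory Security `
    -Server $resourceDC -PassThru
# Pass the group object fetched from the Account DC, not a bare name: the Resource DC
# cannot look up 'Migration' on its own (the "name not found" symptom in the thread).
Add-ADGroupMember -Identity $local -Members $global -Server $resourceDC

# Nesting creates a foreignSecurityPrincipal object in the Resource domain; show it.
# (Get-ADGroupMember can choke on FSP members, so read the member attribute directly.)
(Get-ADGroup -Identity $local -Properties member -Server $resourceDC).member

# DL <- P: the share ACL references only the Domain Local group, never the foreign principal.
# Run this part on the file server that hosts $sharePath.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $local.SID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```

Exchange mailbox rights such as Receive-As are granted on the Exchange objects, not the file system, but the same Domain Local group is the principal to use there.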
LVL 1

Author Comment

by: jhieb
I have a domain group in W2k8 called Migration. I created a domain local group called MigrationTrust in W2k3. I went to add the W2k8 group to the 2k3 group: I went to add the Migration domain group from the 2k8 domain and went to add members. I select "From this location" and choose the 2k8 domain. Then I enter the object name "Migration" and the name is not resolved. I receive an error message saying "name not found". This is the same error I was getting when I was setting up a trusted share for an individual user.
LVL 38

Expert Comment

by: Adam Brown
What is the scope of the group in your W2k8 domain?
LVL 1

Author Comment

by: jhieb
The group is a Global group, and the Group Type is Security.
LVL 38

Expert Comment

by: Adam Brown
When creating the trust, did you specify Forest-Wide authentication or Selective Authentication?
LVL 1

Author Comment

by: jhieb
Forest Wide authentication
LVL 38

Assisted Solution

by: Adam Brown (earned 500 total points)
Check the properties of the Incoming and Outgoing trusts for each forest to ensure that Forest-wide authentication is actually set on all the trust links. I'm running a test in my own environment and running into the same problem. It's partly due to the fact that I didn't have a zone set up to point to the DNS of the Resource domain in the Account domain when I created the trust. Once I made sure there was a Stub zone in DNS that pointed to a Domain Controller in each opposing domain (the Resource domain has a Stub zone pointing to a DNS server in the Account domain and vice versa), then deleted and recreated the trust, it worked great, so double check that your DNS settings are working properly. If you are using a Forwarder to provide DNS between forests, I'd recommend changing things so you are using Stub zones instead.
LVL 1

Author Comment

by: jhieb
The 2K8 server shows the outgoing and incoming wide trust to be Forest.

Maybe the problem is on my 2K3 server. The trust type is External on the incoming and outgoing trust. The Authentication is Domain-Wide authentication for both. The Forest functional level is Windows 2000.

Both servers/domains are using my primary domain's DNS server (yes, there is a 3rd domain), and then they both point to the 2K8 server for secondary DNS.

I haven't setup a trust since NT 3.5 and that was in a classroom at Sequent. So, all this is really new to me.
LVL 38

Assisted Solution

by: Adam Brown (earned 500 total points)
Okay, so, part of the problem is that your domains are using a server that is external to their domains for primary DNS. In most situations, you want all of the Domain Controllers in each forest to point to themselves as their Primary DNS server (127.0.0.1). There are a lot of reasons for this. The biggest is because each forest controls the SRV records for their own DNS zone. Those SRV records won't show up in any other forest. SRV Records are used to tell client systems where the AD servers are located. Any DNS servers external to the Domain/Forest should be set up as Forwarders or Stub zones. They shouldn't be configured on the NIC. So check your Primary DNS server. I'm guessing it is not properly configured to manage the DNS of the two other domains. I would highly recommend changing the configuration on your servers so they point to themselves for DNS in the NIC configuration. Once that's done, create a Stub zone for each forest and point it to the DNS server for each forest.
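The trust and DNS checks Adam describes, written as an added example (not the thread's own commands) using the ActiveDirectory, DnsServer and DnsClient modules, which exist on Server 2012 and later rather than on the 2003/2008 systems in the thread. The partner domain name and partner DC address are assumptions; run it on a domain controller.

```powershell
# Added example: verify trust scope, NIC DNS order and the stub zone for the partner forest.
# $partnerDom and $partnerDC are assumptions; substitute your own values.
Import-Module ActiveDirectory, DnsServer

$partnerDom = 'resource.example.com'   # root domain of the other forest (assumed)
$partnerDC  = '192.0.2.10'             # DNS server / DC inside that forest (assumed)

# 1. Trust: a forest trust shows TrustType Forest and ForestTransitive = True.
#    TrustType External with ForestTransitive = False is the 2003-side state jhieb reported.
Get-ADTrust -Filter { Name -eq $partnerDom } |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

# 2. NIC DNS: a DC should query itself first, never a server outside its own forest.
$dns   = (Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object ServerAddresses).ServerAddresses
$myIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if ($dns[0] -notin ($myIPs + '127.0.0.1')) {
    Write-Warning "Primary DNS $($dns[0]) is not this DC; this forest's SRV records may not resolve."
}

# 3. Stub zone: instead of a forwarder, hold a stub zone for the partner forest so its
#    SRV records are answered by that forest's own DNS. Create once, replicated forest-wide.
if (-not (Get-DnsServerZone -Name $partnerDom -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $partnerDom -MasterServers $partnerDC -ReplicationScope Forest
}

# 4. Prove the partner's DC locator record resolves; the object picker's name lookup
#    across the trust depends on exactly this record.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerDom" -Type SRV |
    Select-Object Name, NameTarget, Port
```

Repeat the same steps on a DC in the partner forest with the roles swapped, since each side needs its own stub zone for the other.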
LVL 1

Author Comment

by: jhieb
OK, thanks. I think you have narrowed it down for me. For now, I will have to leave DNS the way it is because I need other resources. Thank you for your help, and this is the help I needed.

I created a fake trust. My goal is to give myself full permissions to both Exchange mailbox databases, and so I just mapped a drive with an account from the 2k3 domain. Exchange is happy on both ends with this.

These two servers are VMware servers, so this is a test environment.
LVL 1

Author Closing Comment

by: jhieb
Outstanding!