Solved

Sharing with a Trusted Connection

Posted on 2011-03-25
11
376 Views
Last Modified: 2012-05-11
Hello,

I just created a two-way trust between two domains. I received positive results when going through the wizards. One domain is Windows Server 2003 and the other domain is Windows Server 2008. Once my trusts were created, I restarted the DNS Server and Client services.

In 2k3, I tried to give the administrator from the 2K8 domain permission to access a share; however, when it tries to resolve the name in the correctly chosen domain, I cannot give the other admin rights/permissions to my local share. My goal is to give the 2K8 admin Full Control and Receive-As permissions on the Exchange mailbox database (Information Store).

What did I miss, or what do I need to do so that I can give a member from the other domain permissions to a local share or resource?

Thanks,
John
0
Question by:jhieb
11 Comments
 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 35219232
Generally, the best practice is to avoid assigning cross-forest permissions directly to users. You'll want to do this with groups using the AGUDLP model. http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3306-Active-Directory-Groups-How-they-Work-and-How-to-Use-Them.html is an article I wrote on managing groups, which has an explanation of the AGUDLP strategy.

If you have only one domain in each forest, you don't need to worry about Universal group Replication, and you can just use global groups in the implementation if you like. But basically here's what you'll want to do:

Create a Global group in the domain that has user accounts that need access across the forest (The account Domain) and add users that need access to it, then create a Domain Local group in the domain that contains the resources the Account Domain needs access to (The Resource Domain). Add the Global group from the Account Domain to the Domain Local group in the Resource Domain. Once that's done, assign permissions to the resources to the Domain Local group in the Resource Domain.

If you have multiple domains in the Account forest, you can use a Universal group that exists in that forest to group Global Groups in all the domains for that forest so you don't have to add numerous groups to the Domain Local group in the resource domain.
0
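The AGUDLP steps from the accepted answer, written out with the ActiveDirectory module as an added example (this is not the answer's or the linked article's code). It assumes a machine with RSAT or a 2008 R2 or later DC to run from, plus placeholder domain names, DC names, OU paths, user names and a share path that you replace with your own:

```powershell
# Added example: A -> G -> DL -> P across a two-way trust.
# Domain names, DC names, OU paths, user names and the share path are assumed placeholders.
Import-Module ActiveDirectory

$AccountDC  = 'dc1.account.example'    # assumed: a DC in the Account Domain (where the users live)
$ResourceDC = 'dc1.resource.example'   # assumed: a DC in the Resource Domain (where the share lives)
$SharePath  = 'D:\Shares\Mailboxes'    # assumed: the local resource being shared

# A -> G: put the accounts that need access into a Global group in the Account Domain.
$global = New-ADGroup -Name 'Migration' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=account,DC=example' -Server $AccountDC -PassThru
Add-ADGroupMember -Identity $global -Members 'jdoe', 'asmith' -Server $AccountDC

# DL: create the Domain Local group in the Resource Domain.
$local = New-ADGroup -Name 'MigrationTrust' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=resource,DC=example' -Server $ResourceDC -PassThru

# G -> DL: nest the foreign Global group. Passing the object fetched from the
# Account Domain's DC (rather than a bare name) lets the resource DC resolve the
# SID through the trust and create the Foreign Security Principal it stores.
$foreign = Get-ADGroup -Identity 'Migration' -Server $AccountDC
Add-ADGroupMember -Identity $local -Members $foreign -Server $ResourceDC

# DL -> P: grant the permission on the resource to the Domain Local group only,
# never to individual accounts from the other forest.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'RESOURCE\MigrationTrust',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify: the member attribute of the Domain Local group holds the Foreign Security
# Principal for the Account Domain group, and the ACL carries only that group.
(Get-ADGroup -Identity 'MigrationTrust' -Server $ResourceDC -Properties member).member
(Get-Acl -Path $SharePath).Access | Where-Object IdentityReference -like '*MigrationTrust'
```

If the `Add-ADGroupMember` step fails to resolve the foreign group, that is the same symptom the object picker shows in the thread, and the place to look is the trust's authentication setting and DNS rather than the group itself.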
 
LVL 1

Author Comment

by:jhieb
ID: 35219289
I have a domain group in W2k8 called Migration. I created a domain local group called MigrationTrust in W2k3. I went to add the W2k8 group to the 2k3 group: I went to add the Migration domain group from the 2k8 domain and went to add members. I select "From this location" and choose the 2k8 domain. Then I enter the object name "Migration" and the name is not resolved. I receive an error message saying "name not found". This is the same error I was getting when I was setting up a trusted share for an individual user.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 35219296
What is the scope of the group in your W2k8 domain?
0

 
LVL 1

Author Comment

by:jhieb
ID: 35219311
The group is a Global group, and the Group Type is Security.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 35219319
When creating the trust, did you specify Forest-Wide authentication or Selective Authentication?
0
 
LVL 1

Author Comment

by:jhieb
ID: 35219325
Forest Wide authentication
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 35219430
Check the properties of the Incoming and Outgoing trusts for each forest to ensure that Forest-wide authentication is actually set on all the trust links. I'm running a test in my own environment and running into the same problem. It's partly due to the fact that I didn't have a zone set up to point to the DNS of the Resource domain in the Account domain when I created the trust. Once I made sure there was a Stub zone in DNS that pointed to a Domain controller in each opposing domain (Resource domain has a Stub zone with a DNS server in the Account domain and vice versa), then deleted and recreated the trust, it worked great, so double check that your DNS settings are working properly. If you are using a Forwarder to provide DNS between forests, I'd recommend changing things so you are using Stub zones instead.
0
 
LVL 1

Author Comment

by:jhieb
ID: 35219510
The 2K8 server shows the outgoing and incoming wide trust to be Forest.

Maybe the problem is on my 2K3 server. The trust type is External on the incoming and outgoing trust. The Authentication is Domain-wide authentication for both. The Forest functional level is Windows 2000.

Both servers/domains are using my primary domain's DNS server (yes, there is a 3rd domain), and then they both point to the 2K8 server for secondary DNS.

I haven't setup a trust since NT 3.5 and that was in a classroom at Sequent. So, all this is really new to me.
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 35219544
Okay, so, part of the problem is that your domains are using a server that is external to their domains for primary DNS. In most situations, you want all of the Domain Controllers in each forest to point to themselves as their Primary DNS server (127.0.0.1). There are a lot of reasons for this. The biggest is because each forest controls the SRV records for their own DNS zone. Those SRV records won't show up in any other forest. SRV Records are used to tell client systems where the AD servers are located. Any DNS servers external to the Domain/Forest should be set up as Forwarders or Stub zones. They shouldn't be configured on the NIC. So check your Primary DNS server. I'm guessing it is not properly configured to manage the DNS of the two other domains. I would highly recommend changing the configuration on your servers so they point to themselves for DNS in the NIC configuration. Once that's done, create a Stub zone for each forest and point it to the DNS server for each forest.
0
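The checks Adam Brown describes in his two assisted answers (trust authentication level on both sides, DCs pointing at themselves for DNS, and stub zones instead of forwarders), collected into one script as an added example that is not the expert's own code. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later, or RSAT), and the DC names, partner zone name and partner DNS address are placeholders:

```powershell
# Added example: verify the trust and DNS prerequisites discussed in the thread.
# DC names, the partner zone and the partner DNS server address are assumed placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$ResourceDC   = 'dc1.resource.example'   # assumed: DC in the forest that owns the share
$AccountDC    = 'dc1.account.example'    # assumed: DC in the forest that owns the accounts
$PartnerZone  = 'account.example'        # assumed: the other forest's DNS zone name
$PartnerDnsIP = '10.0.20.10'             # assumed: a DNS server (DC) in the other forest

# 1. Trust properties as seen from each side. Look for a forest trust that is
#    transitive, two-way, and has SelectiveAuthentication = False (forest-wide)
#    on BOTH sides. A side that reports TrustType External and Domain-wide auth,
#    as the 2K3 server does in the thread, is not the forest trust the other side sees.
foreach ($dc in $ResourceDC, $AccountDC) {
    Get-ADTrust -Filter * -Server $dc |
        Select-Object @{ n = 'QueriedOn'; e = { $dc } }, Name, Direction,
                      ForestTransitive, SelectiveAuthentication, TrustType, IntraForest
}

# 2. DNS client settings on the NIC of the DC this runs on. A DC should list itself
#    (127.0.0.1 or its own address) first, not a DNS server in another domain, so the
#    SRV records of its own zone resolve; other forests are reached via stub zones.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 3. Stub zone for the partner forest, stored in AD and replicated to every DNS
#    server in this forest, in place of a conditional forwarder.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $PartnerZone -MasterServers $PartnerDnsIP -ReplicationScope Forest
}

# 4. Confirm the partner forest's DC locator record now resolves through the stub zone.
#    If this fails, the object picker's "name not found" is a DNS problem, not a group one.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerZone" -Type SRV |
    Select-Object Name, NameTarget, Port
```

Run step 3 once in each forest with the other forest's zone and DNS server, then recreate the trust as the answer suggests, so that both the trust validation and the object picker resolve names over the stub zones rather than over a shared external DNS server.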
 
LVL 1

Author Comment

by:jhieb
ID: 35219626
OK, thanks. I think you have narrowed it down for me. For now, I will have to leave DNS the way it is because I need other resources. Thank you for your help, and this is the help I needed.

I created a fake trust. My goal is to give myself full permissions to both Exchange mailbox databases, and so I just mapped a drive with an account from the 2k3 domain. Exchange is happy on both ends with this.

These two servers are VMware servers, so this is a test environment.
0
 
LVL 1

Author Closing Comment

by:jhieb
ID: 35219631
Outstanding!
0
