Sharing with a Trusted Connection

Hello,

I just created a two-way trust between two domains. I received positive results when going through the wizards. One domain is Windows Server 2003 and the other domain is Windows Server 2008. Once my trusts were created, I restarted the DNS Server and Client services.

In 2k3, I tried to give the administrator from the 2K8 domain permission to access a share; however, when it tries to resolve the name to the correctly chosen domain, I cannot give the other admin rights/permissions to my local share. My goal is to give the 2K8 admin full control and receive-as permissions on the Exchange mailbox database (Information Store).

What did I miss, or what do I need to do so that I can give a member from the other domain permissions to a local share or resource?

Thanks,
John
jhieb Asked:

Adam Brown (Sr Solutions Architect) Commented:
Generally, the best practice is to avoid assigning cross-forest permissions directly to users. You'll want to do this with groups using the AGUDLP model. http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3306-Active-Directory-Groups-How-they-Work-and-How-to-Use-Them.html is an article I wrote on managing groups, which has an explanation of the AGUDLP strategy.

If you have only one domain in each forest, you don't need to worry about Universal group Replication, and you can just use global groups in the implementation if you like. But basically here's what you'll want to do:

Create a Global group in the domain that has user accounts that need access across the forest (The account Domain) and add users that need access to it, then create a Domain Local group in the domain that contains the resources the Account Domain needs access to (The Resource Domain). Add the Global group from the Account Domain to the Domain Local group in the Resource Domain. Once that's done, assign permissions to the resources to the Domain Local group in the Resource Domain.

If you have multiple domains in the Account forest, you can use a Universal group that exists in that forest to group Global Groups in all the domains for that forest so you don't have to add numerous groups to the Domain Local group in the resource domain.
0
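The AGUDLP nesting described above, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the thread; the domain names, OU paths, NetBIOS name, share path and user name are assumed placeholders.

```powershell
# Added example: cross-forest AGUDLP nesting over a two-way trust.
# Requires the ActiveDirectory module (RSAT / Server 2008 R2 and later).
# All names below are assumed placeholders for this illustration.
Import-Module ActiveDirectory

$AccountDomain  = 'account.example.local'   # forest holding the users (assumed)
$ResourceDomain = 'resource.example.local'  # forest holding the share (assumed)
$SharePath      = 'D:\Shares\MailboxData'   # resource being protected (assumed)

# 1. Global group in the Account domain; only users go in here.
New-ADGroup -Name 'Migration' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=account,DC=example,DC=local' -Server $AccountDomain
Add-ADGroupMember -Identity 'Migration' -Members 'jdoe' -Server $AccountDomain

# 2. Domain Local group in the Resource domain; this is the only principal
#    that ever appears on the ACL, so the ACL never references the other forest.
New-ADGroup -Name 'MigrationTrust' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=resource,DC=example,DC=local' -Server $ResourceDomain

# 3. Nest the foreign Global group. Querying the Account forest with -Server
#    sidesteps the object picker's name lookup, and writing the member as
#    <SID=...> stores it by SID (a Foreign Security Principal), which is how
#    AD represents principals from another forest.
$foreignGroup = Get-ADGroup -Identity 'Migration' -Server $AccountDomain
Set-ADGroup -Identity 'MigrationTrust' -Server $ResourceDomain `
    -Add @{ member = "<SID=$($foreignGroup.SID.Value)>" }

# 4. Grant NTFS rights to the Domain Local group only ("RESOURCE" is the
#    assumed NetBIOS name of the Resource domain).
icacls $SharePath /grant 'RESOURCE\MigrationTrust:(OI)(CI)F'

# Verification: the member attribute now lists an entry under
# CN=ForeignSecurityPrincipals rather than a DN from the other forest.
(Get-ADGroup -Identity 'MigrationTrust' -Properties member -Server $ResourceDomain).member
```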
 
jhieb (Author) Commented:
I have a domain group in W2k8 called Migration. I created a domain local group called MigrationTrust in W2k3. I went to add the W2k8 group to the 2k3 group. I went to add the Migration domain group from the 2k8 domain and went to add members. I select "From this location" and choose the 2k8 domain. Then I enter the object name "Migration" and the name is not resolved. I receive an error message saying "name not found". This is the same error I was getting when I was setting up a trusted share for an individual user.
0
 
Adam Brown (Sr Solutions Architect) Commented:
What is the scope of the group in your W2k8 domain?
0
jhieb (Author) Commented:
The group is a Global group, and the Group Type is Security.
0
 
Adam Brown (Sr Solutions Architect) Commented:
When creating the trust, did you specify Forest-Wide authentication or Selective Authentication?
0
 
jhieb (Author) Commented:
Forest Wide authentication
0
 
Adam Brown (Sr Solutions Architect) Commented:
Check the properties of the Incoming and Outgoing trusts for each forest to ensure that Forest-wide authentication is actually set on all the trust links. I'm running a test in my own environment and running into the same problem. It's partly due to the fact that I didn't have a zone set up to point to the DNS of the Resource domain in the Account domain when I created the trust. Once I made sure there was a Stub zone in DNS that pointed to a Domain controller in each opposing domain (Resource domain has a Stub zone with a DNS server in the Account domain and vice versa), then deleted and recreated the trust, it worked great, so double check that your DNS settings are working properly. If you are using a Forwarder to provide DNS between forests, I'd recommend changing things so you are using Stub zones instead.
0
 
jhieb (Author) Commented:
The 2K8 server shows the outgoing and incoming trust to be forest-wide.

Maybe the problem is on my 2K3 server. The trust type is External on the incoming and outgoing trust. The authentication is Domain-Wide authentication for both. The forest functional level is Windows 2000.

Both servers/domains are using my primary domain's DNS server (yes, there is a 3rd domain), and then they both point to the 2K8 server for secondary DNS.

I haven't setup a trust since NT 3.5 and that was in a classroom at Sequent. So, all this is really new to me.
0
 
Adam Brown (Sr Solutions Architect) Commented:
Okay, so, part of the problem is that your domains are using a server that is external to their domains for primary DNS. In most situations, you want all of the Domain Controllers in each forest to point to themselves as their Primary DNS server (127.0.0.1). There are a lot of reasons for this. The biggest is because each forest controls the SRV records for their own DNS zone. Those SRV records won't show up in any other forest. SRV Records are used to tell client systems where the AD servers are located. Any DNS servers external to the Domain/Forest should be set up as Forwarders or Stub zones. They shouldn't be configured on the NIC. So check your Primary DNS server. I'm guessing it is not properly configured to manage the DNS of the two other domains. I would highly recommend changing the configuration on your servers so they point to themselves for DNS in the NIC configuration. Once that's done, create a Stub zone for each forest and point it to the DNS server for each forest.
0
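A check script for the DNS prerequisites Adam lists (DCs pointing to themselves, a stub zone per opposing forest, and the other forest's locator SRV records resolvable). This is an added example, not from the thread; it uses only tools that ship with Server 2003/2008, and the domain names and IP address are assumed placeholders.

```powershell
# Added example: verify cross-forest DNS prerequisites from a DC in the
# Resource domain. Names and addresses are assumed placeholders.
$RemoteDomain = 'account.example.local'   # the opposing forest (assumed)
$RemoteDnsIp  = '10.0.1.10'               # a DNS server / DC in that forest (assumed)

# 1. Which DNS servers are on the NIC? A DC should list itself (127.0.0.1 or
#    its own address) first; an external server here means the forest's own
#    _msdcs SRV records may never be found by this DC's clients.
Write-Host '== NIC DNS servers =='
netsh interface ip show dns

# 2. Is there already a stub zone for the other forest? Create one if not.
#    A stub zone holds only the remote zone's NS/SOA/glue records, so this
#    server asks the remote DCs directly instead of trusting a forwarder chain.
Write-Host "== Zones on this server =="
$zones = dnscmd /EnumZones
if (-not ($zones -match [regex]::Escape($RemoteDomain))) {
    Write-Host "No zone for $RemoteDomain; adding stub zone."
    dnscmd /ZoneAdd $RemoteDomain /Stub $RemoteDnsIp
} else {
    Write-Host "Zone for $RemoteDomain already present."
}

# 3. The other forest's DC locator records must resolve through this server.
#    If this returns nothing, the object picker cannot find a DC to query
#    and reports "name not found".
Write-Host "== Locator SRV records for $RemoteDomain =="
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain" 127.0.0.1

# 4. Confirm the DC locator and the trust itself from the Netlogon side.
Write-Host '== DC locator and trust view =='
nltest /dsgetdc:$RemoteDomain
nltest /trusted_domains
```

Run it on a DC in each forest with the roles swapped; both sides need a stub zone and resolvable SRV records for the trust's object picker to work in both directions.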
 
jhieb (Author) Commented:
OK, thanks. I think you have narrowed it down for me. For now, I will have to leave DNS the way it is because I need other resources. Thank you for your help, and this is the help I needed.

I created a fake trust. My goal is to give myself full permissions to both Exchange mailbox databases, and so I just mapped a drive with an account from the 2k3 domain. Exchange is happy on both ends with this.

These two servers are VMware servers, so this is a test environment.
0
 
jhieb (Author) Commented:
Outstanding!
0