Solved

Sharing with a Trusted Connection

Posted on 2011-03-25
382 Views
Last Modified: 2012-05-11
Hello,

I just created a two way trust between two domains. I received positive results when going through the wizards. One domain is Windows Server 2003 and the other domain is Windows Server 2008. Once my trusts were created, I restarted the DNS Server and Client Services.

In 2k3, I tried to give the administrator from the 2K8 permission to access a share; however, when it tries to resolve the name to the correctly chosen domain I cannot give the other admin rights/permissions to my local share. My goal is to give the 2K8 admin full control and receive-as permissions on the Exchange mailbox database (Information Store).

What did I miss, or what do I need to do so that I can give a member from the other domain permissions to a local share or resource?

Thanks,
John
Question by:jhieb
11 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 35219232
Generally, the best practice is to avoid assigning cross-forest permissions directly to users. You'll want to do this with groups using the AGUDLP model. http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_3306-Active-Directory-Groups-How-they-Work-and-How-to-Use-Them.html is an article I wrote on managing groups, which has an explanation of the AGUDLP strategy.

If you have only one domain in each forest, you don't need to worry about Universal group Replication, and you can just use global groups in the implementation if you like. But basically here's what you'll want to do:

Create a Global group in the domain that has user accounts that need access across the forest (The account Domain) and add users that need access to it, then create a Domain Local group in the domain that contains the resources the Account Domain needs access to (The Resource Domain). Add the Global group from the Account Domain to the Domain Local group in the Resource Domain. Once that's done, assign permissions to the resources to the Domain Local group in the Resource Domain.

If you have multiple domains in the Account forest, you can use a Universal group that exists in that forest to group Global Groups in all the domains for that forest so you don't have to add numerous groups to the Domain Local group in the resource domain.
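The AGDLP steps above, written out as an added PowerShell example (not code from the answer or from Experts Exchange). It assumes a management host with the RSAT ActiveDirectory module that can reach both domains, and uses placeholder names (account.example, resource.example, the NetBIOS name RESOURCE, a user exchadmin and a share path) that you would replace with your own.

```powershell
# Added example. Placeholder names; replace with your own domains, OUs and share path.
$AccountDomain  = 'account.example'    # forest/domain where the user accounts live
$ResourceDomain = 'resource.example'   # forest/domain where the share lives
$ResourceNetBios = 'RESOURCE'          # NetBIOS name of the resource domain
$ShareRoot      = 'D:\Shares\MigrationData'   # placeholder path on the resource server

# A -> G: put the accounts into a Global group in the Account domain
$global = New-ADGroup -Name 'MigrationUsers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=account,DC=example' -Server $AccountDomain -PassThru
Add-ADGroupMember -Identity $global -Members 'exchadmin' -Server $AccountDomain

# Sanity check: the Resource side must be able to look the foreign group up by SID.
# If this fails, the trust/DNS path is broken (the "name not found" symptom in the thread).
$foreign = Get-ADObject -Filter "objectSid -eq '$($global.SID.Value)'" -Server $AccountDomain
if (-not $foreign) { throw "Cannot resolve $($global.Name) from $AccountDomain via the trust" }

# G -> DL: a Domain Local group in the Resource domain holds the foreign Global group.
# Cross-forest members are added by SID; AD creates a foreignSecurityPrincipal for it.
$local = New-ADGroup -Name 'MigrationTrust' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=resource,DC=example' -Server $ResourceDomain -PassThru
Set-ADGroup -Identity $local -Server $ResourceDomain -Add @{ member = "<SID=$($global.SID.Value)>" }

# DL -> P: permissions on the resource go to the Domain Local group only, never to users
$acl  = Get-Acl -Path $ShareRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$ResourceNetBios\MigrationTrust", 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ShareRoot -AclObject $acl

# Review: the ACE should name the Domain Local group, and its member list should
# show the foreign group as a foreignSecurityPrincipal rather than a direct user.
(Get-Acl -Path $ShareRoot).Access | Where-Object IdentityReference -like "*MigrationTrust"
Get-ADGroupMember -Identity $local -Server $ResourceDomain | Select-Object objectClass, SID
```

Access is then changed by editing group membership in the Account domain, so the share ACL in the Resource domain never has to be touched again.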
 
LVL 1

Author Comment

by:jhieb
ID: 35219289
Have a domain group in W2k8 called Migration. I created a domain local group called MigrationTrust in W2k3. I went to add the w2k8 group to the 2k3 group. I went to add the Migration domain group from the 2k8 domain and went to add members. I select "from this location" and choose the 2k8 domain. Then, I enter the object name "Migration" and the name is not resolved. I receive an error message saying "name not found". This is the same error I was getting when I was setting up a trusted share for an individual user.
 
LVL 41

Expert Comment

by:Adam Brown
ID: 35219296
What is the scope of the group in your W2k8 domain?
 
LVL 1

Author Comment

by:jhieb
ID: 35219311
The group is a Global group, and the Group Type is Security.
 
LVL 41

Expert Comment

by:Adam Brown
ID: 35219319
When creating the trust, did you specify Forest-Wide authentication or Selective Authentication?
 
LVL 1

Author Comment

by:jhieb
ID: 35219325
Forest Wide authentication
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 35219430
Check the properties of the Incoming and Outgoing trusts for each forest to ensure that Forest-wide authentication is actually set on all the trust links. I'm running a test in my own environment and running into the same problem. It's partly due to the fact that I didn't have a zone set up to point to the DNS of the Resource domain in the Account domain when I created the trust. Once I made sure there was a Stub zone in DNS that pointed to a Domain controller in each opposing domain (Resource domain has a Stub zone with a DNS server in the Account domain and vice versa), and then deleted and recreated the trust, it worked great, so double check that your DNS settings are working properly. If you are using a Forwarder to provide DNS between forests, I'd recommend changing things so you are using Stub zones instead.
 
LVL 1

Author Comment

by:jhieb
ID: 35219510
The 2K8 server shows the outgoing and incoming wide trust to be Forest.

Maybe the problem is on my 2K3 server. The trust type is External on incoming and outgoing trust. The Authentication is Domain-Wide authentication for both. The Forest functional level is Windows 2000.

Both servers/domains are using my primary domain's DNS server (yes, there is a 3rd domain), and then they both point to the 2K8 server for secondary DNS.

I haven't setup a trust since NT 3.5 and that was in a classroom at Sequent. So, all this is really new to me.
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 35219544
Okay, so, part of the problem is that your domains are using a server that is external to their domains for primary DNS. In most situations, you want all of the Domain Controllers in each forest to point to themselves as their Primary DNS server (127.0.0.1). There are a lot of reasons for this. The biggest is because each forest controls the SRV records for their own DNS zone. Those SRV records won't show up in any other forest. SRV Records are used to tell client systems where the AD servers are located. Any DNS servers external to the Domain/Forest should be set up as Forwarders or Stub zones. They shouldn't be configured on the NIC. So check your Primary DNS server. I'm guessing it is not properly configured to manage the DNS of the two other domains. I would highly recommend changing the configuration on your servers so they point to themselves for DNS in the NIC configuration. Once that's done, create a Stub zone for each forest and point it to the DNS server for each forest.
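The DNS and trust checks described in the last two answers, as an added PowerShell example (not from the thread). It assumes it is run on a domain controller that is also a DNS server, with the DnsServer, DnsClient and ActiveDirectory modules available (Windows Server 2012 or later, or RSAT), and uses placeholder names: resource.example for the local forest, account.example for the remote forest, 192.0.2.10 for a DNS server in the remote forest and Ethernet for the NIC alias.

```powershell
# Added example. Run on a DC/DNS server in each forest, swapping the placeholders.
$LocalForest  = 'resource.example'
$RemoteForest = 'account.example'
$RemoteDns    = '192.0.2.10'     # placeholder: a DNS server / DC in the remote forest
$Nic          = 'Ethernet'       # placeholder: NIC alias of this DC

# 1. A DC should resolve against itself (the hosting DNS server), not a server outside
#    its forest, so that its own forest's _msdcs SRV records are always found.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses '127.0.0.1'

# 2. The other forest is reached through an AD-integrated stub zone (replicated to every
#    DNS server in this forest) instead of a conditional forwarder.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $RemoteForest -MasterServers $RemoteDns -ReplicationScope Forest
}

# 3. Verify the remote forest's domain-controller locator records now resolve here.
#    If this returns nothing, the trust wizard will also fail to resolve names.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop
$srv | Select-Object Name, NameTarget, Port

# 4. Confirm the trust on this side is a forest (transitive) trust, two-way, and not
#    using Selective Authentication unless that was intended.
Get-ADTrust -Filter "Target -eq '$RemoteForest'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

# 5. Validate the trust's secure channel end to end (netdom ships with the AD DS tools).
netdom trust $LocalForest /domain:$RemoteForest /verify /twoway
```

A trust that reports TrustType External with ForestTransitive False, as in the 2K3 server's properties above, was created as an external domain trust rather than a forest trust; forest trusts also require both forests to be at Windows Server 2003 forest functional level or higher.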
 
LVL 1

Author Comment

by:jhieb
ID: 35219626
OK, thanks. I think you have narrowed it down for me. For now, I will have to leave DNS the way it is because I need other resources. Thank you for your help, and this is the help I needed.

I created a fake trust. My goal is to give myself full permissions to both Exchange mailbox databases, and so I just mapped a drive with an account from the 2k3 domain. Exchange is happy on both ends with this.

These two servers are VMware servers, so this is a test environment.
 
LVL 1

Author Closing Comment

by:jhieb
ID: 35219631
Outstanding!