User / Group Management across forest trust in AD

Hi there,

I have set up a forest trust between 2 forests: A and B (how obvious).
I can see only the domain local groups and would like to see and add users from the cross forest to global and universal groups since our application distribution system can't work with domain local groups. Is this possible?

The trust is between 2 Windows 2008 R2 domain controllers on Windows 2008 domain and forest level, servers are up to date, on the same network, and DNS connectivity is working.

Can anyone point me in the right direction?

Kind regards,
Ceriel Roland
Netwerkbeheer_AZL asked:
alicain commented:
To confirm, it was a Forest Trust that was created, as opposed to External Trusts?

Are there any firewalls between the domain controllers?

Was the "Forest Wide" or "Selective authentication" option chosen?

Have you "Validated" the trust - does that complete without errors?
http://technet.microsoft.com/en-us/library/cc753821.aspx

What account are you logged on with?  For testing - is it the Administrator account?

Regards,
Alastair.
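The four questions above (forest vs. external trust, firewalls aside, forest-wide vs. selective authentication, and validation) can be answered from the directory itself. The following PowerShell is an added example and is not from this thread or from either participant; it reads the trustedDomain objects with the ActiveDirectory module that ships with Windows Server 2008 R2 (Get-ADTrust only arrived in Server 2012, so it is deliberately not used) and decodes the trustAttributes bits. The domain names corp-a.example and corp-b.example are assumptions standing in for forests A and B.

```powershell
# Added example, not from the thread. Run on a DC or RSAT host in forest A as a member of
# Domain Admins. Assumed names: forest A = corp-a.example, forest B = corp-b.example.
Import-Module ActiveDirectory

# Bit values of the trustAttributes attribute (MS-ADTS 6.1.6.7.9).
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering "quarantine" (external-trust style)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # set only on a *forest* trust, never on an external trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # set when "Selective authentication" was chosen

# Trust objects live in CN=System of the domain naming context.
$trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
    -SearchBase (Get-ADDomain).SystemsContainer `
    -Properties trustPartner, trustDirection, trustAttributes, trustType

foreach ($t in $trusts) {
    $attrs = [int]$t.trustAttributes

    # Forest vs. external: the FOREST_TRANSITIVE bit is the authoritative indicator.
    if ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { $kind = 'Forest' }
    elseif ([int]$t.trustType -eq 2)                     { $kind = 'External (Windows)' }
    else                                                  { $kind = 'Other (non-Windows)' }

    # trustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional, 0 = disabled.
    switch ([int]$t.trustDirection) {
        1       { $direction = 'Inbound' }
        2       { $direction = 'Outbound' }
        3       { $direction = 'Bidirectional' }
        default { $direction = 'Disabled' }
    }

    # Selective authentication blocks users from the partner forest unless they hold
    # "Allowed to Authenticate" on the resource computer; forest-wide does not.
    if ($attrs -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) { $auth = 'Selective' }
    else                                                  { $auth = 'Forest-wide' }

    [pscustomobject]@{
        Partner        = $t.trustPartner
        Kind           = $kind
        Direction      = $direction
        Authentication = $auth
        Transitive     = -not ($attrs -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
        Quarantined    = [bool]($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
    }
}

# The "Validate" button in AD Domains and Trusts is equivalent to exercising the secure channel:
#   netdom trust corp-a.example /domain:corp-b.example /verify
# and the enumeration the DC itself sees can be compared with:
#   nltest /domain_trusts /all_trusts
```

If the Kind column reads External rather than Forest, the symptoms in the thread (only the single partner domain visible, no forest-wide name suffix routing) are expected, and the trust must be recreated as a forest trust rather than repaired.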
Netwerkbeheer_AZL (Author) commented:
Hi Alastair,

It was indeed a Forest Trust with Forest Wide authentication selected.
There are no Firewalls enabled or between the domain controllers.

I did validate the trust and users are visible, domain local groups are working correctly.

I open a group in forest A and want to add a user from Forest B but I can't select the forest after pressing the add button in the group. If I open a domain local group I can add the user without problems.

The user I logged in with and opened the MMC is an Enterprise, Schema and Domain admin in the A domain.

Regards,
Ceriel
alicain commented:
So this sounds like a question of Group Scope; the rules for what objects a group can contain are documented here: http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

I suspect you are attempting to add users from the other forest to a Global Group, which is not possible.

Regards,
Alastair.
Netwerkbeheer_AZL (Author) commented:
Hi Alastair,

True, but it must be possible to add a user to a Universal group?

KR,
Ceriel
Sushil Sonawane commented:
You have to create a domain local security group, make this group a member of the global or universal security group, and then add the domain users.
alicain commented:
The scope for a Universal Group is :
 - Accounts from any domain within the forest in which this Universal Group resides
 - Global groups from any domain within the forest in which this Universal Group resides
 - Universal groups from any domain within the forest in which this Universal Group resides

So no, you cannot put users from Forest B into a Universal Group in Forest A. Using a group in Forest A allows the access to be controlled there and reduces replication, which is important because universal groups replicate throughout the forest.

There is a good white paper "Active Directory Users, Computers, and Groups " , although a little old now : http://technet.microsoft.com/en-us/library/bb727067.aspx

Regards,
Alastair.
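What the scope rules above mean in practice: a principal from Forest B can only be linked to a Domain Local group in Forest A, and the directory represents it there as a foreignSecurityPrincipal object keyed by the account's SID. The following PowerShell is an added example, not code from this thread or from either participant. It checks the target group's scope before touching anything, adds the foreign account by SID through ADSI (the IADsGroup::Add call with a `<SID=...>` binding string, which has the DC create the foreignSecurityPrincipal on first use), and verifies the result by reading the member attribute back rather than through Get-ADGroupMember, which is unreliable on groups that contain foreign security principals. The domain names, the user jdoe and the group names App-Deploy-DL and App-Deploy-U are assumptions.

```powershell
# Added example, not from the thread. Assumed names: forest A domain corp-a.example,
# forest B domain corp-b.example, user 'jdoe' in forest B, and two groups in forest A:
# 'App-Deploy-DL' (DomainLocal) and 'App-Deploy-U' (Universal). Run in forest A as a
# member of Domain Admins with the AD module loaded.
Import-Module ActiveDirectory

function Add-CrossForestMember {
    param(
        [Parameter(Mandatory)][string]$Group,           # sAMAccountName of a group in the local forest
        [Parameter(Mandatory)][string]$Server,          # DNS name of the trusted domain or one of its DCs
        [Parameter(Mandatory)][string]$SamAccountName   # the account in the trusted forest
    )
    $g = Get-ADGroup -Identity $Group -Properties GroupScope

    # Global and Universal groups may only contain principals from their own forest;
    # only a DomainLocal group accepts a principal from a trusted forest. Fail before
    # any write, with the reason, instead of letting the DC reject the modify.
    if ($g.GroupScope -ne 'DomainLocal') {
        throw "Group '$Group' is $($g.GroupScope); a principal from another forest can only be a member of a DomainLocal group."
    }

    # Resolve the account over the trust. On this side of the trust only its SID matters.
    $sid = (Get-ADUser -Identity $SamAccountName -Server $Server).SID.Value

    # IADsGroup::Add with a <SID=...> binding string: the DC creates
    # CN=<SID>,CN=ForeignSecurityPrincipals,<domain> if it does not exist yet and links it
    # into the group's member attribute. The call commits immediately (no SetInfo needed).
    $adsiGroup = [ADSI]"LDAP://$($g.DistinguishedName)"
    $adsiGroup.Add("LDAP://<SID=$sid>")

    # Verify by reading member back; Get-ADGroupMember can fail on groups that hold FSPs.
    $members = (Get-ADGroup -Identity $g -Properties member).member
    $fsp = $members | Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" }
    if (-not $fsp) { throw "SID $sid is not a member of '$Group' after the add" }
    $fsp   # DN of the foreign security principal that now represents the user
}

# Expected: throws at the scope check, before anything is modified.
try   { Add-CrossForestMember -Group 'App-Deploy-U'  -Server 'corp-b.example' -SamAccountName 'jdoe' }
catch { Write-Warning $_ }

# Expected: returns the DN of the foreign security principal linked into the group.
Add-CrossForestMember -Group 'App-Deploy-DL' -Server 'corp-b.example' -SamAccountName 'jdoe'
```

Two practical notes. First, the same Domain Local group also accepts a Global group from Forest B as a member, so the usual design is to keep the Forest B users in a Global group over there and add that one group to the Forest A Domain Local group, which avoids one foreign security principal per user. Second, the Domain Local group cannot then be nested into a Universal or Global group in Forest A to satisfy a consumer that refuses Domain Local groups; whatever reads the membership has to accept the Domain Local group directly.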
Netwerkbeheer_AZL (Author) commented:
Yeah it looks that way.
Not the answer I wanted to hear... :) Thanks for the help all!

To sum it up for other searchers:
You can only make cross forest users member of domain local groups and not of Global or Universal groups.