Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to add domain admin user of different domains to domain admin groups between two different trusted domains

Posted on 2015-01-09
8
Medium Priority
?
5,059 Views
Last Modified: 2015-01-10
Hello everyone,

I am trying to add a domain admin of domain 1 to a domain admins group of domain 2. I delegated control of Active directory of domain 1 and 2 to eachother's administrator users but when I try to add domain admin to admin admin groups of domain 2 I am unable to find the domain 2 listed under Locations.
domain-admins.jpg
0
Comment
Question by:Mohammed Hamada
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 3

Expert Comment

by:Bahloul
ID: 40540176
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 1000 total points
ID: 40540244
You cannot add users from another domain to Domain Admins because it is a domain local group and you cannot change it to a Universal group.

What you may be able to do is create a new universal security group, and delegate Domain Admin rights to that group with the delegation wizard.

OR

To allow admins to manage both domains, you usually have to add them to the Enterprise Admins group.

Enterprise Admins allow cross-forest and cross-domain management.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1000 total points
ID: 40540377
What have been said is correct. You cannot add directly to the domain admins group in another domain due to be Domain Local Group. You can however like Joshua already state is add the users from the first domain into a group in the second domain. The difference here is I would not create a Universal Group because this will then be replicated forest wide using Global Catalog which will increase replication.

I personally would use a Global Group because it is more controlled as well because you can only add users and not groups. Having Universal is nice but can be dangerous if you added an entire group to a Domain Admin enabled security group.

Will.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 40540881
Would that allow me to  add both DCs to failover cluster ? I have FTP server setup on both DCs and I created a forest trust between them both and validated trust.

When I try to add both server to the cluster it doesn't work and says I don't have administrative rights for the second DC.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40540900
if you use an account that is in the enterprise admins group, you should have access to both DC's.

Domain Admins only have administrative rights to their specific domain.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540904
Forest trust allow you to access resources and manage other domains. You cannot use clustering across different forests. Also I would NOT be installing an FTP server on your DC big security risk. Another thing is a DC has more restrictive security anyways which will also cause issues with your FTP server is setup to share specific directories.

Will.
0
 
LVL 3

Expert Comment

by:Bahloul
ID: 40540931
FTP by default is not secure otherwise you may use ftps / ssl that will increase the security also don't use it on the default port and make it on another server not DC.
0
 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 40541889
This is just a lab, it's not going to go further than local lan! Thank you all for your comments.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question