Solved

How to add domain admin user of different domains to domain admin groups between two different trusted domains

Posted on 2015-01-09
8
3,738 Views
Last Modified: 2015-01-10
Hello everyone,

I am trying to add a domain admin of domain 1 to a domain admins group of domain 2. I delegated control of Active directory of domain 1 and 2 to eachother's administrator users but when I try to add domain admin to admin admin groups of domain 2 I am unable to find the domain 2 listed under Locations.
domain-admins.jpg
0
Comment
Question by:Mohammed Hamada
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 3

Expert Comment

by:Bahloul
ID: 40540176
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 250 total points
ID: 40540244
You cannot add users from another domain to Domain Admins because it is a domain local group and you cannot change it to a Universal group.

What you may be able to do is create a new universal security group, and delegate Domain Admin rights to that group with the delegation wizard.

OR

To allow admins to manage both domains, you usually have to add them to the Enterprise Admins group.

Enterprise Admins allow cross-forest and cross-domain management.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 40540377
What have been said is correct. You cannot add directly to the domain admins group in another domain due to be Domain Local Group. You can however like Joshua already state is add the users from the first domain into a group in the second domain. The difference here is I would not create a Universal Group because this will then be replicated forest wide using Global Catalog which will increase replication.

I personally would use a Global Group because it is more controlled as well because you can only add users and not groups. Having Universal is nice but can be dangerous if you added an entire group to a Domain Admin enabled security group.

Will.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 40540881
Would that allow me to  add both DCs to failover cluster ? I have FTP server setup on both DCs and I created a forest trust between them both and validated trust.

When I try to add both server to the cluster it doesn't work and says I don't have administrative rights for the second DC.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40540900
if you use an account that is in the enterprise admins group, you should have access to both DC's.

Domain Admins only have administrative rights to their specific domain.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540904
Forest trust allow you to access resources and manage other domains. You cannot use clustering across different forests. Also I would NOT be installing an FTP server on your DC big security risk. Another thing is a DC has more restrictive security anyways which will also cause issues with your FTP server is setup to share specific directories.

Will.
0
 
LVL 3

Expert Comment

by:Bahloul
ID: 40540931
FTP by default is not secure otherwise you may use ftps / ssl that will increase the security also don't use it on the default port and make it on another server not DC.
0
 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 40541889
This is just a lab, it's not going to go further than local lan! Thank you all for your comments.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question