How to add a domain admin user of one domain to the Domain Admins group of another trusted domain

Hello everyone,

I am trying to add a domain admin of domain 1 to the Domain Admins group of domain 2. I delegated control of Active Directory of domains 1 and 2 to each other's administrator users, but when I try to add the domain admin to the domain admin groups of domain 2, I am unable to find domain 2 listed under Locations.

Mohammed Hamada, Senior IT Consultant, asked:

Joshua Grantom, Senior Systems Administrator, commented:
You cannot add users from another domain to Domain Admins because it is a domain local group and you cannot change it to a Universal group.

What you may be able to do is create a new universal security group, and delegate Domain Admin rights to that group with the delegation wizard.


To allow admins to manage both domains, you usually have to add them to the Enterprise Admins group.

Enterprise Admins allow cross-forest and cross-domain management.
Will Szymkowski, Senior Solution Architect, commented:
What has been said is correct. You cannot add directly to the Domain Admins group in another domain because it is a Domain Local group. You can, however, as Joshua already stated, add the users from the first domain into a group in the second domain. The difference here is that I would not create a Universal group, because it will then be replicated forest-wide using the Global Catalog, which will increase replication.

I personally would use a Global Group because it is more controlled as well because you can only add users and not groups. Having Universal is nice but can be dangerous if you added an entire group to a Domain Admin enabled security group.
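The two replies above both come down to the same procedure: create a security group in domain 2, put the domain 1 admin in it, and grant that group rights. Below is an added PowerShell example of that procedure (not code from any participant in this thread). Domain names, the OU path and the account name are placeholders. It first reads the GroupScope of the built-in groups, which is what decides who can be a member: a Global group accepts only principals from its own domain, a Universal group accepts principals from any domain in the same forest, and a Domain Local group also accepts principals from a separately trusted forest. Because the asker has a forest trust between two separate forests, the example uses Domain Local scope, which goes beyond the specific scopes the replies suggest.

```powershell
# Added example: cross-domain admin group with the ActiveDirectory module.
# All names below are placeholders for the lab described in the question.
Import-Module ActiveDirectory

$resourceDomain = 'domain2.example'                         # placeholder: domain that owns the DCs
$accountDomain  = 'domain1.example'                         # placeholder: trusted domain of the admin account
$groupOU        = 'OU=Admin Groups,DC=domain2,DC=example'   # placeholder OU in domain 2
$groupName      = 'Domain1-Admins'                          # placeholder group name

# 1. Why the direct add fails: read the scope of the built-in groups in domain 2.
#    Domain Admins is a Global group (own-domain members only);
#    Builtin\Administrators is a Domain Local group (trusted-domain members allowed).
Get-ADGroup -Identity 'Domain Admins'  -Server $resourceDomain | Select-Object Name, GroupScope
Get-ADGroup -Identity 'Administrators' -Server $resourceDomain | Select-Object Name, GroupScope

# 2. Create a Domain Local security group in domain 2. This is the one scope that
#    can hold a principal from a separate forest reached over a forest trust.
New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope DomainLocal -GroupCategory Security `
            -Path $groupOU -Server $resourceDomain `
            -Description 'Admins from domain1 granted delegated rights in domain2'

# 3. Resolve the admin account against its own domain to get its SID, then add it
#    by SID using the <SID=...> DN form. AD creates the matching object under
#    CN=ForeignSecurityPrincipals in domain 2 automatically.
$foreignAdmin = Get-ADUser -Identity 'admin1' -Server $accountDomain   # placeholder account
Set-ADGroup -Identity $groupName -Server $resourceDomain `
            -Add @{ member = "<SID=$($foreignAdmin.SID.Value)>" }

# 4. Grant rights by nesting the new group rather than editing Domain Admins.
#    Builtin\Administrators is needed only if the account must administer the DCs
#    themselves (e.g. cluster setup); for anything narrower, delegate an OU ACL instead.
Add-ADGroupMember -Identity 'Administrators' -Members $groupName -Server $resourceDomain

# 5. Verify: the member attribute lists the foreign security principal for the
#    domain 1 account, and the group itself appears inside Administrators.
(Get-ADGroup -Identity $groupName -Properties member -Server $resourceDomain).member
(Get-ADGroup -Identity 'Administrators' -Properties member -Server $resourceDomain).member
```

Step 1 is worth running before creating anything: it shows on the page's own terms why "Locations" never lists the other domain for Domain Admins, and it confirms which built-in group does accept trusted-domain members. Membership in Builtin\Administrators makes the domain 1 account an administrator of every DC in domain 2, so it should be used only where the task needs it, as with the cluster in the follow-up question.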


Mohammed Hamada, Senior IT Consultant (author), commented:
Would that allow me to add both DCs to a failover cluster? I have an FTP server set up on both DCs, and I created a forest trust between them both and validated the trust.

When I try to add both servers to the cluster, it doesn't work and says I don't have administrative rights for the second DC.
Joshua Grantom, Senior Systems Administrator, commented:
If you use an account that is in the Enterprise Admins group, you should have access to both DCs.

Domain Admins only have administrative rights to their specific domain.
Will Szymkowski, Senior Solution Architect, commented:
A forest trust allows you to access resources and manage other domains. You cannot use clustering across different forests. Also, I would NOT be installing an FTP server on your DC; that is a big security risk. Another thing is that a DC has more restrictive security anyway, which will also cause issues if your FTP server is set up to share specific directories.

FTP by default is not secure; you may instead use FTPS/SSL, which will increase security. Also, don't use it on the default port, and put it on another server, not a DC.
Mohammed Hamada, Senior IT Consultant (author), commented:
This is just a lab; it's not going to go further than the local LAN! Thank you all for your comments.
Question has a verified solution.
