Two Way Trust Issues?

We have a two way trust in place between 2 domains, Domain A and Domain B. I'm trying to grant permissions for users in Domain B to resources in Domain A. Specifically, I'm trying to add users in Domain B to a group in Domain A. When I attempt to do this using ADUC for Domain A, I double click the group, select Members and then Add. Then I click Locations but Domain B isn't listed.

If I browse to the folder in the file system on Domain A, right click and choose properties, go to Security, click Edit, then Add and then Locations, Domain B is listed. I can add the users individually. This is great except I don't want to add the users individually.

Why can't I add users in Domain B to a group in Domain A?
Asked by CKabs
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Okay, I apologize...
You _have_ to use Domain Local groups in this case, because you are attempting to include users/groups from another forest.
Universal groups would be usable if you only had users/groups in another domain.
Global groups can only include users/groups from the same domain.

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I'm going to guess that the group in Domain A is a Global group.  
You'd normally want to create a 'domain local group' in Domain A, and grant rights to that group.
In Domain B, create a global group, and put all the users you want from Domain B into that global group.  Back in Domain A, add the global group to the domain local group.

What I see many people do is simply create a Universal group in Domain A, assign all the rights to the Universal Group, and put all the users in that same group.

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:

CKabs (Author) commented:
Hi Rich,

Thanks for the info. I'll check out the articles tomorrow. In the meantime, forgive my ignorance but I don't know what a Domain Local Group is. Can I create a Universal Group and add users from the trusted domain to it? That would be easiest. It sounds like I can't add users from the trusted domain to groups in the trusting domain?

CKabs (Author) commented:
I just looked in ADUC and see the 3 different group designations, Universal, Global and Domain Local. I've been making all my groups Global. Is this bad practice? Can I change them to Domain Local now?

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
> I've been making all my groups Global. Is this bad practice.
I've seen a lot of environments where this is the case, because I believe it is the default.  Where you only have a single domain, it essentially makes no difference.  There are a couple recommendations from the design documents, but I've talked to two different Microsoft PFEs over the years, and they've indicated with modern hardware for what I'd consider 'normal sized' implementations... the different groups don't make a lot of difference.  (~100k user objects, thousands of groups.)  
That said, you have to live within the constraints of the groups themselves.  You can't add objects in other domains into your Global groups.  (That is the behaviour you initially noted.)

> Can I change them to Domain Local now?
If you look towards the end of the Group Scope article, you can't change global groups directly into domain local groups.  You can change global groups into universal groups, and universal groups into domain local groups... and I've never had problems going from global to universal... I have seen problems going from universal groups to domain local because it's becoming more restrictive at that point...  At this point, what I usually see folks do is change their global group into a universal group and use that (universal group) as a super group which has all the features of the global group and the domain local... which will work.  There is a slight cost in terms of additional space use in the global catalog using universal groups, so I wouldn't convert all your groups to universal... but it will fix your original problem in this case.  (And I'd keep AGDLP in mind in the future, the next time you're setting up something new, i.e. if you need to create a new group to assign permissions to a share or resource, create a domain local group for that assignment, etc.)

CKabs (Author) commented:
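The scope constraints Rich describes here and in his first reply (a Global group cannot hold principals from another domain, a direct Global to Domain Local conversion is refused, and members from a trusted forest require a Domain Local group) in PowerShell, as an added example that is not code from the thread; the domain names, OU-free group names and the ActiveDirectory module being available on a Domain A admin host are assumptions.

```powershell
# Added example, not code from the thread. Assumed placeholders: domain names,
# the resource group in Domain A and the user group in Domain B.
Import-Module ActiveDirectory

$DomainA       = 'domaina.local'     # trusting domain: owns the share and the resource group
$DomainB       = 'domainb.local'     # trusted domain: owns the user accounts
$ResourceGroup = 'Share-Finance-RW'  # group in Domain A that carries the NTFS/share ACE
$UserGroup     = 'Finance-Users'     # Global group in Domain B that holds the users

# 1. What scope does the resource group have today?
$grp = Get-ADGroup -Identity $ResourceGroup -Server $DomainA
"{0}: scope={1} category={2}" -f $grp.Name, $grp.GroupScope, $grp.GroupCategory

# 2. Global cannot hold principals from another domain, and AD refuses a direct
#    Global -> DomainLocal change, so the path is Global -> Universal -> DomainLocal.
#    (The first step fails if the group is itself a member of a Global group; the
#    second fails if it is a member of a Universal group.)
if ($grp.GroupScope -eq 'Global') {
    Set-ADGroup -Identity $grp -GroupScope Universal -Server $DomainA
    $grp = Get-ADGroup -Identity $grp -Server $DomainA
}
if ($grp.GroupScope -eq 'Universal') {
    # Universal spans the domains of one forest only; a trusted forest needs DomainLocal.
    Set-ADGroup -Identity $grp -GroupScope DomainLocal -Server $DomainA
    $grp = Get-ADGroup -Identity $grp -Server $DomainA
}

# 3. AGDLP: the Global group from Domain B becomes a member of the Domain Local
#    group in Domain A. Across a forest trust AD stores it as a foreign security
#    principal (FSP) object named after the Domain B group's SID.
$ggB = Get-ADGroup -Identity $UserGroup -Server $DomainB
Add-ADGroupMember -Identity $grp -Members $ggB -Server $DomainA

# 4. Verify by member DN rather than with Get-ADGroupMember, which can fail
#    while trying to resolve cross-forest FSPs back to their source objects.
$members = (Get-ADGroup -Identity $grp -Server $DomainA -Properties Member).Member
$members | Where-Object { $_ -like "*CN=ForeignSecurityPrincipals,*" } |
    ForEach-Object { "FSP member: $_  (expect SID $($ggB.SID.Value))" }
```

Permissions on the share are then granted once to the Domain Local group; moving users in or out of the Domain B Global group needs no change in Domain A.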
Hey Rich,

Sorry for the delayed response. Basically, this isn't working. I've converted my Global Group to a Universal Group and that didn't work. Also, if I create a new Universal group this doesn't work. Could we be having some kind of firewall issues? FYI - this is a two way trust over a site to site VPN. When we set the trust up it worked no problem. We haven't done much with it since however. Any thoughts about this being a network issue, an AD issue or anything else? Thanks...

CKabs (Author) commented:
Hey Rich,

Some more info. I just validated the trust. It is in place and active. It is a forest transitive trust.

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
First thought is to make the change to the group type, then at least give it a little time for the change to propagate.  If you've already given it half an hour though, I'd think that'd be sufficient.  I'll need to poke around a little more.  Not certain why it would still be giving you trouble.  (I'm assuming you have sufficient accessible global catalogues.)

CKabs (Author) commented:
Hey Rich,

So I created a test group yesterday and made sure it was a Universal Security group. Just now I went into ADUC, went to the group and clicked on Members. On that tab I clicked Add and then Locations. In Locations I can only see mydomain.local. I don't see myotherdomain.local. I'll keep looking around.

CKabs (Author) commented:
Rich,

I think the issue is the domains aren’t in the same forest. How do I verify that the domains are in the same forest? Being that both Domains are live can they be added to the same forest?

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
The quickest way I can think of to confirm whether the domains are in the same forest would be to run 'netdom query fsmo' on a domain controller in each domain, and see if they are using a common schema master and domain name master.

Try creating a 'domain local' security group, and see if locations don't allow you to see the other domain.  I'm going to have to look again at Universal groups.  It's possible they aren't as friendly as I thought.
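The same-forest check Rich suggests with `netdom query fsmo`, done from PowerShell together with a look at the trust object itself, as an added example that is not code from the thread; domain names are assumed placeholders and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not code from the thread. Domain names are placeholders.
Import-Module ActiveDirectory

$DomainA = 'domaina.local'
$DomainB = 'domainb.local'

# Two domains are in the same forest exactly when they report the same forest
# root and the same (forest-wide) schema master and domain naming master; this
# is what comparing 'netdom query fsmo' output on a DC of each domain shows.
$forestA = Get-ADForest -Server $DomainA
$forestB = Get-ADForest -Server $DomainB

$sameForest = ($forestA.RootDomain -eq $forestB.RootDomain) -and
              ($forestA.SchemaMaster -eq $forestB.SchemaMaster) -and
              ($forestA.DomainNamingMaster -eq $forestB.DomainNamingMaster)
"${DomainA}: forest root $($forestA.RootDomain), schema master $($forestA.SchemaMaster)"
"${DomainB}: forest root $($forestB.RootDomain), schema master $($forestB.SchemaMaster)"
"Same forest: $sameForest"

# Trusts as seen from Domain A. ForestTransitive=True with IntraForest=False is
# a forest trust to a separate forest: Universal groups in A cannot contain
# B's principals, so the resource group in A must be Domain Local.
# SIDFilteringForestAware and SelectiveAuthentication are worth recording too,
# since they bound what a trusted forest's accounts can reach in Domain A.
Get-ADTrust -Filter * -Server $DomainA |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringForestAware

if (-not $sameForest) {
    "Separate forests: use Domain Local groups in $DomainA for resource permissions (AGDLP)."
} else {
    "Same forest: Universal groups in $DomainA can also hold $DomainB principals."
}
```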
Question has a verified solution.
