• Status: Solved
  • Priority: Medium
  • Security: Public

Trusted domains, user authentication issue

Have two forests trusted on a two way trust. My issue is when users try to authenticate to the server in the remote forest they get a message that they don't have authentication permission.
I have used ADUC and added the domain users group of the remote forest to the server and enabled the authentication permission. Afterwards, users can connect to the remote server for a short time. Within a few hours the problem repeats. Then if I check the server permissions, the remote forest group is no longer listed.

Why is it disappearing? How do I stop this from disappearing?

Also the remote server is running Windows Server 2012 R2. The local network is running Windows 2008 R2 as the servers architecture.
Asked:
David Barman
2 Solutions
 
Will SzymkowskiSenior Solution ArchitectCommented:
If you are adding users to a Security Group and then they are disappearing usually around 1 hour this is most likely caused by the AdminSDHolder which runs every hour by default.

See the below
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Will.
0
 
David BarmanAuthor Commented:
Ok.  So how do I prevent it from resetting the permissions?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Sorry I get hundreds of notifications and this one must have got missed. Typically how to get around this is do not add domain admins to other protected groups.

You would have 2 accounts for admins. Example.
Admin-wills and wills. Wills is the regular account and used on a daily basis. This is the account you would use. If you use admin-wills then AdminSDholder will remove it if it's in another protected group.

Will.
0
 
David BarmanAuthor Commented:
What I am doing now is adding the domain users group to the security permissions on the domain controller's properties. Once the group is added, I enable the authentication property. However, the group keeps getting removed.

What should I do differently?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
You will need to do this differently. Domain controllers are part of the protected groups. See below link.
https://technet.microsoft.com/en-ca/magazine/2009.09.sdadminholder.aspx

This is why when you add Domain Users it gets removed.

Will.
0
 
David BarmanAuthor Commented:
Ok.  So what is the recommended process with two trusted forests?  How do you give the other forest authentication permissions on the domain controller?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
You want Domain Users to be able to login to your Domain Controllers? Or you just want them to be able to login to machines using their credentials from the other Forest?

If you simply want domain users from domain B to login to domain A using their normal credentials then all that is required is a Forest Trust.

If you want some users from Domain B to be able to login to Domain A domain controllers then you will need to provide those individual accounts appropriate access.

Will.
0
 
David BarmanAuthor Commented:
I already have a forest trust.  However, they are unable to access any of the shares on the domain controller in the remote forest.  However, if I add the "domain users" group to the domain controller and enable the "authentication" security property, then the remote users can browse to the shares on the server and access those shares.  However, after a short time (1-2 hours), the group is no longer listed in the permissions on the domain controller.   This is my issue.  How do I give the remote users authentication permissions to the domain controller so they can get access to its shares?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
The simple answer to your question is move the Share off of the domain controller. DC's have extra security and adding Domain Users is a bad idea. This is also why AdminSDHolder is removing the permissions after an hour.

This is my issue.  How do I give the remote users authentication permissions to the domain controller so they can get access to its shares?

Do not have Shares on your DC. This is the main issue. If you move them to any other server other than a DC you will be fine.

Will.
0
 
David BarmanAuthor Commented:
Unfortunately it's a one server forest so the shares have to be on that server.  So I guess I need the non-simple answer to get this to work.  Can you help?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Rather than adding domain users to the Share on the DC create a new group and add required users from Domain B into this new group that you create. Because domain users is everyone in the forest, that could be the issue. Give that a shot.

Will.
0
 
David BarmanAuthor Commented:
So create the group in the forest that is local to the users or create the group in the forest that has the DC that we are trying to connect to?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Create a group in the Forest (where your DC/Share is located), then add users from Domain B to this group.

Will.
0
 
David BarmanAuthor Commented:
Ok. Is there a way to force an update to see if the server is going to remove the changes rather than wait a few hours to see what happened?
0
 
David BarmanAuthor Commented:
It's odd.  When I create the group and try to add members to it, it only shows the local forest. However, adding permissions to the DC or the shared folder did show the remote forest.  Are you sure you can add remote forest users to a local AD group?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Yes you can. In my first post reference my link. In the link look at the section "Forcing SDPROP to Run"

Will.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
It has to be a Domain Local Group in order for you to add members of another forest. You would then add this group to the Share.

Will.
0
 
David BarmanAuthor Commented:
Ok.  I was able to create the group.  Now I added the group to the DC permissions and enabled "authentication".  Now just waiting to see if the permission disappears.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Ok sounds good. Like I said you can reference the original link in my first post to speed up the process.

Will.
0
 
David BarmanAuthor Commented:
Ok.  It appears that the group is still in the permission list, however the authentication permission on the group is now gone.
Ideas?
0
 
David BarmanAuthor Commented:
I just reapplied the authentication permission to see if it disappears again.
0
 
David BarmanAuthor Commented:
Correction.  I read it wrong.  The group was NOT there.  So it was removed like before.  There has to be a way to stop this.
What should we try?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Reference the below link which outlines how to remove Groups from the AdminSDHolder.
http://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx

Will.
0
 
David BarmanAuthor Commented:
I am trying another idea right now.  I have just changed the forest trust relationship.  Originally I had set it up as a "selective" authentication on the trust.  I have changed it to "Forest Wide" authentication instead.  With that change, I have removed all added permissions from the domain controller.  So far, the remote users can authenticate and access the shared folders.  Now I want to give it "time" and see if the connection continues to work.
0
 
David BarmanAuthor Commented:
Ok.  Changing the forest trust to a "Forest Wide" mode instead of "selective" mode fixed the issue.  Now the shared folder is accessible and stays accessible.
0
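The three things this thread turns on (the DC computer object being in AdminSDHolder scope, the "Allowed to Authenticate" ACE that Selective Authentication requires, and forcing SDProp to run instead of waiting an hour) can be checked from one script. This is an added example, not code from the thread or from Microsoft; the DC name, forest name and group name are placeholders, and it assumes the ActiveDirectory PowerShell module on a domain-joined admin workstation.

```powershell
# Added example: verify why a foreign principal's "Allowed to Authenticate"
# right on a DC keeps vanishing. Placeholders below stand in for the thread's
# environment and must be replaced.
Import-Module ActiveDirectory

$DcName       = 'DC01'                  # placeholder: the single-server DC
$RemoteForest = 'remote.example'        # placeholder: trusted forest name
$RemoteGroup  = 'REMOTE\Domain Users'   # placeholder: principal that disappears

# Schema GUID of the Allowed-To-Authenticate control access right.
$AllowedToAuthGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Selective vs forest-wide: with SelectiveAuthentication = True every
#    foreign principal needs an explicit ACE on each target computer object.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'"
"Trust {0}: SelectiveAuthentication = {1}" -f $trust.Name, $trust.SelectiveAuthentication

# 2. Domain Controllers is a protected group, so the DC computer object is in
#    AdminSDHolder scope; adminCount = 1 confirms SDProp will rewrite its ACL.
$dc = Get-ADComputer $DcName -Properties adminCount
"{0}: adminCount = {1}" -f $dc.Name, $dc.adminCount

# 3. Is the Allowed-to-Authenticate ACE for the remote group present right now?
$acl = Get-Acl -Path ("AD:\" + $dc.DistinguishedName)
$ace = $acl.Access | Where-Object {
    $_.ObjectType -eq $AllowedToAuthGuid -and
    $_.IdentityReference.Value -eq $RemoteGroup
}
if ($ace) { "Allowed-to-Authenticate ACE present for $RemoteGroup" }
else      { "No Allowed-to-Authenticate ACE for $RemoteGroup (likely reset by SDProp)" }

# 4. Optional: trigger SDProp immediately (rootDSE operational attribute from
#    the "Forcing SDPROP to Run" section of the linked article) so the reset
#    can be observed within minutes rather than after the hourly run.
function Invoke-SDProp {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}
```

If step 1 reports SelectiveAuthentication = False, the ACE in step 3 is no longer needed, which is why the author's switch to forest-wide authentication made the shares stay accessible.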
 
David BarmanAuthor Commented:
My solution resolved the issue.
0