Trusted domains, user authentication issue

I have two forests joined by a two-way trust. My issue is that when users try to authenticate to the server in the remote forest, they get a message that they don't have authentication permission.
I have used ADUC to add the Domain Users group of the remote forest to the server and enabled the authentication permission. Afterwards, users can connect to the remote server for a short time. Within a few hours the problem repeats, and if I check the server permissions, the remote forest group is no longer listed.

Why is it disappearing? How do I stop this from disappearing?

Also, the remote server is running Windows Server 2012 R2. The local network is running Windows Server 2008 R2 as the server architecture.

Asked by David Barman
Will Szymkowski (Senior Solution Architect) commented:
If you are adding users to a security group and they are disappearing after about an hour, this is most likely caused by AdminSDHolder, which runs every hour by default.

See the link below:
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Will.
David Barman (Author) commented:
Ok. So how do I prevent it from resetting the permissions?
Will Szymkowski (Senior Solution Architect) commented:
Sorry, I get hundreds of notifications and this one must have been missed. Typically the way to get around this is to not add domain admins to other protected groups.

You would have two accounts for admins. Example:
Admin-wills and wills. Wills is the regular account, used on a daily basis. This is the account you would use. If you use admin-wills, then AdminSDHolder will remove it if it's in another protected group.

Will.
David Barman (Author) commented:
What I am doing now is adding the Domain Users group to the security permissions on the domain controller's properties. Once the group is added, I enable the authentication property. However, the group keeps getting removed.

What should I do differently?
Will Szymkowski (Senior Solution Architect) commented:
You will need to do this differently. Domain controllers are part of the protected groups. See the link below:
https://technet.microsoft.com/en-ca/magazine/2009.09.sdadminholder.aspx

This is why, when you add Domain Users, it gets removed.

Will.
David Barman (Author) commented:
Ok. So what is the recommended process with two trusted forests? How do you give the other forest authentication permissions on the domain controller?
Will Szymkowski (Senior Solution Architect) commented:
Do you want Domain Users to be able to log in to your domain controllers? Or do you just want them to be able to log in to machines using their credentials from the other forest?

If you simply want domain users from Domain B to log in to Domain A using their normal credentials, then all that is required is a forest trust.

If you want some users from Domain B to be able to log in to Domain A domain controllers, then you will need to give those individual accounts the appropriate access.

Will.
David Barman (Author) commented:
I already have a forest trust. However, they are unable to access any of the shares on the domain controller in the remote forest. If I add the "Domain Users" group to the domain controller and enable the "authentication" security property, then the remote users can browse to the shares on the server and access them. However, after a short time (1-2 hours), the group is no longer listed in the permissions on the domain controller. This is my issue. How do I give the remote users authentication permissions to the domain controller so they can get access to its shares?
Will Szymkowski (Senior Solution Architect) commented:
The simple answer to your question is to move the share off the domain controller. DCs have extra security, and adding Domain Users is a bad idea. This is also why AdminSDHolder is removing the permissions after an hour.

"This is my issue. How do I give the remote users authentication permissions to the domain controller so they can get access to its shares."

Do not have shares on your DC. This is the main issue. If you move them to any server other than a DC, you will be fine.

Will.
David Barman (Author) commented:
Unfortunately, it's a one-server forest, so the shares have to be on that server. So I guess I need the non-simple answer to get this to work. Can you help?
Will Szymkowski (Senior Solution Architect) commented:
Rather than adding Domain Users to the share on the DC, create a new group and add the required users from Domain B to this new group. Because Domain Users is everyone in the forest, that could be the issue. Give that a shot.

Will.
David Barman (Author) commented:
So do I create the group in the forest that is local to the users, or in the forest that has the DC we are trying to connect to?
Will Szymkowski (Senior Solution Architect) commented:
Create a group in the forest where your DC/share is located, then add users from Domain B to this group.

Will.
David Barman (Author) commented:
Ok. Is there a way to force an update to see if the server is going to remove the changes, rather than waiting a few hours to see what happened?
David Barman (Author) commented:
It's odd. When I create the group and try to add members to it, it only shows the local forest. However, adding permissions to the DC or the shared folder did show the remote forest. Are you sure you can add remote forest users to a local AD group?
Will Szymkowski (Senior Solution Architect) commented:
Yes, you can. In my first post, reference my link. In the link, look at the section "Forcing SDPROP to Run".

Will.
Will Szymkowski (Senior Solution Architect) commented:
It has to be a domain local group in order for you to add members of another forest. You would then add this group to the share.

Will.
David Barman (Author) commented:
Ok. I was able to create the group. Now I have added the group to the DC permissions and enabled "authentication". Now I'm just waiting to see if the permission disappears.
Will Szymkowski (Senior Solution Architect) commented:
Ok, sounds good. Like I said, you can reference the original link in my first post to speed up the process.

Will.
David Barman (Author) commented:
Ok. It appears that the group is still in the permission list; however, the authentication permission on the group is now gone.
Ideas?
David Barman (Author) commented:
I just reapplied the authentication permission to see if it disappears again.
David Barman (Author) commented:
Correction. I read it wrong. The group was NOT there, so it was removed like before. There has to be a way to stop this.
What should we try?
Will Szymkowski (Senior Solution Architect) commented:
Reference the link below, which outlines how to remove groups from AdminSDHolder protection.
http://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx

Will.
David Barman (Author) commented:
I am trying another idea right now. I have just changed the forest trust relationship. Originally I had set it up with "selective" authentication on the trust. I have changed it to "forest-wide" authentication instead. With that change, I have removed all added permissions from the domain controller. So far, the remote users can authenticate and access the shared folders. Now I want to give it time and see if the connection continues to work.
David Barman (Author) commented:
Ok. Changing the forest trust to "forest-wide" mode instead of "selective" mode fixed the issue. Now the shared folder is accessible and stays accessible.
David Barman (Author) commented:
My solution resolved the issue.
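As an added example (not posted in the thread), this PowerShell audits the two settings the thread turns on: whether the forest trust uses selective authentication, whether the DC's computer object is protected by AdminSDHolder (adminCount=1, the reason ACEs placed directly on it are reset hourly), and which principals currently hold the "Allowed to Authenticate" right on it; it also triggers SDPROP immediately, the "Forcing SDPROP to Run" step from the linked article. It assumes the RSAT ActiveDirectory module is installed; the computer name DC01 is a placeholder.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and rights to read the DC computer object's security descriptor.
Import-Module ActiveDirectory

# Schema GUID of the Allowed-To-Authenticate control access right.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-TrustAuthMode {
    # SelectiveAuthentication = True means every resource computer needs an
    # explicit "Allowed to Authenticate" ACE for the trusted forest's users;
    # False (forest-wide) means no per-computer ACE is needed.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
}

function Test-ProtectedByAdminSDHolder {
    param([Parameter(Mandatory)][string]$ComputerName)
    # adminCount=1 marks objects whose security descriptor SDPROP rewrites from
    # AdminSDHolder every 60 minutes; domain controllers are among them.
    $c = Get-ADComputer -Identity $ComputerName -Properties adminCount
    return ($c.adminCount -eq 1)
}

function Get-AllowedToAuthenticateAces {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Lists who holds the extended right the thread kept re-adding.
    $c = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor
    $c.nTSecurityDescriptor.Access |
        Where-Object {
            $_.ObjectType -eq $AllowedToAuthenticate -and
            ($_.ActiveDirectoryRights -band
             [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

function Invoke-SdPropNow {
    # Asks the PDC emulator to run SDPROP now instead of waiting up to an hour
    # (Windows Server 2008 and later), so an ACE change can be checked quickly.
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Usage (DC01 is a placeholder for your domain controller's name):
Get-TrustAuthMode
Test-ProtectedByAdminSDHolder -ComputerName 'DC01'
Get-AllowedToAuthenticateAces -ComputerName 'DC01'
```

Note that forest-wide authentication makes every user of the trusted forest a member of Authenticated Users on every resource in the trusting forest, so it is the broader of the two trust modes; the audit above shows which one is in effect and whether an ACE placed on the DC itself can survive SDPROP.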