Asked by David Barman (United States of America)
Trusted domains, user authentication issue

Have two forests trusted on a two way trust. My issue is when users try to authenticate to the server in the remote forest they get a message that they don't have authentication permission.
I have used ADUC and added the domain users group of the remote forest to the server and enabled the authentication permission. Afterwards, users can connect to the remote server for a short time. Within a few hours the problem repeats. Then if I check the server permissions, the remote forest group is no longer listed.

Why is it disappearing? How do I stop this from disappearing?

Also, the remote server is running Windows Server 2012 R2. The local network is running Windows Server 2008 R2 as the server architecture.
SOLUTION by Will Szymkowski (Canada) - hidden, members only
ASKER
Ok.  So how do I prevent it from resetting the permissions?
Sorry, I get hundreds of notifications and this one must have been missed. Typically the way to get around this is to not add domain admins to other protected groups.

You would have 2 accounts for admins. Example:
Admin-wills and wills. Wills is the regular account, used on a daily basis. This is the account you would use. If you use admin-wills, then AdminSDHolder will remove it if it's in another protected group.

Will.
What I am doing now is adding the domain users group to the security permissions on the domain controller's properties. Once the group is added, I enable the authentication property. However, the group keeps getting removed.

What should I do differently?
You will need to do this differently. Domain controllers are part of the protected groups. See below link.
https://technet.microsoft.com/en-ca/magazine/2009.09.sdadminholder.aspx

This is why when you add Domain Users it gets removed.

Will.
Ok.  So what is the recommended process with two trusted forests.  How do you give the other forest authentication permissions on the domain controller?
You want Domain Users to be able to login to your Domain Controllers? Or you just want them to be able to login to machines using their credentials from the other Forest?

If you simply want domain users from domain B to log in to domain A using their normal credentials, then all that is required is a Forest Trust.

If you want some users from Domain B to be able to login to Domain A domain controllers then you will need to provide those individual accounts appropriate access.

Will.
I already have a forest trust.  However, they are unable to access any of the shares on the domain controller in the remote forest.  However, if I add the "domain users" group to the domain controller and enable the "authentication" security property, then the remote users can browse to the shares on the server and access those shares.  However, after a short time (1-2 hours), the group is no longer listed in the permissions on the domain controller.   This is my issue.  How do I give the remote users authentication permissions to the domain controller so they can get access to its shares?
The simple answer to your question is move the Share off of the domain controller. DC's have extra security and adding Domain Users is a bad idea. This is also why AdminSDHolder is removing the permissions after an hour.

"This is my issue.  How do I give the remote users authentication permissions to the domain controller so they can get access to its shares?"

Do not have Shares on your DC. This is the main issue. If you move them to any other server other than a DC you will be fine.

Will.
unfortunately it's a one server forest so the shares have to be on that server.  So I guess I need the non-simple answer to get this to work.  Can you help?
Rather than adding Domain Users to the Share on the DC, create a new group and add the required users from Domain B into this new group that you create. Because Domain Users is everyone in the forest, that could be the issue. Give that a shot.

Will.
So create the group in the forest that is local to the users or create the group in the forest that has the DC that we are trying to connect to?
Create a group in the Forest (where your DC/Share is located), then add users from Domain B to this group.

Will.
Ok. Is there a way to force an update to see if the server is going to remove the changes rather than wait a few hours to see what happened?
It's odd.  When I create the group and try to add members to it, it only shows the local forest. However, adding permissions to the DC or the shared folder did show the remote forest.  Are you sure you can add remote forest users to a local AD group?
Yes you can. In my first post reference my link. In the link look at the section "Forcing SDPROP to Run"

Will.
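The two points Will makes above (the DC's computer object is protected by AdminSDHolder, so any ACE added to it is stripped on the next SDProp pass, and SDProp can be forced to run instead of waiting an hour) can be verified from PowerShell. The script below is an added example, not code from the thread or from the linked article. It assumes the RSAT ActiveDirectory module, that it is run in the forest that holds the DC and the shares, and that the DC is named DC01 (placeholder). The rootDSE attribute used in step 4 is the mechanism the linked article's "Forcing SDPROP to Run" section refers to (RunProtectAdminGroupsTask on Server 2008 R2 and later; the older name was FixUpInheritance).

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) and a domain-joined admin session in the forest that holds
# the DC/share. 'DC01' is a placeholder for the single DC hosting the shares.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcName = 'DC01'   # assumption: the DC that hosts the shares

# 1. Is the DC's computer object protected by AdminSDHolder?
#    Members of the Domain Controllers group carry adminCount=1, and SDProp
#    rewrites their ACL from CN=AdminSDHolder roughly every 60 minutes.
$dc = Get-ADComputer -Identity $dcName -Properties adminCount, nTSecurityDescriptor
"adminCount on {0}: {1}" -f $dc.Name, $dc.adminCount

# 2. Every object SDProp is going to keep rewriting (adminCount=1).
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# 3. Compare the DC's ACL with the AdminSDHolder template. Any ACE present on
#    the DC but absent from the template is exactly what will vanish on the
#    next SDProp pass (e.g. a freshly added "Allowed to Authenticate" entry).
$template = Get-ADObject "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" `
            -Properties nTSecurityDescriptor
$aceKey = { "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.ObjectType)" }
$templateAces = $template.nTSecurityDescriptor.Access | ForEach-Object $aceKey
$dc.nTSecurityDescriptor.Access |
    Where-Object { $templateAces -notcontains (& $aceKey) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# 4. Force SDProp to run now instead of waiting for the hourly pass.
#    SDProp runs on the PDC emulator, so bind rootDSE there.
$pdc = $domain.PDCEmulator
$rootDse = [ADSI]"LDAP://$pdc/RootDSE"
$rootDse.Put('RunProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
"SDProp triggered on $pdc; re-run step 3 in a minute to see what was stripped."
```

Run step 3 immediately after adding the group to the DC, then step 4, then step 3 again: the ACE that disappears between the two runs is the one AdminSDHolder is removing, which confirms the cause without waiting the 1-2 hours the asker describes.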
It has to be a Domain Local Group in order for you to add members of another forest. You would then add this group to the Share.

Will.
Ok.  I was able to create the group.  Now I added the group to the DC permissions and enable "authentication".  Now just waiting to see if the permission disappears.
Ok sounds good. Like i said you can reference the original link in my first post to speed up the process.

Will.
Ok.  It appears that the group is still in the permission list, however the authentication permission on the group is now gone.
Ideas?
I just reapplied the authentication permission to see if it disappears again.
Correction.  I read it wrong.  The group was NOT there.  So it was removed like before.  There has to be a way to stop this.
What should we try?
ASKER CERTIFIED SOLUTION - hidden, members only
Ok.  Changing the forest trust to "forest-wide" authentication mode instead of "selective" mode fixed the issue.  Now the shared folder is accessible and stays accessible.
My solution resolved the issue.
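The asker's fix ties the two halves of the thread together: with selective authentication enabled on the trust, users from the other forest can only reach a resource server whose computer object grants them the "Allowed to Authenticate" right, and on a DC that ACE is stripped by SDProp; with forest-wide authentication the trust alone suffices. The script below is an added example, not code from the thread. It assumes the RSAT ActiveDirectory module, that it runs in the forest holding the DC and shares, and that the trusted forest is named remote.example (placeholder). It reports the trust's current mode and enumerates which computer objects currently grant the right, and to whom.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module and a session in the forest that holds the DC/share.
# 'remote.example' is a placeholder for the trusted forest's name.
Import-Module ActiveDirectory

$remoteForest = 'remote.example'   # assumption

# 1. Which authentication mode is the trust in?
#    SelectiveAuthentication = $true  : remote users need the Allowed-To-
#                                       Authenticate right on each server.
#    SelectiveAuthentication = $false : forest-wide; the trust is enough.
$trust = Get-ADTrust -Filter "Name -eq '$remoteForest'"
$trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 2. Look up the Allowed-To-Authenticate extended right from the schema
#    rather than hard-coding its GUID.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
         -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# 3. Which computer objects grant that right, and to whom? Principals from
#    the remote forest appear as REMOTE\name or, if unresolvable, as a SID.
#    A DC will show nothing here after SDProp has run, which is the symptom
#    the asker saw.
Get-ADComputer -Filter * -Properties nTSecurityDescriptor | ForEach-Object {
    $obj = $_
    $obj.nTSecurityDescriptor.Access |
        Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $obj.Name
                Principal = $_.IdentityReference
                Inherited = $_.IsInherited
            }
        }
}

# 4. The asker's fix: switch the trust to forest-wide authentication. This is
#    done on the trust's Authentication tab in AD Domains and Trusts, or with
#    netdom from the trusting domain (domain names are placeholders):
#    netdom trust local.example /domain:remote.example /SelectiveAUTH:no
```

If the trust must stay in selective mode (for example because only a subset of remote users should ever reach the resource forest), the Allowed-To-Authenticate ACE has to live on a member server's computer object rather than on the DC, which is the same conclusion Will reaches when he recommends moving the share off the DC.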