?
Solved

2-Way Copy Between Windows Domains Without Using Trusts

Posted on 2016-09-07
4
Medium Priority
?
49 Views
Last Modified: 2016-09-18
I need to create a 2-way copy for files and folders between two Windows Domains (one 2k8r2 & one 2k12r2). I'd like to avoid setting up a Trust between them in order to keep these two networks isolated from each other (unless I can be convinced otherwise).

What are some options I have to do this?

I should also mention that I'm not implementing this for another week, so I won't be jumping out to try suggestions today - rather I'm focused on the research but will do the surgery by mid-month.

Thanks for your help.
0
Comment
Question by:Tessando
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 41788144
Why not create accounts in both domains with appropriate access to the destinations and have an isolated, workgroup machine acting as a transfer diode node between the two domains?  It would authenticate and map a drive, M: to Domain1 and authenticate and map a drive, P: to Domain2.  It would then run the copy operation through it, but never actually store any of the data on its own storage.

I recommend this over authenticating to Domain2 from a machine in Domain1 or vice versa because then you have complete isolation.

Additionally, the transfer diode node would only have access to the two domains and should specifically be denied access to the Internet except for access to receive OS updates.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 41789116
You can access shares in non-trusted domains very easily by using the IP address of the server in the UNC you use to access the share, then enter in the creds that are valid for that server's domain. For instance,

ServerA is in Domain A with an IP of 192.168.1.1
Server B is in Domain B with an IP of 192.168.2.1

If you want to copy files from serverB to serverA, you would log on to ServerA and navigate to \\192.168.2.1\sharename at which point you'll be prompted for credentials. Enter a username and password that has access to the share in Domain B, and you'll have the files available. The same is possible for the reverse. You can do it all from one server by opening the destination folder on ServerA and copying the file that needs to go there from server B, then opening the source folder for the file that needs to go to serverB and copy the file from there.

As long as the two servers are able to communicate directly over the network, this will work without issues.

A trust is only necessary if you want to be able to access shares in Domain A with user accounts from Domain B.

Edit: You can simplify this a little by creating stub zones or conditional forwarders in each domain's DNS for the opposite domain, which would allow you to use host names. Just note that you would have to type out the full host name (serverA.domaina.com, as opposed to just serverA) in the UNC when navigating shares in the opposite domain.
0
 

Accepted Solution

by:
Tessando earned 0 total points
ID: 41794785
I found a decent combination between net use and robocopy that, in theory, make sense.

I know it's old school, but this *might* do the trick. If I keep going with this, do you think a batch file like this might work?

net use \\server1\g$ /user:domain1\user1 [password]
net use \\server2\g$ /user:domain2\user2 [password]
robocopy \\server1\G$\testdir\%3 \\server2\g$\uploads

Open in new window


So far, I'm getting "System error 53 occurred" as in "Network Path Not Found" when it comes to Domain2. Hopefully someone has a useful suggestion for that error. Thanks again for your help!
0
 

Author Closing Comment

by:Tessando
ID: 41803591
To resolve the permissions, I had to make the User on the second Domain a "Domain Admin", otherwise that script that uses Net Use to pass authentication and robocopy do the trick.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
An article on effective troubleshooting
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question