Solved

2-Way Copy Between Windows Domains Without Using Trusts

Posted on 2016-09-07
4
16 Views
Last Modified: 2016-09-18
I need to create a 2-way copy for files and folders between two Windows Domains (one 2k8r2 & one 2k12r2). I'd like to avoid setting up a Trust between them in order to keep these two networks isolated from each other (unless I can be convinced otherwise).

What are some options I have to do this?

I should also mention that I'm not implementing this for another week, so I won't be jumping out to try suggestions today - rather I'm focused on the research but will do the surgery by mid-month.

Thanks for your help.
0
Comment
Question by:Tessando
  • 2
4 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 41788144
Why not create accounts in both domains with appropriate access to the destinations and have an isolated, workgroup machine acting as a transfer diode node between the two domains?  It would authenticate and map a drive, M: to Domain1 and authenticate and map a drive, P: to Domain2.  It would then run the copy operation through it, but never actually store any of the data on its own storage.

I recommend this over authenticating to Domain2 from a machine in Domain1 or vice versa because then you have complete isolation.

Additionally, the transfer diode node would only have access to the two domains and should specifically be denied access to the Internet except for access to receive OS updates.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41789116
You can access shares in non-trusted domains very easily by using the IP address of the server in the UNC you use to access the share, then enter in the creds that are valid for that server's domain. For instance,

ServerA is in Domain A with an IP of 192.168.1.1
Server B is in Domain B with an IP of 192.168.2.1

If you want to copy files from serverB to serverA, you would log on to ServerA and navigate to \\192.168.2.1\sharename at which point you'll be prompted for credentials. Enter a username and password that has access to the share in Domain B, and you'll have the files available. The same is possible for the reverse. You can do it all from one server by opening the destination folder on ServerA and copying the file that needs to go there from server B, then opening the source folder for the file that needs to go to serverB and copy the file from there.

As long as the two servers are able to communicate directly over the network, this will work without issues.

A trust is only necessary if you want to be able to access shares in Domain A with user accounts from Domain B.

Edit: You can simplify this a little by creating stub zones or conditional forwarders in each domain's DNS for the opposite domain, which would allow you to use host names. Just note that you would have to type out the full host name (serverA.domaina.com, as opposed to just serverA) in the UNC when navigating shares in the opposite domain.
0
 

Accepted Solution

by:
Tessando earned 0 total points
ID: 41794785
I found a decent combination between net use and robocopy that, in theory, make sense.

I know it's old school, but this *might* do the trick. If I keep going with this, do you think a batch file like this might work?

net use \\server1\g$ /user:domain1\user1 [password]
net use \\server2\g$ /user:domain2\user2 [password]
robocopy \\server1\G$\testdir\%3 \\server2\g$\uploads

Open in new window


So far, I'm getting "System error 53 occurred" as in "Network Path Not Found" when it comes to Domain2. Hopefully someone has a useful suggestion for that error. Thanks again for your help!
0
 

Author Closing Comment

by:Tessando
ID: 41803591
To resolve the permissions, I had to make the User on the second Domain a "Domain Admin", otherwise that script that uses Net Use to pass authentication and robocopy do the trick.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now