• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 57
  • Last Modified:

2-Way Copy Between Windows Domains Without Using Trusts

I need to create a 2-way copy for files and folders between two Windows Domains (one 2k8r2 & one 2k12r2). I'd like to avoid setting up a Trust between them in order to keep these two networks isolated from each other (unless I can be convinced otherwise).

What are some options I have to do this?

I should also mention that I'm not implementing this for another week, so I won't be jumping out to try suggestions today - rather I'm focused on the research but will do the surgery by mid-month.

Thanks for your help.
0
Tessando
Asked:
Tessando
  • 2
1 Solution
 
WalkaboutTiggerCommented:
Why not create accounts in both domains with appropriate access to the destinations and have an isolated, workgroup machine acting as a transfer diode node between the two domains?  It would authenticate and map a drive, M: to Domain1 and authenticate and map a drive, P: to Domain2.  It would then run the copy operation through it, but never actually store any of the data on its own storage.

I recommend this over authenticating to Domain2 from a machine in Domain1 or vice versa because then you have complete isolation.

Additionally, the transfer diode node would only have access to the two domains and should specifically be denied access to the Internet except for access to receive OS updates.
0
 
Adam BrownSr Solutions ArchitectCommented:
You can access shares in non-trusted domains very easily by using the IP address of the server in the UNC you use to access the share, then enter in the creds that are valid for that server's domain. For instance,

ServerA is in Domain A with an IP of 192.168.1.1
Server B is in Domain B with an IP of 192.168.2.1

If you want to copy files from serverB to serverA, you would log on to ServerA and navigate to \\192.168.2.1\sharename at which point you'll be prompted for credentials. Enter a username and password that has access to the share in Domain B, and you'll have the files available. The same is possible for the reverse. You can do it all from one server by opening the destination folder on ServerA and copying the file that needs to go there from server B, then opening the source folder for the file that needs to go to serverB and copy the file from there.

As long as the two servers are able to communicate directly over the network, this will work without issues.

A trust is only necessary if you want to be able to access shares in Domain A with user accounts from Domain B.

Edit: You can simplify this a little by creating stub zones or conditional forwarders in each domain's DNS for the opposite domain, which would allow you to use host names. Just note that you would have to type out the full host name (serverA.domaina.com, as opposed to just serverA) in the UNC when navigating shares in the opposite domain.
0
 
TessandoIT AdministratorAuthor Commented:
I found a decent combination between net use and robocopy that, in theory, make sense.

I know it's old school, but this *might* do the trick. If I keep going with this, do you think a batch file like this might work?

net use \\server1\g$ /user:domain1\user1 [password]
net use \\server2\g$ /user:domain2\user2 [password]
robocopy \\server1\G$\testdir\%3 \\server2\g$\uploads

Open in new window


So far, I'm getting "System error 53 occurred" as in "Network Path Not Found" when it comes to Domain2. Hopefully someone has a useful suggestion for that error. Thanks again for your help!
0
 
TessandoIT AdministratorAuthor Commented:
To resolve the permissions, I had to make the User on the second Domain a "Domain Admin", otherwise that script that uses Net Use to pass authentication and robocopy do the trick.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now