Olleco (United Kingdom of Great Britain and Northern Ireland) asked on

Trust relationship - adding users from DomainA to groups on DomainB

Please help, I'm a little confused...

I have created a two-way trust between DomainA and DomainB
- Both 2016 level
- Validated/tested

I can create a "domain local" type group on DomainA and add users from DomainB = Test1

I can't:
- Add user from DomainB to any other type groups on DomainA
- Add "Test1" group to any other group on DomainA

Am I missing something blindingly obvious??

Kind regards,
Steven
Alex

What's the error you're getting?
Olleco (ASKER)

No error - I cannot see DomainB in the list when I try to add the users to a non-"domain local" group.

And the "domain local" group I have created on DomainA with users from DomainB doesn't show up when I try to add it to another group.

Thanks,
Steven
By design:

You cannot add a user from one domain to a global group in another domain; global groups accept users and groups from the same domain.

With domain local groups you have already tested the functionality; domain local groups cannot be added to any groups in another domain. As the name says, they are local groups for the domain.

What about universal groups, have you tested them?
With universal groups, they can accept users, global groups and universal groups from their own domain and other domains?

Let us know the results of the above.
Olleco (ASKER)

Yes, tested universal - it does not show DomainB when I go to add the users like it does for Domain.local

I remember this being a lot easier (it has been a few years since I have done this).

Thanks,
Steven
What is your trust authentication level?

I believe you have selected selective authentication; change it to domain-wide authentication from the trust properties and the issue should get resolved.
Olleco (ASKER)

Sorry, just checked (from both sides/both servers) and both are domain wide authentication.

Thanks,
Steven
How are you trying to add users to groups?

Don't do it from the user properties.
Navigate to the universal group properties on one domain and check if you are able to locate users, global groups and universal groups from the other domain.
Note that distribution group types may not be listed.
Olleco (ASKER)

I have created three test groups:
- Test_Domain local
- Test_Global
- Test_universal

I go into each group and try to add users; the only one I can see DomainB from is the Test_Localdomain group.

Same on both sides (both domains).

Steven
What type of group is Test1? Based on your statement
- Add "Test1" group to any other group on DomainA
I assume Test1 is a global group, and if so, then yes, you cannot add it to any group on DomainA except if it is a domain local group.

Universal groups can contain global groups from any domain in the same forest.

Keep in mind the good old A.G.DL.P (Accounts into global groups into domain local groups which are given permissions) or A.G.U.DL.P (Accounts into global groups into universal groups into domain local groups which are given permissions - this is generally used for cross-forest/trust setups - https://www.oreilly.com/library/view/windows-server-2016/9781788626569/f608f4ef-6b0f-4c56-8b4e-5f813f60fd65.xhtml)

(for your reference - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
Olleco (ASKER)

Hi Ibrahim,

I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group. This will allow me to add users from DomainB but I cannot add this group to another existing group.

Sorry, forgot to mention - both domains are not in the same forest - completely separate.

I just don't get how I am supposed to reuse any of my old groups. Do I have to create a separate structure of groups that cannot be part of the old structure (all new domain local groups)? Doesn't feel right.

Thanks,
Steven
"I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group. This will allow me to add users from DomainB but I cannot add this group to another existing group."
What type of group is this other "existing group"? Remember that domain local groups can only be members of other domain local groups in the same domain, not forest.

Maybe let's take a step back and see exactly what it is you are trying to accomplish with this nesting conundrum :). What is your goal? Is there a resource that you are trying to assign users permission to?
If you could explain what type of groups you already have, we can sort it out.
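As an added example (not code from the thread or from Experts Exchange), the PowerShell function below encodes the group-scope nesting rules stated in the replies above, treating DomainA and DomainB as separate forests joined by an external trust as Steven confirmed, so a proposed membership can be checked before it is attempted. The function name, parameter names and the final two checks are assumptions for illustration; the second walk reproduces his three test groups and the Test1 nesting attempt.

```powershell
# Added example: encodes the nesting rules discussed in the thread (not EE's code).
# Assumption: DomainA and DomainB are in separate forests joined by an external trust.
function Test-GroupNesting {
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')]
        [string]$GroupScope,                       # scope of the group receiving the member
        [Parameter(Mandatory)][ValidateSet('User','DomainLocal','Global','Universal')]
        [string]$MemberType,                       # what is being added
        [Parameter(Mandatory)][bool]$SameDomain,   # member from the group's own domain?
        [Parameter(Mandatory)][bool]$SameForest    # member from the group's own forest?
    )
    if ($SameDomain) { $SameForest = $true }       # same domain implies same forest
    switch ($GroupScope) {
        'Global' {
            # Global groups take users and global groups from their own domain only.
            return ($SameDomain -and ($MemberType -in 'User','Global'))
        }
        'Universal' {
            # Universal groups take users, global and universal groups from any domain
            # in the same forest; a trust to a separate forest is not enough.
            return ($SameForest -and ($MemberType -in 'User','Global','Universal'))
        }
        'DomainLocal' {
            # Domain local groups take users, global and universal groups from any
            # trusted domain, plus domain local groups from their own domain only.
            if ($MemberType -eq 'DomainLocal') { return $SameDomain }
            return $true
        }
    }
}

# Reproduce Steven's test: a DomainB user into each of the three DomainA test groups.
foreach ($scope in 'DomainLocal','Global','Universal') {
    $ok = Test-GroupNesting -GroupScope $scope -MemberType User -SameDomain $false -SameForest $false
    "Test_$scope <- DomainB user: $(if ($ok) { 'allowed' } else { 'not allowed' })"
}

# His follow-up: nesting Test_DomainLocal into an existing DomainA global group.
Test-GroupNesting -GroupScope Global -MemberType DomainLocal -SameDomain $true -SameForest $true
```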
Olleco (ASKER)

We are rebuilding our domain (from scratch) as n years ago our company name changed, we have also now purchased datacentre licenses for 2016 so want to rebuild our estate up from 2012.  We have so far created the first new domain controller "DomainB" and we want to slowly rebuild our estate into DomainB.  We will be adding all new users to DomainB and migrating old (over months) from DomainA.  This means that we need to allow users into resources on DomainA e.g. remote desktop farm/file server/printing etc.

In its simplest form I would like to add users from DomainB to existing security groups on DomainA (and the other way as the migration completes).

Hope this makes sense.

Steven
SOLUTION (Ibrahim Benna, Canada)
This solution is only available to members.

ASKER CERTIFIED SOLUTION
This solution is only available to members.