
Trust relationship - adding users from DomainA to groups on DomainB

61 Views
Last Modified: 2019-01-03
Please help, I'm a little confused...

I have created a two way trust between domainA and DomainB
- Both 2016 level
- Validated/tested

I can create a "domain local" type group on domainA and add users from DomainB = Test1

I can't:
- Add user from DomainB to any other type groups on DomainA
- Add "Test1" group to any other group on DomainA

Am I missing something blindingly obvious??

Kind regards,
Steven

Alex
A lack of information provides a lack of a decent solution.
CERTIFIED EXPERT

Commented:
What's the error you're getting?
OllecoTechy

Author

Commented:
No error - I cannot see DomainB in the list when I try to add the users to a non-"domain local" group.

And the "domain local" group I have created on domainA with users from DomainB doesn't show up when I try to add it to another group.

Thanks,
Steven
Mahesh
Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
By design:

You cannot add a user from one domain to a global group in another domain; global groups can accept users and groups from the same domain.

With domain local groups you have already tested the functionality. Domain local groups cannot be added to any groups in another domain; as the name says, they are local groups for the domain.

What about universal groups, have you tested them?
With universal groups, they can accept users, global groups and universal groups from their own domain and other domains?

Let us know results of above
OllecoTechy

Author

Commented:
Yes, tested universal - it does not show DomainB when I go to add the users, like it does for Domain.local.

I remember this being a lot easier (it has been a few years since I have done this).

Thanks,
Steven
Mahesh
Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What is your trust authentication level?

I believe you have selected selective authentication, change it to domain wide authentication from trust properties and issue should get resolved
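The two things Mahesh asks the author to check, the trust's authentication setting and which group scopes can take members from DomainB, can be read with PowerShell rather than from the dialog. This is an added example and not code from the thread; it assumes the ActiveDirectory module on a DomainA member server, the domain names domainA.local and domainB.local, and the group names Test_DomainLocal, Test_Global and Test_Universal, all of which are placeholders for the author's own names.

```powershell
Import-Module ActiveDirectory

# Assumed names (placeholders): replace with your own domains and groups.
$LocalDomain   = 'domainA.local'
$TrustedDomain = 'domainB.local'
$TestGroups    = 'Test_DomainLocal', 'Test_Global', 'Test_Universal'

# 1. The trust as DomainA sees it: direction, kind, and whether selective
#    authentication (which hides DomainB principals from object pickers) is on.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $LocalDomain
if (-not $trust) { throw "No trust to $TrustedDomain is defined in $LocalDomain" }

$trustKind = if ($trust.IntraForest) { 'intra-forest' } elseif ($trust.ForestTransitive) { 'forest trust' } else { 'external trust' }

[pscustomobject]@{
    Trust                   = $trust.Name
    Direction               = $trust.Direction               # BiDirectional for a two-way trust
    Kind                    = $trustKind
    SelectiveAuthentication = $trust.SelectiveAuthentication # $false means domain-wide authentication
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined # SID filtering state on the trust
} | Format-List

# 2. Which of the test groups can hold principals from the trusted domain.
#    Domain local: members from any trusted domain, a separate forest included.
#    Universal:    members from any domain in the same forest only.
#    Global:       members from its own domain only.
foreach ($name in $TestGroups) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Server $LocalDomain -Properties Members
    if (-not $g) { Write-Warning "Group $name not found in $LocalDomain"; continue }

    $acceptsForeign = switch ($g.GroupScope) {
        'DomainLocal' { $true }
        'Universal'   { [bool]$trust.IntraForest }
        'Global'      { $false }
    }
    # Members from other domains are stored as foreign security principals.
    $foreignMembers = @($g.Members | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })

    [pscustomobject]@{
        Group               = $g.Name
        Scope               = $g.GroupScope
        Category            = $g.GroupCategory
        AcceptsDomainBUsers = $acceptsForeign
        ForeignMembersNow   = $foreignMembers.Count
    }
}
```

Run it on a DomainA member with rights to read the trust object and the groups. With a trust between two separate forests, the second table shows AcceptsDomainBUsers as true for the domain local group only, which matches what the author observes in the object picker.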
OllecoTechy

Author

Commented:
Sorry, just checked (from both sides/both servers) and both are domain wide authentication.

Thanks,
Steven
Mahesh
Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
How are you trying to add users to groups?

Don't do it from user properties.
Navigate to the universal group properties on one domain and check if you are able to locate users, global groups and universal groups from the other domain.
Note that distribution group types may not be listed.
OllecoTechy

Author

Commented:
I have created three test groups:
- Test_Domain local
- Test_Global
- Test_universal

I go into each group and try to add users, the only one I can see the DomainB from is the Test_Localdomain group.

Same on both sides (both domains).

Steven
Ibrahim Benna
Technology Lead
CERTIFIED EXPERT

Commented:
What type of group is Test1? Based on your statement "Add "Test1" group to any other group on DomainA", I assume Test1 is a global group, and if so, then yes, you cannot add it to any group on DomainA except if it is a domain local group.

Universal groups can contain global groups from any domain in the same forest.

Keep in mind the good old A.G.DL.P (Accounts into global groups into domain local groups which are given permissions) or A.G.U.DL.P (Accounts into global groups into universal groups into domain local groups which are given permissions - this is generally used for cross-forest/trust setups - https://www.oreilly.com/library/view/windows-server-2016/9781788626569/f608f4ef-6b0f-4c56-8b4e-5f813f60fd65.xhtml)

(for your reference - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
OllecoTechy

Author

Commented:
Hi Ibrahim,

I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group.  This will allow me to add users from DomainB but I cannot add this group to another existing group.

Sorry forgot to mention - both domains are not in the same forest - completely separate.

I just don't get how I am supposed to reuse any of my old groups.  Do I have to create a separate structure of groups that cannot be part of the old structure (all new domain local groups)?  Doesn't feel right.

Thanks,
Steven
Ibrahim Benna
Technology Lead
CERTIFIED EXPERT

Commented:
I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group.  This will allow me to add users from DomainB but I cannot add this group to another existing group.
What type of group is this other "existing group"? Remember that domain local groups can only be members of other domain local groups in the same domain, not forest.

Maybe let's take a step back and see exactly what it is you are trying to accomplish with this nesting conundrum :). What is your goal? Is there a resource that you are trying to assign users permission to?
Mahesh
Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
If you could explain what type of groups you already have, we can sort it out.
OllecoTechy

Author

Commented:
We are rebuilding our domain (from scratch) as n years ago our company name changed, we have also now purchased datacentre licenses for 2016 so want to rebuild our estate up from 2012.  We have so far created the first new domain controller "DomainB" and we want to slowly rebuild our estate into DomainB.  We will be adding all new users to DomainB and migrating old (over months) from DomainA.  This means that we need to allow users into resources on DomainA e.g. remote desktop farm/file server/printing etc.

In its simplest form I would like to add users from DomainB to existing security groups on DomainA (and the other way as the migration completes).

Hope this makes sense.

Steven
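Given the goal stated in the post above (DomainB users onto DomainA resources, across a trust between two separate forests), the A.G.DL.P pattern Ibrahim refers to can be implemented in PowerShell: accounts go into a global group in DomainB, that global group (and any existing DomainA global group that should keep its access) is nested into a domain local group in DomainA, and the permission on the resource is granted to the domain local group. This is an added example and not code from the thread; the domain, group and share names are placeholders, and it assumes the ActiveDirectory module plus rights to manage groups in both domains and the ACL on the share.

```powershell
Import-Module ActiveDirectory

# Assumed names (placeholders, not from the thread): adjust to your environment.
$ResourceDomain = 'domainA.local'                 # old domain, where the resources live
$AccountDomain  = 'domainB.local'                 # new domain, where new users are created
$AccountGroup   = 'Projects-Users'                # G: global group in DomainB holding the accounts
$LegacyGroups   = @('Legacy-Projects-Users')      # existing DomainA global groups that keep access
$ResourceGroup  = 'Projects-Modify-DL'            # DL: domain local group in DomainA
$SharePath      = '\\fs01.domainA.local\Projects' # P: the resource that gets the permission

function Get-OrCreateGroup {
    param([string]$Name, [string]$Scope, [string]$Server)
    # -Filter returns $null when the group is missing instead of throwing.
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Server
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Server $Server -PassThru
    } elseif ($g.GroupScope -ne $Scope) {
        throw "$Name exists in $Server with scope $($g.GroupScope), expected $Scope"
    }
    return $g
}

# A -> G: accounts are members of a global group in their own domain (DomainB).
$acctGroup = Get-OrCreateGroup -Name $AccountGroup -Scope Global -Server $AccountDomain

# G -> DL: only a domain local group in DomainA can take principals from the
# other forest; DomainA stores the member as a foreign security principal.
$resGroup = Get-OrCreateGroup -Name $ResourceGroup -Scope DomainLocal -Server $ResourceDomain
Add-ADGroupMember -Identity $resGroup -Members $acctGroup -Server $ResourceDomain

# Existing DomainA global groups nest into the same domain local group, so the
# old structure is reused rather than rebuilt.
foreach ($legacy in $LegacyGroups) {
    $lg = Get-ADGroup -Filter "Name -eq '$legacy'" -Server $ResourceDomain
    if ($lg) { Add-ADGroupMember -Identity $resGroup -Members $lg -Server $ResourceDomain }
}

# DL -> P: grant the permission to the domain local group, by SID so the ACE does
# not depend on name lookups across the trust.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($resGroup.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify: list the DL members, resolving foreign security principals back to names.
$members = (Get-ADGroup -Identity $resGroup -Server $ResourceDomain -Properties Members).Members
foreach ($dn in $members) {
    if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
        $fsp = Get-ADObject -Identity $dn -Server $ResourceDomain -Properties objectSid
        $sid = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = $sid.Value }
        "{0}  (foreign security principal, {1})" -f $name, $sid.Value
    } else {
        $dn
    }
}
```

Nothing here touches the existing DomainA global groups themselves; they simply become members of the new domain local group alongside the DomainB global group. When the migration later runs the other way, the same pattern applies with the roles of the two domains swapped: a domain local group in DomainB holding a DomainA global group. Group membership is read through the Members attribute rather than Get-ADGroupMember because the latter has to resolve each foreign member through the trust and can fail on foreign security principals.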