Trust relationship - adding users from DomainA to groups on DomainB

Please help, little confused...

I have created a two way trust between domainA and DomainB
- Both 2016 level
- Validated/tested

I can create a "domain local" type group on domainA and add users from DomainB = Test1

I can't:
- Add user from DomainB to any other type groups on DomainA
- Add "Test1" group to any other group on DomainA

Am I missing something blindingly obvious??

Kind regards,
Steven
OllecoTechy asked:

Alex Green (Project Systems Engineer) commented:
What's the error you're getting?
OllecoTechy (Author) commented:
No error - I cannot see DomainB in the list when I try to add the users to a non "domain local" group

And the "domain local" group I have created on DomainA with users from DomainB doesn't show up when I try to add it to another group.

Thanks,
Steven
Mahesh (Architect) commented:
By design:

You cannot add a user from one domain to a global group in another domain; global groups can accept users and groups only from the same domain.

With domain local groups you have already tested the functionality. Domain local groups cannot be added to any groups in another domain; as the name says, they are local groups for the domain.

What about universal groups, have you tested them?
With universal groups, they can accept users, global groups and universal groups from their own domain and from other domains?

Let us know results of above

OllecoTechy (Author) commented:
Yes, tested universal - it does not show DomainB when I go to add the users like it does for Domain local.

I remember this being a lot easier (it has been a few years since I have done this).

Thanks,
Steven
Mahesh (Architect) commented:
What is your trust authentication level?

I believe you have selected selective authentication; change it to domain-wide authentication from the trust properties and the issue should get resolved.
OllecoTechy (Author) commented:
Sorry, just checked (from both sides/both servers) and both are domain wide authentication.

Thanks,
Steven
Mahesh (Architect) commented:
How are you trying to add users to groups?

Don't do it from the user properties.
Navigate to the universal group properties on one domain and check whether you are able to locate users, global groups and universal groups from the other domain.
Note that distribution group types may not be listed.
OllecoTechy (Author) commented:
I have created three test groups:
- Test_Domain local
- Test_Global
- Test_universal

I go into each group and try to add users; the only one in which I can see DomainB is the Test_Localdomain group.

Same on both sides (both domains).

Steven
Ibrahim Benna (Technology Lead) commented:
What type of group is Test1? Based on your statement "Add "Test1" group to any other group on DomainA", I assume Test1 is a global group, and if so, then yes, you cannot add it to any group on DomainA except a domain local group.

Universal groups can contain global groups from any domain in the same forest.

Keep in mind the good old A.G.DL.P (Accounts into global groups into domain local groups which are given permissions) or A.G.U.DL.P (Accounts into global groups into universal groups into domain local groups which are given permissions - this is generally used for cross-forest/trust setups - https://www.oreilly.com/library/view/windows-server-2016/9781788626569/f608f4ef-6b0f-4c56-8b4e-5f813f60fd65.xhtml)

(for your reference - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
OllecoTechy (Author) commented:
Hi Ibrahim,

I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group.  This will allow me to add users from DomainB but I cannot add this group to another existing group.

Sorry forgot to mention - both domains are not in the same forest - completely separate.

I just don't get how I am supposed to reuse any of my old groups. Do I have to create a separate structure of groups that cannot be part of the old structure (all new domain local groups)? Doesn't feel right.

Thanks,
Steven
Ibrahim Benna (Technology Lead) commented:
"I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group. This will allow me to add users from DomainB but I cannot add this group to another existing group."
What type of group is this other "existing group"? Remember that domain local groups can only be members of other domain local groups in the same domain, not forest.

Maybe let's take a step back and see exactly what it is you are trying to accomplish with this nesting conundrum :). What is your goal? Is there a resource that you are trying to assign users permission to?
Mahesh (Architect) commented:
If you could explain what type of groups you already have, we can sort it out.
OllecoTechy (Author) commented:
We are rebuilding our domain (from scratch) as n years ago our company name changed, we have also now purchased datacentre licenses for 2016 so want to rebuild our estate up from 2012.  We have so far created the first new domain controller "DomainB" and we want to slowly rebuild our estate into DomainB.  We will be adding all new users to DomainB and migrating old (over months) from DomainA.  This means that we need to allow users into resources on DomainA e.g. remote desktop farm/file server/printing etc.

In its simplest form I would like to add users from DomainB to existing security groups on DomainA (and the other way as the migration completes).

Hope this makes sense.

Steven
Ibrahim Benna (Technology Lead) commented:
Thank you for the clarity - now I think we have an understanding of what you are trying to accomplish. Simply put, if the groups in DomainA are not domain local groups, then you will not be able to add users directly into them from DomainB - you will need to create universal groups in DomainB and then add them into the DLG in DomainA.

For example, if you want to give DomainB\Steven access to a printer in DomainA and you already have a domain local group called DomainA\PrinterUsers, then you should have no issues. If the DomainA\PrinterUsers group happens to be a universal group, then unfortunately you will not be able to add users directly into it from DomainB. You will have to create a DomainB\UniversalPrinterUsers group, add DomainB\Steven to it and then add DomainB\UniversalPrinterUsers group into DomainA\PrinterUsers group.

If DomainA\PrinterUsers is a global group, it complicates it a bit. You may have to consider changing it to a universal group (but there are restrictions to this - "Can be converted to Universal scope if the group is not a member of any other global group").
Mahesh (Architect) commented:
Make sure your DomainA groups are either domain local or universal, and then create global groups in DomainB and add these global groups to the groups in DomainA (universal or domain local).

You may convert group scope from global to universal and from universal to domain local in DomainA to simplify the situation. Group conversion will not affect group members, and you will then be able to add global or universal groups from the other domain.
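The scope checks and the two-step conversion described in this thread, as an added PowerShell example (not code from any participant). It assumes the RSAT ActiveDirectory module, and `DomainA\PrinterUsers` and `dc01.domaina.local` are placeholder names:

```powershell
# Added example: report whether a DomainA group can accept principals from the
# trusted DomainB, and widen its scope (Global -> Universal -> DomainLocal) if not.
# Placeholders: group name and DC are assumptions, not values from the thread.
Import-Module ActiveDirectory

# Trust properties the thread asks about: selective vs domain-wide authentication,
# and whether this is a forest trust (universal groups only nest within a forest).
function Get-TrustSummary {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
}

function Get-ForeignNestingAdvice {
    param([Parameter(Mandatory)][string]$GroupName, [string]$Server)
    $g = Get-ADGroup -Identity $GroupName -Server $Server
    switch ($g.GroupScope) {
        'DomainLocal' { "OK: '$GroupName' is Domain Local; users, global and universal groups from any trusted domain can be members." }
        'Universal'   { "Partial: '$GroupName' is Universal; it accepts members from its own forest only. Over an external trust, convert it to Domain Local." }
        'Global'      { "Blocked: '$GroupName' is Global; members must come from its own domain. Convert Global -> Universal -> Domain Local." }
    }
}

function Convert-GroupToDomainLocal {
    param([Parameter(Mandatory)][string]$GroupName, [string]$Server, [switch]$WhatIf)
    $g = Get-ADGroup -Identity $GroupName -Server $Server -Properties memberOf
    if ($g.GroupScope -eq 'Global') {
        # Caveat quoted in the thread: a global group that is itself a member of
        # another global group cannot be converted to universal. Check first.
        $parents  = $g.memberOf | ForEach-Object { Get-ADGroup -Identity $_ -Server $Server }
        $blocking = $parents | Where-Object GroupScope -eq 'Global'
        if ($blocking) {
            throw "Remove '$GroupName' from global group(s) first: $($blocking.Name -join ', ')"
        }
        Set-ADGroup -Identity $g -GroupScope Universal -Server $Server -WhatIf:$WhatIf
        $g = Get-ADGroup -Identity $GroupName -Server $Server
    }
    if ($g.GroupScope -ne 'DomainLocal') {
        # Universal -> DomainLocal has no membership restriction; members are kept.
        Set-ADGroup -Identity $g -GroupScope DomainLocal -Server $Server -WhatIf:$WhatIf
    }
}

Get-TrustSummary
Get-ForeignNestingAdvice -GroupName 'PrinterUsers' -Server 'dc01.domaina.local'
Convert-GroupToDomainLocal -GroupName 'PrinterUsers' -Server 'dc01.domaina.local' -WhatIf
```

Run with -WhatIf first and drop it only once the reported scope and the trust summary match what you expect.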
