Cannot add global group in another domain to universal group

Discussion in 'Active Directory' started by Dominic, Nov 1, 2005.

  1. Dominic

    Dominic Guest

    Hi all,

    I am currently working on a new Active Directory, and I have established a
    two-way forest trust between the new AD (let's call it A) and the existing AD
    (call it B). The purpose of this is to add global groups in the existing AD
    to a universal group in my AD, so I can better manage the resources in my
    domain.

    The problem is that when I try to add a Member to a universal group in A, I
    cannot see the domain B in Locations. When I try it the other way around
    (i.e. going to a global group in B and selecting Member Of, I can only see
    the domain local groups in A). According to an article in Microsoft, I should
    be able to do this.
    (http://www.microsoft.com/technet/pr...elp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx)

    Both A and B are Windows 2003 native mode in terms of domain and forest
    functional levels.

    Any help is greatly appreciated.

    Dominic
     
    Dominic, Nov 1, 2005
    #1

  2. Todd J Heron

    Todd J Heron Guest

    For multiple forests in which a trust has been created, you get into issues
    such as trust-level authentication. This can impact the ability to see
    objects in the domains between forests. Per that article, if ForestA has an
    incoming forest trust from ForestB and forest-wide authentication is used,
    users from ForestB would be able to access any resource in ForestA (assuming
    they have the required permissions). What type of trust is in place
    between these two forests, selective or forest-wide? And are these trusts
    set up in both directions?

    --
    Todd J Heron, MCSE
    Windows Server 2003/2000/NT; CCA
    ----------------------------------------------------------------------------
    This posting is provided "as is" with no warranties and confers no rights
     
    Todd J Heron, Nov 1, 2005
    #2

  3. Dominic

    Dominic Guest

    Thanks for your reply, Mr. Heron. The trust that is set up between ForestA
    and ForestB is two-way, and it uses forest-wide authentication. I would
    assume that since the trust is two-way and forest-wide, any user from ForestA
    can access any resource in ForestB, and vice versa.
     
    Dominic, Nov 1, 2005
    #3
  4. Todd J Heron

    Todd J Heron Guest

    Use nslookup to see if the machine can resolve the other forest domain name.
    So from a machine in "B":

    nslookup A.local
     
    Todd J Heron, Nov 1, 2005
    #4
  5. Dominic

    Dominic Guest

    When I went on a machine in B and did an nslookup on "A", it gave me a list of
    the machines that were in forest A. When I did an nslookup on "A.local", it
    returned "can't find A.local: non-existent domain". However, nslookup from B
    can resolve the names of any machine in A.

    Maybe I should clarify the symptom of the problem: I can only add global
    and universal groups in B to domain local groups in A (if I start from B and
    use the Member Of function). By "only" I mean that the global and universal
    groups in A will not be returned if I search for all the groups in A through
    the Advanced option. On the other hand, forest B would not be listed when I
    try to add a member to universal groups in A, but will show for domain local
    groups.

    I searched the newsgroup and found a post with a similar issue, but there was
    no solution. If anyone knows how to fix this problem, please help me out.
    Thanks.
     
    Dominic, Nov 2, 2005
    #5
  6. Paul Williams [MVP]

    How is DNS configured in each domain? You need a conditional forwarder to
    the opposite domain configured on each side, and require the DNS suffix
    search list to include both DNS suffixes.

    So, clients in domain A would have a DNS Suffix Search order like so:

    a.local
    b.local


    Clients in domain B would have a DNS Suffix Search list like:

    b.local
    a.local


    Conditional forwarding is cleaner and more efficient than having a secondary
    zone (the 2000 way).
     
    Paul Williams [MVP], Nov 3, 2005
    #6
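    The DNS procedure described in posts #4 to #6 (a conditional forwarder on each side, the
    suffix search list with the local forest first, and an nslookup-style verification), written
    up as an added PowerShell example. This is editor-added code, not something any of the posters
    supplied. The forest names a.local and b.local come from post #6; the DNS server addresses
    10.0.1.10 and 10.0.2.10, the function names, and the use of the Windows Server 2012+
    DnsServer/DnsClient cmdlets are assumptions (the Windows Server 2003-era equivalents,
    dnscmd and the Tcpip SearchList registry value, are noted in comments).

```powershell
# Added example (not from the thread): wire up cross-forest name resolution
# between two forests with a forest trust, then verify it from the client side.
# Assumed names/addresses:
#   forest A: a.local, DNS server (a DC) at 10.0.1.10
#   forest B: b.local, DNS server (a DC) at 10.0.2.10
# Requires the DnsServer and DnsClient modules (Windows Server 2012+ / Windows 8+).

$ForestA = @{ Name = 'a.local'; Dns = '10.0.1.10' }
$ForestB = @{ Name = 'b.local'; Dns = '10.0.2.10' }

function Add-CrossForestForwarder {
    # Run on a DNS server in the local forest. A conditional forwarder sends
    # queries for the remote forest's zone straight to that forest's DNS server
    # instead of recursing through the root hints, where a private zone such as
    # b.local would simply fail (the "non-existent domain" seen in post #5).
    param(
        [Parameter(Mandatory)] [string] $RemoteZone,
        [Parameter(Mandatory)] [string] $RemoteDnsServer
    )
    if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
        # Windows Server 2003 equivalent:  dnscmd /ZoneAdd b.local /Forwarder 10.0.2.10
        Add-DnsServerConditionalForwarderZone -Name $RemoteZone `
            -MasterServers $RemoteDnsServer -ReplicationScope 'Forest'
    }
}

function Set-ForestSuffixSearchList {
    # Local forest suffix first, then the trusted forest's, as in post #6, so a
    # single-label name still matches the local domain before the remote one.
    param([Parameter(Mandatory)] [string[]] $Suffixes)
    # Windows Server 2003 equivalent: the SearchList value under
    # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Set-DnsClientGlobalSetting -SuffixSearchList $Suffixes
}

function Test-CrossForestResolution {
    # A forest trust is only usable when the other forest's DC locator SRV
    # records resolve; host (A) records resolving, as reported in post #5,
    # is not sufficient on its own.
    param([Parameter(Mandatory)] [string] $RemoteForest)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    if (-not $dcs) { throw "No DC SRV records found for $RemoteForest" }
    # nltest confirms the DC locator actually finds a DC across the trust.
    nltest /dsgetdc:$RemoteForest | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DsGetDcName failed for $RemoteForest" }
    return $dcs
}

# On a DNS server in forest A (the forwarder) and a client in forest A (the rest):
Add-CrossForestForwarder -RemoteZone $ForestB.Name -RemoteDnsServer $ForestB.Dns
Set-ForestSuffixSearchList -Suffixes @($ForestA.Name, $ForestB.Name)
Test-CrossForestResolution -RemoteForest $ForestB.Name

# The mirror image on forest B's side:
# Add-CrossForestForwarder -RemoteZone $ForestA.Name -RemoteDnsServer $ForestA.Dns
# Set-ForestSuffixSearchList -Suffixes @($ForestB.Name, $ForestA.Name)
# Test-CrossForestResolution -RemoteForest $ForestA.Name
```

    Working name resolution is a prerequisite for the trust, not a fix for the membership
    limit reported in post #5: Active Directory allows a universal group to contain members
    only from its own forest, while a domain local group can contain security principals
    (including global and universal groups) from a trusted forest. Being able to add B's groups
    only to domain local groups in A is therefore the expected result, and the check above
    simply confirms the trust path is sound.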
