How to make give cross-domain "Domain Admins" permissions

Imagine the following scenario:

Domain corp
Domain europe.corp
Domain asia.corp

How can you make a user in domain "Europe" a "Domain Admin" of domain "Asia"
??.

Since "Domain Admins" is a Global Security Group it won't admit members
outside its domain...

I've read the "Active Directory delegation best practices" but couldn't find
an answer for it...

Tks
Diego

 

Some additional information.
I've already added EUROPE\User1 to the "Administrators" group in the "ASIA"
domain but I still need "Domain Admins" privileges and not just
"Administrators"..

 

If you add that group to the administrators group on a DC, you have domain
admin permissions over the domain itself, and all the DCs. To get the
Domain Admin permissions across all members of the domain you need to add
yourself to a group that is either a direct or nested member of the
administrators groups on all workstations and member servers in the domain.
Have a look at this for some examples:
-- http://www.msresource.net/content/view/45/47/


I'd add a domain local group to the administrators group in each domain and
add a global to that group and my users into that group, e.g. nest
EUROPE\Domain Admins into ASIA\Asia Admins.

 

But the domain local "Administrators" group does not have some privileges
that "Domain Admins" do.
I don't want to have admin privileges over all member servers/workstations,
instead I'm just trying to give a single group "EUROPE\Directory Service
Group" domain admins rights over all the domains in the forest.

These rights should allow them to modify AD Topology/replication,
view/create/modify existing GPOs, among others..

 

You are quite correct, a domain's Administrators group is not
empowered over AD objects as is its DA group; and that use
of the DA is problematic except for users of its own domain.
You need to either look at using delegations to this Euro\DSgroup,
or at using Enterprise Admin for some things (control AD topology).
EA has direct grants in places, but may in fact be way too much for
what you are after. Other things you mention are simply deligated.
The final alternative is not using accounts from foreign domains
for DA tasks.

 

But the domain local "Administrators" group does not have some privileges

Domain Admins don't have any special permissions, the group is simply a
member of administrators on every domain member and the
builtin\administrators group of the domain. If you've added a group to the
Administrators group of the EUROPE domain it has the same level of
permissions over the DCs and AD as the EUROPE\Domain Admins group.

Then you need to add that group into the Administrators group (of the
domain) in each domain.

Yes, this will grant them all that.

There are security implications here. It should be noted that there should
be very few people with total control over the forest, so be very careful
with who's a member of this group. Monitor the membership and use
restricted groups to enforce the membership of this, and the administrators
groups.