Shared folders in a different domain

Discussion in 'Windows Server' started by Guest, Apr 16, 2009.

  1. Guest

    I have 2 domains joined by a trust: Domain 1 and Domain 2.

    I have a new server in Domain 2 that has shares which are accessible from
    all servers within Domain 2.

    I can't access Domain 2 shares from servers located in Domain 1

    I CAN access Domain 1 shares from Domain 2 servers.

    I can hit all servers in all domains by domain name, so it appears DNS is
    functioning?

    Any suggestions or pointers would be much appreciated. This issue is
    currently a showstopper for a project scheduled for this weekend.

    Thanks in advance
    Nick
     
    Guest, Apr 16, 2009
    #1

  2. Grant Taylor

    Does each domain trust the other, is the trust relationship only one way?
    What happens when you try to access domain 2 shares from domain 1? Do
    you get a "not found" or a "permissions" error?
    This sounds like your trust relationship may be only one way.
    If all servers can ping each other by name then DNS should be functional
    (at least to the extent that you need).
    First make sure that DNS is not your problem. You can also try
    accessing the systems via IP rather than name.



    Grant. . . .
     
    Grant Taylor, Apr 16, 2009
    #2

  3. Guest

    Thanks Grant.

    The trusts are not transitive (one way on each side), external?

    A clarification. I can hit Domain 2 shares from Domain 1 IF the Domain 2
    server is a domain controller running DNS.

    I can't hit anything in Domain 2 that is not a DC (currently these are the
    only boxes we have that are running DNS)

    I can ping by IP and DNS name perfectly.

    When I hit the Domain 2 share from Domain 1 it tells me "the server is not
    accessible; you may not have permission to use this resource."

    I can't reach the shares by IP either.
     
    Guest, Apr 16, 2009
    #3
  4. You can access any share on any server, regardless of the domain, by fully
    specifying a suitable account name/password combination, e.g. like so:

    net use Q: \\SomeServer\SomeShare /user:Nick SomePassword
     
    Pegasus [MVP], Apr 16, 2009
    #4

  5. After you created the trust, did you also add the Domain Users group of
    Domain1 to Domain2's Domain Local Administrators group and Domain
    Administrators of Domain1 to Domain2's Domain Local Administrators group, and
    vice-versa?

    What are the permissions on the Shared Folder permissions and the NTFS
    Security tab permissions allowing? (Please be specific.)

    What account are you using to access the share from Domain1 to Domain2's
    share?

    What Domain and Functional Level is Domain2? If less than Windows 2000 or
    2003, and you've added the Domain Local Groups as outlined above, the Domain
    Local Group will not be available until the levels are raised.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 16, 2009
    #5
  6. Guest

    I just added the Domain Admins groups from each domain into each other's
    Domain Local Administrators group. What does this get me?

    The permissions are Everyone Full Control for Share and Security
    I'm using domain1\Administrator

    Domain levels are Windows 2000 and Windows 2000 mixed on both sides.
     
    Guest, Apr 16, 2009
    #6
  7. If you go to that specific share on that specific machine, and specifically
    add the group from Domain1 to allow access to it, does it work?

    Normally with trusts, and especially with two way trusts, if we add the
    domain admins and domain users to the respective local groups, they become
    part of the local group. If you allow access by default to the Everyone
    group, it will work without adding these groups because Everyone means
    everything in a domain and any trusted domains, not necessarily the world.
    However on a member server, the domain local groups, for example the Domain
    Users group and the Domain Admins group cannot be enumerated in Mixed mode
    because the Domain Local groups are not available in NT4, hence the
    limitation. This is a known limitation when in mixed mode and trying to
    access a member server. Domain controllers are not affected, as you've
    experienced. Once you've bumped up the domain, you should be fine. But my
    guess is that if you specifically added them it would work anyway.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 17, 2009
    #7
  8. Grant Taylor

    Normally I would agree. The thing I'm not sure about is what type of
    communications (thus connection) is there between the two DCs to allow
    them to have their trust relationship? I would think that there would
    have to be some sort of active connection and last I looked Windows did
    not like seeing two different users connected to the server from one
    system. (Terminal Services is its own critter and plays differently.)



    Grant. . . .
     
    Grant Taylor, Apr 17, 2009
    #8
  9. I meant to elaborate on this a little more.

    This procedure allows domain users from the other domain to access resources
    that are meant for domain users of the other domain, that is if you set
    share and NTFS permissions to eliminate the Everyone group and substitute it
    with Authenticated Users. The main difference between the two is Everyone
    includes all accounts in all trusted domains as well as the internet
    anonymous account and guest account. Authenticated Users are users in the
    domain/forest they were created in. This is a 'best practice' that not all
    follow. Not saying you need to, and that depends on your scenario and
    design, but it is a security best practice to get a better control of the
    scope of accounts allowed into a resource.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 17, 2009
    #9
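Ace's two recommendations, replacing Everyone with Authenticated Users (this post) or granting the specific Domain 1 group directly on the share (post #7), written out as an added PowerShell example. This is not code from the thread. The path, share and group names are placeholders, and the Smb* cmdlets assume Windows Server 2012 or later; on the 2000/2003-era systems in the thread the share-permission step would be done in the share's Properties dialog instead.

```powershell
# Added example, not from the thread: strip 'Everyone' from a folder's NTFS ACL and its SMB
# share permissions and grant the chosen principal instead. All names are placeholders.

function Set-SharePrincipal {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. D:\Shares\Data (local path on the server)
        [Parameter(Mandatory)][string]$ShareName,   # e.g. Data
        # 'NT AUTHORITY\Authenticated Users' per post #9, or a trusted-domain group such as
        # 'DOMAIN1\File Users' per post #7 (placeholder group name)
        [string]$Principal = 'NT AUTHORITY\Authenticated Users',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

    # --- NTFS permissions ---
    # Only explicit ACEs can be removed here; an inherited 'Everyone' ACE has to be fixed on
    # the parent (or inheritance disabled first).
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        # Compare by SID, not by display name, so the check works on any UI language
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $everyone) { [void]$acl.RemoveAccessRule($ace) }
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
    # Set-Acl resolves $Principal to a SID, for a DOMAIN1\ group that goes over the trust;
    # an IdentityNotMappedException here means the trust lookup, not the folder, is broken.
    Set-Acl -Path $Path -AclObject $acl

    # --- Share permissions ---
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
    Grant-SmbShareAccess  -Name $ShareName -AccountName $Principal -AccessRight Change -Force | Out-Null

    # Return the resulting state so it can be reviewed
    [pscustomobject]@{
        Ntfs  = (Get-Acl -Path $Path).Access |
                    Select-Object IdentityReference, FileSystemRights, AccessControlType
        Share = Get-SmbShareAccess -Name $ShareName |
                    Select-Object AccountName, AccessRight, AccessControlType
    }
}

# Usage (placeholder names), run on the Domain 2 server that hosts the share:
# Set-SharePrincipal -Path 'D:\Shares\Data' -ShareName 'Data'                                  # Authenticated Users
# Set-SharePrincipal -Path 'D:\Shares\Data' -ShareName 'Data' -Principal 'DOMAIN1\File Users'  # specific group
```

One point worth keeping in mind when choosing between the two: Authenticated Users (S-1-5-11) is granted to every logon that presented credentials, which includes accounts from trusted domains once they have authenticated; what it leaves out relative to Everyone is anonymous and Guest access. If the goal is to limit a share to one group from Domain 1, the explicit group grant is the tighter of the two.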
  10. When you're supplying an account/password then you're not relying on any
    trust relationship. You can test the method easily by connecting a
    stand-alone PC to a domain network: It can access all domain resources when
    supplying acceptable credentials.
     
    Pegasus [MVP], Apr 17, 2009
    #10
  11. Guest

    Thanks Ace. Some new developments this morning. I no longer get a
    permission error when trying to access this server. Now I get a login box
    and I can authenticate with an ID from that domain.

    I would think the trust would let me right in.

    When I go into the share permissions I see a SID where the Domain 1 group
    should be. Is this a name resolution problem? I can nslookup all servers
    in both domains without a problem.
     
    Guest, Apr 17, 2009
    #11
  12. Grant Taylor

    I completely agree with you. The key being that the "stand-alone PC"
    will not have any type of session with any thing to cause a conflict
    when you try to use a different set of credentials.

    However I'm questioning if a DC establishes a session (as visible with
    the "net sessions" command) with the other DC(s). If there is a session
    established using one set of credentials, I don't think you will be able
    to establish a second session using a different set of credentials.



    Grant. . . .
     
    Grant Taylor, Apr 17, 2009
    #12
  13. Agreed.
     
    Pegasus [MVP], Apr 17, 2009
    #13
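Pegasus's explicit-credential approach (posts #4 and #10) together with the session conflict Grant raises (posts #8 and #12), as an added PowerShell example that is not from the thread. Windows allows a client to hold only one set of credentials per server, and a second connection under different credentials fails with system error 1219, so the existing connection has to be dropped first. Server, share and user names are placeholders.

```powershell
# Added example, not from the thread: map a share in the other domain with explicit
# credentials after clearing any existing SMB connection to that server. Names are
# placeholders.

function Get-ServerConnections {
    param([Parameter(Mandatory)][string]$Server)
    # 'net use' prints one line per connection; pull the \\server\share column out of each
    # and keep the ones that point at $Server (IPC$ connections count too)
    net use 2>$null | ForEach-Object {
        $m = [regex]::Match($_, '\\\\[^\s]+')
        if ($m.Success -and $m.Value -match "^\\\\$([regex]::Escape($Server))\\") { $m.Value }
    }
}

function Connect-TrustedShare {
    param(
        [Parameter(Mandatory)][string]$Server,           # e.g. SRV2 (member server in Domain 2)
        [Parameter(Mandatory)][string]$Share,            # e.g. Data
        [Parameter(Mandatory)][string]$DriveLetter,      # e.g. Q
        [Parameter(Mandatory)][pscredential]$Credential  # e.g. DOMAIN2\nick from Get-Credential
    )
    $unc = "\\$Server\$Share"

    # 1. Drop connections to this server made under other credentials, otherwise the new
    #    logon is rejected with system error 1219 (one credential set per server).
    foreach ($remote in Get-ServerConnections -Server $Server) {
        Write-Verbose "Disconnecting $remote"
        net use $remote /delete /y | Out-Null
    }

    # 2. Connect with the supplied credentials. This authenticates directly against the
    #    account's own domain and does not depend on the trust at all. New-PSDrive takes a
    #    PSCredential, so the password does not appear on a command line the way
    #    'net use Q: \\srv\share /user:Nick SomePassword' does.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $unc -Credential $Credential `
                -Persist -Scope Global -ErrorAction Stop | Out-Null
    return "${DriveLetter}:"
}

# Usage (placeholder names):
# $cred = Get-Credential 'DOMAIN2\nick'
# Connect-TrustedShare -Server SRV2 -Share Data -DriveLetter Q -Credential $cred
# Get-ChildItem Q:\
```

If net use is preferred, `net use Q: \\SRV2\Data /user:DOMAIN2\nick *` prompts for the password instead of taking it on the command line. Either way, a connection that works with explicit credentials but not with the trust points at the trust, not at the share.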
  14. Well, it sounds like there is some progress happening. The SID is an
    indication of connectivity issues, but it may not be. The SID can also be an
    indication that a group once existed, but was deleted and still remains in
    the ACL, which the system no longer has a name associated with the SID to
    display.

    Are there any errors in the event logs?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 17, 2009
    #14
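A way to tell the two cases Ace describes apart, an ACE whose principal was deleted versus an ACE whose SID cannot be resolved over the trust, as an added PowerShell example that is not from the thread. It walks the folder's NTFS ACL, picks out the entries that still show as a bare SID (the symptom in post #11), and compares the SID's domain part with the SIDs of the domains this domain trusts. The folder path is a placeholder; `Get-ADTrust` needs the ActiveDirectory RSAT module, and the local-domain SID is taken from the current user's logon, so run it as a domain account.

```powershell
# Added example, not from the thread: classify unresolved SIDs in a folder's ACL.
# The folder path is a placeholder.

function ConvertTo-Sid {
    param($Value)
    # Normalise the forms AD cmdlets may hand back (SID object, byte[] or string)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($Value, 0) }
    return New-Object System.Security.Principal.SecurityIdentifier([string]$Value)
}

function Get-TrustDomainSids {
    # securityIdentifier is the trustedDomain attribute that holds the trusted domain's SID
    Get-ADTrust -Filter * -Properties securityIdentifier | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Direction = $_.Direction        # Inbound, Outbound or BiDirectional
            DomainSid = (ConvertTo-Sid $_.securityIdentifier).Value
        }
    }
}

function Get-UnresolvedAces {
    param([Parameter(Mandatory)][string]$Path)
    $trusts = @(Get-TrustDomainSids)
    # Domain SID of the domain the current (domain) logon belongs to
    $localDomainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference
        # Get-Acl already tried the LSA name lookup; an ACE still holding a SecurityIdentifier
        # is exactly the 'SID where the group name should be' symptom
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }

        $domainSid = if ($id.AccountDomainSid) { $id.AccountDomainSid.Value } else { $null }
        $trust = $trusts | Where-Object { $_.DomainSid -eq $domainSid } | Select-Object -First 1

        $verdict = if (-not $domainSid) {
            'well-known SID failed to resolve: LSA problem on this host'
        } elseif ($domainSid -eq $localDomainSid) {
            'local domain: principal was deleted, stale ACE'
        } elseif ($trust) {
            "trusted domain $($trust.Name) ($($trust.Direction)): lookup over the trust failed " +
            "or the principal was deleted there; check with nltest /sc_query:$($trust.Name) on a DC"
        } else {
            'no trust covers this domain SID: stale ACE from a domain that is no longer trusted'
        }

        [pscustomobject]@{
            Sid       = $id.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Verdict   = $verdict
        }
    }
}

# Usage, on the Domain 2 server that hosts the share (placeholder path):
# Get-UnresolvedAces -Path 'D:\Shares\Data' | Format-Table -AutoSize
```

An ACE that lands in the "trusted domain" case while a DC of Domain 2 resolves the same group fine matches the member-server symptom in this thread: the ACL is intact and the lookup path from the member server to Domain 1 is what is failing.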
  15. Guest

    The only error I get is when I try to login from the Domain2 server using
    Domain1\user ID, I get an error "the domain cannot be contacted or does not
    exist" (Event ID 1219).
     
    Guest, Apr 17, 2009
    #15
  16. This sounds like a trust issue.

    Want to try something different? Delete the trusts currently in place. Make
    sure there is a conditional forwarder from D1's to D2 DNS for the D2 zone,
    and vice versa. Then create a Forest trust. I'm willing to bet this will
    work.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 18, 2009
    #16
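Ace's DNS prerequisite for the new trust, a conditional forwarder on each side for the other domain's zone, as an added PowerShell example that is not from the thread. The DnsServer cmdlets assume a Windows Server 2012 or later DNS role, so on the 2000/2003 servers in this thread the same forwarder would be created in the DNS console instead; zone names and DC addresses are placeholders. The check at the end asks for the remote domain's DC locator records, which is what trust creation and trusted-domain logons actually need, rather than just a host name.

```powershell
# Added example, not from the thread: conditional forwarder for the other domain plus a
# check that its DCs can be located through it. Zone names and addresses are placeholders.

function Add-TrustForwarder {
    param(
        [Parameter(Mandatory)][string]$RemoteZone,     # e.g. domain2.local
        [Parameter(Mandatory)][string[]]$RemoteDns     # DNS servers of that domain, e.g. 10.2.0.10
    )
    if (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue) {
        Write-Host "A zone or forwarder for $RemoteZone already exists on this server"
    } else {
        # -ReplicationScope Forest stores the forwarder in AD so every DNS-enabled DC
        # in this forest gets it, not just the server it was created on
        Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns -ReplicationScope Forest
    }

    # A trust needs the remote domain's DC locator SRV records, not just A records
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteZone" -Type SRV -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port, Priority

    # And the Netlogon view of the same thing: can this host find a DC of the remote domain?
    nltest /dsgetdc:$RemoteZone /force
}

# On a DNS server in Domain 1:
# Add-TrustForwarder -RemoteZone 'domain2.local' -RemoteDns '10.2.0.10'
# and the mirror image on a DNS server in Domain 2 for domain1.local.
```

If `nltest /dsgetdc:` fails while the SRV query succeeds, the forwarder is fine and the problem is between the client and the listed DCs (ports, firewall, or the VPN Ace asks about in post #19).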
  17. Hello Ace Fekay [Microsoft Certified Trainer],

    Small remark: forest trusts only work between 2003 domains. In none of the
    postings did I read the OS version, only the functional level, which can be
    2000 or 2003 domains.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 18, 2009
    #17
  18. Yea, you're right. I assumed they were Win 2003 in Windows 2000 mode. The
    poster did say they were in Win 2000 mode, but it wasn't clear on the
    operating system version.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 18, 2009
    #18
  19. To add, maybe Nick can give us a step by step on how he created the trust on
    both sides, what he is using for trust communication support, such as
    LMHOSTS files and how he set up the LMHOSTS files, or if using WINS, (since
    DNS does not support the type of trust he is implying), and what operating
    system versions are in use, if there is a firewall and/or VPN between the
    two domains, etc. This may help clear up the basics so we can review if
    there are any issues that need to be addressed at this level.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 18, 2009
    #19