2003 Inter-Domain access



#1
sherborne

I haven't been able to find a report about this in the forum so far.

We have two domains in a school, Admin and Curriculum, in Windows Server 2003. We are trying to set it up such that users in Admin can access Curriculum but not vice-versa. They are both tree roots in the same forest, so there are tree-root trusts between them, which seem OK.

Active Directory seems to be working in both. If a workstation is a member of one domain (e.g. Admin, i.e. via computer name properties in Windows XP), it can log on to either domain. However, the user can only access resources (e.g. see computers) in the domain in which they are a member. Presumably there is something else required to grant access to computers that are members of the other trusted domain. I have tried giving file and share permissions to users in the other domain.

Each domain controller runs DNS for its own domain, and has both itself and the other DC in the DNS list, while workstations that should access both domains have both DNS servers in the DNS list.

I can grant permissions to users on the other domain in Active Directory OK.

Thanks in advance
#2
gerryf

Is there any particular reason you set up two domains? Why not one domain with multiple organizational units... it seems you've overcomplicated things... just asking while the problem runs around in my head for a while...

#3
sherborne

Yes, I did think about additional OUs, but from reading up in textbooks and asking around, there seems to be more separation and security via separate domains that have trusts. As we're migrating the second domain from an existing NT domain, I guess we could change it (or start again, as we haven't done a great deal with it as yet, and it's not live yet), and make the second DC a member DC of the first domain and use OUs for the security side. If this is a strong recommendation we'll go down that route.

One other piece of info - the separate areas have different IP address ranges, and the first domain controller has an address from both ranges. Workstations with dual access would have IP addresses from both ranges.

#4
gerryf

Meant to get back to this yesterday... didn't right away, and now it took me 15 minutes to find this (man, there are a lot of people with computer needs here).

Been thinking about the best way to do this and was at first wasting my time with some group policy ideas, since I probably would have gone the OU route. Then I re-read your original post... given the current setup, is there any reason why you just don't set up a one-way trust?

In Windows 2003 Server, trusts are by default transitive two-way trusts... pre-Windows 2003, that was not the case.

I don't have a Windows 2003 network I can fiddle with, but the Active Directory Domains and Trusts management console will allow you to view the trusts. I can't recall if it will allow you to change the trust... seems to me it does not.

But you can create a new one-way trust, then delete the old two-way trust.