Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

2003 Inter-Domain access


  • Please log in to reply

#1
sherborne

sherborne

    New Member

  • Member
  • Pip
  • 2 posts
I haven't been able to find a report about this in the forum so far.

We have two domains in a school, Admin and Curriculum, in Windows Server 2003. We are trying to set it up such that users in Admin can access Curriculum but not vice-versa. They are both tree roots in the same forest, so there are tree-root trusts between them, which seem OK.

Active Directory seems to be working in both. If a workstation is a member of one domain (e.g Admin, i.e. via computer name properties in Windows XP), it can log on to either domain. However, the user can only access resources (e.g. see computers) in the domain in which they are a member. Presumably there is something else required to grant access to computers that are members of the other trusted domain. I have tried giving file and share permissions to users in the other domain.

Each domain controller runs DNS for its own domain, and have both themselves and the other DC in the DNS list, while workstations that should access both domains have both DNS servers in the DNS list.

I can grant permissions to users on the other domain in Active Directory OK.

Thanks in advance
  • 0

Advertisements


#2
gerryf

gerryf

    Retired Staff

  • Retired Staff
  • 11,365 posts
Is there any particular reason you set up two domains? Why not one domain with multiple organizational units....it seems you've over complicated things...just asking while the problem runs around in my head for a while....
  • 0

#3
sherborne

sherborne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Yes I did think about additional OU's , but reading textbooks up and asking around there seems to be more separation and security via separate domains that have trusts. As we're migrating the second domain from an existing NT domain, I guess we could change it (or start again, as we haven't done a great deal with it as yet, and it's not live yet), and make the second DC a member DC of the first domain and use OUs for the security side. If this is a strong recommendation we'll go down that route.

One other piece of info - the separate areas have different IP address rnages, and the first domain controller has an address from both ranges. Workstations with dual access would have IP addresses from both ranges.
  • 0

#4
gerryf

gerryf

    Retired Staff

  • Retired Staff
  • 11,365 posts
Meant to get back to this yesterday....didn't right away now took me 15 minutes to find this (man, there are a lot of people with computer needs here).

Been thinking about the best way to do this and was at first wasting my time with some group policy ideas since I probably would have gone the OU route, then I re-read your original post...given the current setup, is there any reason why you just don't set up a one way trust?

In windows 2003 server, trusts are by default transitive two way trusts....pre-windows 2003, that was not the case.

I don't have windows 2003 network I can fiddle with, but Active Directory Domains and Trusts management console will allow you to view the trusts. I can't recall if it will allow you to change the trust...seems to me it does not.

But you can create a new one-way trust, then delete the old two-way trust.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP