Domain admins across a forest trust

benutne

I've got two domains in separate forests. I've created a two way transitive trust between the forests. Everything appears to be working in relation to the trust. What I'm having issues with is getting my account from Domain A into the Domain Admin (or even better, the Enterprise Admin) global group (universal in the case of Enterprise Admins) of Domain B. The only thing I can add, well, anything from Domain A to in B is a Domain Local group. Which doesn't do me much good. Can anyone show me a clever trick to getting users from one domain/forest into a Global or Universal group from another domain/forest across a forest to forest trust?
 
EDITED: I don't know what I'm talking about yet.. Re-reading about groups in my 70-290 book..
 
What functional level is your domain at?

EDIT: Quoting my 70-290 book in reference to global groups:

- Can be granted permission in any domain (including trusted domains in other forests and pre-Windows 2003 domains)

- Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)

That's for global groups. Here's a quick quote on Universal groups:

In Windows 2000 native or Windows Server 2003 domain functional level, universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists.

EDIT 2: That might be the issue that I'm actually having with mine (similar situation, two domains, separate forests, two way trust). If I remember tomorrow, I'll check it out and see what my functional levels are and if I can get it to cooperate. I think they should be Windows Server 2003 now..
 
Double check to make sure that you're adding the user to the root domain of forest B as an Enterprise Admin.
 
> Double check to make sure that you're adding the user to the root domain of forest B as an Enterprise Admin.

There are no sub-domains. Two forests, one domain each. Nothing fancy. This seems to be a common AD design problem, but it's been 7 years since my classes, and even then they were Win 2K, not Win 2K3.
 
iirc global groups are only for their particular domain, but universal groups should have membership and resource access privileges to other domains. Enterprise admins should be a universal group and should work for you in this regard.

Perhaps try some group nesting trickery?

What kind of error message is it giving you? From the sounds of it, it should work just fine if everything is set up right.

Edit: Maybe I'm misunderstanding the question, I was not aware that you could necessarily add users from another forest to a group. I was under the impression you could use those groups to assign permission to resources in other forests and authenticate across the forests, however.
 
Well, thing is, it's not working. When I go to ADUC on the second domain, I try to add my user account into the Enterprise Admins. I don't even show up. Even when I type in the whole name such as [email protected]l. And yes, I do have the "Entire Directory" selected. I know the trust works because when I log into my workstation, I get both domains as a possibility to log into.
 
I think that if you add your user account to a domain local group, then add that local group to the enterprise admin group, it would work
 
> I think that if you add your user account to a domain local group, then add that local group to the enterprise admin group, it would work

That is correct. Don't add users to the "Member" tab. Add the group to the "Member Of" tab.
 
> I think that if you add your user account to a domain local group, then add that local group to the enterprise admin group, it would work

Domain local groups cannot be added to universal groups. Try it yourself. The nesting order goes (-> meaning "goes into") Users->Global Groups->Universal Groups->Domain Local Groups.
 
Edit:

Before I suggest anything, you aren't able to add groups to the Universal and Global groups, right?

Second edit: Also, what about the built in groups?
 
Nope. The only place I can put something from another forest into is a Domain Local group. Created one and put the global group Domain Admins, of which I'm a member, into it. The Domain Local group is the highest of the totem pole. It cannot be "put into" anything else. And since the Domain Admins and Enterprise Admins are Global and Universal groups respectively, I cannot put a Domain Local group into them.
 
Edit:

> Before I suggest anything, you aren't able to add groups to the Universal and Global groups, right?

Only ones that are local to the domain/forest. In site A, I can put anything into anything (restriction on Domain Local groups aside) from site A. The second I move over to site B, the only place I can put objects, any object, from site A is into a Domain Local group.
 
I can add to built in groups, but those don't get me anywhere. They are all Domain Local groups. But there are no rights assigned directly to them. Only the Domain Admins and Enterprise Admins (Global and Universal)
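The nesting order quoted above (Users -> Global -> Universal -> Domain Local) and the observation that a foreign-forest principal only ever lands in a Domain Local group can be written down as a small rule checker. This is an added example, not code from anyone in the thread; it assumes both domains are at Windows 2000 native or Windows Server 2003 functional level, and the domain names, the user "alice" and the group "ForestA-Admins" are constructed placeholders.

```python
"""Model of AD group-scope nesting rules across a forest trust (added example)."""
from __future__ import annotations
from dataclasses import dataclass

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain_local"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL
    domain: str    # DNS name of the principal's own domain
    forest: str    # DNS name of the forest root domain


def can_be_member(member: Principal, group: Principal) -> tuple[bool, str]:
    """Return (allowed, reason) for adding `member` to `group`.
    Rules assume Windows 2000 native / Windows Server 2003 functional level."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if group.kind == GLOBAL:
        if member.kind in (USER, GLOBAL) and same_domain:
            return True, "global groups take users and global groups from their own domain"
        return False, "global groups only take members from their own domain"
    if group.kind == UNIVERSAL:
        if member.kind == DOMAIN_LOCAL:
            return False, "domain local groups cannot be nested in universal groups"
        if same_forest:
            return True, "universal groups take users/global/universal groups from the same forest"
        return False, "universal groups only take members from their own forest"
    if group.kind == DOMAIN_LOCAL:
        if member.kind == DOMAIN_LOCAL:
            return same_domain, "domain local groups only nest domain local groups of the same domain"
        return True, "domain local groups take principals from any trusted domain or forest"
    return False, f"unknown group scope {group.kind!r}"


# Constructed scenario mirroring the thread: user lives in forest A, privileged groups in forest B.
alice = Principal("alice", USER, "a.example", "a.example")
domain_admins_b = Principal("Domain Admins", GLOBAL, "b.example", "b.example")
enterprise_admins_b = Principal("Enterprise Admins", UNIVERSAL, "b.example", "b.example")
bridge_b = Principal("ForestA-Admins", DOMAIN_LOCAL, "b.example", "b.example")


def thread_scenario() -> dict[str, bool]:
    """Each attempt from the thread, with whether AD would allow it."""
    return {
        "alice(A) -> Domain Admins(B)": can_be_member(alice, domain_admins_b)[0],
        "alice(A) -> Enterprise Admins(B)": can_be_member(alice, enterprise_admins_b)[0],
        "alice(A) -> ForestA-Admins(B, domain local)": can_be_member(alice, bridge_b)[0],
        "ForestA-Admins(B) -> Enterprise Admins(B)": can_be_member(bridge_b, enterprise_admins_b)[0],
    }


if __name__ == "__main__":
    for step, ok in thread_scenario().items():
        print(f"{step}: {'allowed' if ok else 'blocked'}")
```

Only the third step succeeds, which is why the thread ends up delegating rights on ACLs to that Domain Local group instead of reaching Domain Admins or Enterprise Admins.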
 
I take it the ultimate goal here to have one user account and be able to have admin powers across both forests?
 
I've done some more reading, I don't think it's possible. The only way it looks like it's possible is if it's the same forest, not just a trust.
 
I'm slowly coming to the same conclusion. I can do a lot of what I want with the delegation wizard and putting myself on the ACLs of the resources I want to access. Just not quite everything I want.
 
Same here. Although, I found it easier for me to just create my own account in the other domain (or use the Administrator account) rather than going through all that.

One of these days I'll at least get them all in the same forest, although I'd love to get 'em on the same tree. That's a ways away yet though.
 