Domain admins across a forest trust

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
I've got two domains in separate forests. I've created a two-way transitive trust between the forests. Everything appears to be working in relation to the trust. What I'm having issues with is getting my account from Domain A into the Domain Admins (or even better, the Enterprise Admins) global group (universal in the case of Enterprise Admins) of Domain B. The only thing I can add anything from Domain A to in Domain B is a Domain Local group, which doesn't do me much good. Can anyone show me a clever trick for getting users from one domain/forest into a Global or Universal group in another domain/forest across a forest-to-forest trust?
 

blackedge

Gawd
Joined
Apr 11, 2002
Messages
536
EDITED: I don't know what I'm talking about yet.. Re-reading about groups in my 70-290 book..
 

blackedge

Gawd
Joined
Apr 11, 2002
Messages
536
What functional level is your domain at?

EDIT: Quoting my 70-290 book in reference to global groups:

- Can be granted permission in any domain (including trusted domains in other forests and pre-Windows 2003 domains)

- Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)

That's for global groups. Here's a quick quote on Universal groups:

In Windows 2000 native or Windows Server 2003 domain functional level, universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists

EDIT 2: That might be the issue that I'm actually having with mine (similar situation, two domains, separate forests, two way trust). If I remember tomorrow, I'll check it out and see what my functional levels are and if I can get it to cooperate. I think they should be Windows Server 2003 now..
 

Keiichi

[H]ard|Gawd
Joined
Jun 10, 2004
Messages
1,491
Double check to make sure that you're adding the user to the root domain of forest B as an Enterprise Admin.
 

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
Double check to make sure that you're adding the user to the root domain of forest B as an Enterprise Admin.

There are no sub-domains. Two forests, one domain each. Nothing fancy. This seems to be a common AD design problem, but it's been 7 years since my classes, and even then they were Win 2K, not Win 2K3.
 

Volcanon

Limp Gawd
Joined
Mar 27, 2007
Messages
350
iirc global groups are only for their particular domain, but universal groups should have membership and resource access privileges to other domains. Enterprise admins should be a universal group and should work for you in this regard.

Perhaps try some group nesting trickery?

What kind of error message is it giving you? From the sounds of it, it should work just fine if everything is set up right.

Edit: Maybe I'm misunderstanding the question, I was not aware that you could necessarily add users from another forest to a group. I was under the impression you could use those groups to assign permission to resources in other forests and authenticate across the forests, however.
 

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
Well, thing is, it's not working. When I go to ADUC on the second domain, I try to add my user account into the Enterprise Admins. I don't even show up, even when I type in the whole name such as user.name@domain.local. And yes, I do have the "Entire Directory" selected. I know the trust works because when I log into my workstation, I get both domains as a possibility to log into.
 

Volcanon

Limp Gawd
Joined
Mar 27, 2007
Messages
350
I think that if you add your user account to a domain local group, then add that local group to the enterprise admin group, it would work
 

fluke420

Gawd
Joined
Jul 9, 2003
Messages
922
I think that if you add your user account to a domain local group, then add that local group to the enterprise admin group, it would work

That is correct. Don't add users to the "Member" tab. Add the group to the "Member Of" tab.
 

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
I think that if you add your user account to a domain local group, then add that local group to the enterprise admin group, it would work

Domain local groups cannot be added to universal groups. Try it yourself. The nesting order goes (-> meaning "goes into") Users->Global Groups->Universal Groups->Domain Local Groups.
 

Volcanon

Limp Gawd
Joined
Mar 27, 2007
Messages
350
Edit:

Before I suggest anything, you aren't able to add groups to the Universal and Global groups, right?

Second edit: Also, what about the built in groups?
 

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
Nope. The only place I can put something from another forest into is a Domain Local group. Created one and put the global group Domain Admins, of which I'm a member, into it. The Domain Local group is the highest on the totem pole. It cannot be "put into" anything else. And since the Domain Admins and Enterprise Admins are Global and Universal groups respectively, I cannot put a Domain Local group into them.
 
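To make the nesting rules discussed in the last few posts concrete, here is a small Python model of AD group-scope membership, added as an illustration (it is not code from the thread or from Microsoft). It assumes Windows 2000 native / Windows Server 2003 functional level, and the domain and forest names are constructed.

```python
"""Model of Active Directory group-scope membership rules (added example).
Encodes the nesting order Users -> Global -> Universal -> Domain Local and
checks whether a principal from one forest may be a direct member of a
group in another. Domain/forest names below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    forest: str
    # None for a user account; "global", "universal" or "domain_local" for groups
    scope: Optional[str] = None


def can_add(member: Principal, group: Principal) -> bool:
    """Return True if AD would accept `member` as a direct member of `group`."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if group.scope == "global":
        # Global groups only take users and global groups from their own domain.
        return same_domain and member.scope in (None, "global")
    if group.scope == "universal":
        # Universal groups take users, global and universal groups from any
        # domain in the SAME forest; a trusted forest does not qualify.
        return same_forest and member.scope in (None, "global", "universal")
    if group.scope == "domain_local":
        # Domain local groups accept users, global and universal groups from any
        # trusted domain (stored as foreign security principals), and domain
        # local groups only from their own domain.
        if member.scope == "domain_local":
            return same_domain
        return True
    raise ValueError(f"{group.name} is not a group")


def thread_scenario() -> dict:
    """The thread's situation: a Domain A user and the admin groups of Domain B."""
    user_a = Principal("user.name", "domainA.local", "forestA")
    domain_admins_b = Principal("Domain Admins", "domainB.local", "forestB", "global")
    enterprise_admins_b = Principal("Enterprise Admins", "domainB.local", "forestB", "universal")
    bridge_b = Principal("ForestA-Access", "domainB.local", "forestB", "domain_local")
    return {
        "user A -> Domain Admins B": can_add(user_a, domain_admins_b),
        "user A -> Enterprise Admins B": can_add(user_a, enterprise_admins_b),
        "user A -> domain local group in B": can_add(user_a, bridge_b),
        "domain local B -> Enterprise Admins B": can_add(bridge_b, enterprise_admins_b),
    }
```

The only True result is the domain local group, which is why the later posts end up at delegation and resource ACLs on the Domain B side rather than membership in its built-in admin groups.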

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
Edit:

Before I suggest anything, you aren't able to add groups to the Universal and Global groups, right?

Only ones that are local to the domain/forest. In site A, I can put anything into anything (restriction on Domain Local groups aside) from site A. The second I move over to site B, the only place I can put objects, any object, from site A is into a Domain Local group.
 

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
I can add to built in groups, but those don't get me anywhere. They are all Domain Local groups. But there are no rights assigned directly to them. Only the Domain Admins and Enterprise Admins (Global and Universal)
 

Volcanon

Limp Gawd
Joined
Mar 27, 2007
Messages
350
I take it the ultimate goal here is to have one user account and be able to have admin powers across both forests?
 

blackedge

Gawd
Joined
Apr 11, 2002
Messages
536
I've done some more reading, and I don't think it's possible. The only way it looks like it's possible is if it's the same forest, not just a trust.
 

benutne

[H]ard|Gawd
Joined
Apr 15, 2001
Messages
1,492
I'm slowly coming to the same conclusion. I can do a lot of what I want with the delegation wizard and putting myself on the ACLs of the resources I want to access. Just not quite everything I want.
 

blackedge

Gawd
Joined
Apr 11, 2002
Messages
536
Same here. Although, I found it easier for me to just create my own account in the other domain (or use the Administrator account) rather than going through all that.

One of these days I'll at least get them all in the same forest, although I'd love to get 'em on the same tree. That's a ways away yet though.
 