Re: Cross-Domain question (Parent - Child)
- From: jinjkim <jinjkim@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Nov 2006 15:41:02 -0800
Thanks, Herb.
I think I have simplified the scenario too much. In fact, this is a real
customer (Financial Institute) case where they have multiple branches. Each
branch has its own domain. Since each branch is in different site, I agree
that each site has to have a GC. For Windows 2000 server environment, my
current program, that is performing the operations as I briefly described in
my original email, works fine.
I just tested the same thing with Windows 2003 server environment, and found
out, even though I enabled GC for a child domain, the two issues that I
raised in my original email are not resolved. I think I may need to set some
access rights or something for Windows 2003. Do you know what I am missing?
Regards,
jinjkim
"Herb Martin" wrote:
"jinjkim" <jinjkim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:246B102A-05FF-4484-A193-968F0D580FA3@xxxxxxxxxxxxxxxx
Hello,
I am by no means an expert on ADS. Can anybody help me to answer this
parent-child domain question?
A simplified scenario is:
DomainA: Windows2000 Parent Domain in native mode. This is a global catalog server.
DomainB: Windows2000 Child Domain in native mode.
UserB: User object defined in DomainB.
If you only have 2 DCs, or even a few, then why not just
make EVERY DC into a GC? Presumably the number of
users and computers is reasonably small.
[Also what about DNS?]
RoleA: Universal group object defined in DomainA.
Using the ADS Users and Computers admin screen, I made UserB a member of
RoleA.
ISSUE 1: The RoleA property in the ADS Users and Computers admin screen for
DomainA shows UserB as a member. But, UserB's property screen in the ADS Users
and Computers admin screen for DomainB does not show RoleA as "MemberOf".
ISSUE 2: Created a C++ program that connects to UserB with ADsOpenObject()
passing "LDAP://DomainB/CN=UserB,DC=DomainB,DC=DomainA,DC=com", and attempts
to get the "memberOf" property through the GetEx() interface. There was no
"MemberOf" returned for UserB.
Now, I enabled global catalog for DomainB server. After this change, both
ISSUE1 and ISSUE2 are resolved. I can now view RoleA of which UserB is a
member from DomainB.
QUESTION1: According to ADS documentation, in native mode, DomainA and
DomainB get the transitive two way trust.
This has nothing to do with "native mode" (nor any other
mode -- the automatic 2-way transitive trusts is due to
joining the same Forest (technically due to being a child
of an existing domain or tree top since the transitive takes
care of the rest of the forest.)
Also, the universal group should be
visible from any domain in a forest. So, why do I need to enable the global
catalog for DomainB to make RoleA visible from DomainB?
Every client must have access to a GC, no matter what
domain that client (or the GC) lives within.
Global Catalog servers are required on a PER SITE basis
(within each forest) and are really not related to "domains"
except that they must run on SOME DC in some domain of
that forest.
GCs can be enabled on EVERY DC if your multi-domain
forest is reasonably small. (And for all single domain
forests too.)
QUESTION2: Without enabling the global catalog for DomainB, is there any way
I can view RoleB as a MemberOf property for UserB programmatically?
You really need to get your GCs "right" without thinking
of this on a "per domain" basis, instead of trying to do
without necessary GCs.
According
to some document, during the Microsoft Login process, the Local Security
Authority constructs a security token consisting of every group that the user
is a member of. That is exactly what I need to do.
And the Universal Group lists are maintained on the GCs
(which do not have to be from any particular domain but
which must be available.)
Technically you can use "Universal Group Caching" enabled
on a Win2003 (ONLY) DC but I hesitate to suggest that unless
you have a very large domain/forest and a serious WAN
replication problem.
Fix the GCs.
I like to do it
efficiently, minimizing the possible searches for every group and then each
member in that group.
What is preventing you from adding GCs?
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks in advance.
jinjkim
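The difference the thread turns on (memberOf is a per-DC back-link built from whichever "member" values that DC holds, while the logon token is built from the transitive group SIDs) can be checked directly. Below is an added PowerShell example, not code from the thread or from either poster; it assumes the thread's names (UserB in DomainB, a GC reachable under the host name DomainA) and the .NET System.DirectoryServices API rather than the C++ ADSI calls the original program used.

```powershell
# Added example (not from the thread). Assumed: a DC of DomainB answers as 'DomainB',
# some GC in the forest answers as 'DomainA', and UserB has the DN used in the thread.
# Compares three views of UserB's group membership:
#   1. memberOf read from a DomainB DC: back-links from the 'member' values that DC holds,
#      so universal groups defined in DomainA are missing unless the DC is also a GC.
#   2. memberOf read from a GC (port 3268): includes universal groups forest-wide, because
#      the 'member' attribute of universal groups is part of the GC partial replica.
#   3. tokenGroups: constructed attribute holding the transitive group SIDs, the same set
#      the LSA places in the logon token (the DC needs a reachable GC to include
#      universal groups from other domains, which is Herb's point).
Add-Type -AssemblyName System.DirectoryServices

$userDn   = 'CN=UserB,DC=DomainB,DC=DomainA,DC=com'   # from the thread's scenario
$domainDc = 'DomainB'                                  # assumed DomainB DC host name
$gcHost   = 'DomainA'                                  # assumed host of any GC in the forest

function Get-MemberOf {
    param([string]$AdsPath)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($AdsPath)
    $entry.RefreshCache(@('memberOf'))
    @($entry.Properties['memberOf'] | ForEach-Object { [string]$_ })
}

function Get-TokenGroups {
    param([string]$AdsPath)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($AdsPath)
    $entry.RefreshCache(@('tokenGroups'))   # constructed: only returned by a base-object read
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. no GC reachable): keep the raw SID
    }
}

$fromDomainDc = Get-MemberOf   "LDAP://$domainDc/$userDn"
$fromGc       = Get-MemberOf   "GC://$gcHost/$userDn"
$tokenGroups  = @(Get-TokenGroups "LDAP://$domainDc/$userDn")

"memberOf via DomainB DC : $($fromDomainDc.Count)"
"memberOf via GC         : $($fromGc.Count)"
"tokenGroups (transitive): $($tokenGroups.Count)"

# Groups an authorization check based only on memberOf from the DomainB DC would miss:
Compare-Object -ReferenceObject $fromGc -DifferenceObject $fromDomainDc |
    Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
```

For an authorization decision, tokenGroups (or the token itself) is the set to trust; memberOf read from a single DC only reflects the replicas that DC holds.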