Re: issue with Child and Parent Domains
- From: "Altria" <urbantec92@xxxxxxx>
- Date: Mon, 18 Apr 2005 10:52:23 -0400
Hello Paul.
Thanks for the Response,
Yes I am having some difficulty understanding this issue. So basically you
are telling me that objects are not replicated from parent to child, just
connections and domain membership info? Should the child be GC also? This
is within the same forest.
Also, I am not sure I am being clear about the resources of a parent. In
this scenario, the lab wants users, who are part of the AD of parent domain
to log on (as the sole purpose of the child domain) through the child domain,
but essentially authentication should occur on the parent because these
users do not exist on the child. Now, I am telling them that I do not think
this is possible without creating the Domain local group (on child domain,
not sure?) and assigning those users from parent to that domain local group.
If this can work, how do objects that are created or modified in parent get
updated into child? Does this have to be done manually, for example if a new
user is created in parent that user must be added to the domain local group of
child every time?
I preferred to have an additional DC and delegate the OU to the groups
(which would have essentially been the Child domain administrator). Is it
possible to give only read permissions of accounts to this group (CD admins)
and allow their client machines to log on to their DC?
TIA,
I really appreciate your help.
Altria
"ptwilliams" <ptw2001@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FD29887C-F61C-40C8-85B5-1EA0C5BB7EBD@xxxxxxxxxxxxxxxx
>> Is this because only Enterprise Admins accounts are capable of this?
>
> No, this is by design. Anyone can logon to the parent domain if they have
> a valid account in that domain. You cannot logon to a domain in which you
> don't have an account. You can access resources if you have permissions,
> but you must have an account in that domain to logon to it.
>
>
>> Also, Does AD replication occur between PD and CD. If so, under AD user
>> and computer I am not receiving updated objects from PD. Although PD does
>> appear under AD Users and Computers, I am unable to create a group on the
>> CD and add user accts from PD, although some not all accounts are seen.
>> The PD admin insures me that he has delegated control of the OU. What
>> exact permissions should be used. It is obvious that The CD Admin has
>> read rights to the OU objects.
>
> Replication of Schema and Configurations naming contexts replicates
> between DCs in different domains in the SAME forest. The domain partition
> (users, computers, etc.) is specific to DCs in THAT domain and is not
> replicated elsewhere - except in the case of the GC which is a read only
> replica with a partial attribute set.
>
>
>> Moreover, Is the CD capable of authenticating users that are part of the
>> PD?
>
> No, see my first comments. You have misunderstood the concept of trusts,
> and what you can and cannot logon to.
>
>
>> Or does a Domain local group need to be created on the CD, with the user
>> accounts of PD added?
>
> In order for a user object in the child to access resources in the parent
> (or vice-versa) permissions need to be assigned to that resource. This is
> done through a domain local group on the object itself (permissions
> applied to this group) and then users and/or global groups from the other
> domain being members of the other domain's domain local group.
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>