Re: External Trust - unable to assign permissions



Hi Mike,
Domain local groups
Our policy, and I know it is not textbook, is to not use Domain Local
groups. We have been assigning Global Groups to the resources for other
domain trusts and this works. This is our only "External" trust. Technically
it should work to assign the permissions on the resource using a global
group, even though it is not best practice.

DNS - I may have to configure DNS, but we have an issue with this. The
Domain(B) used a domain name that is registered (by someone else) on the
internet.
Is there any reason why the external trust would not work using NetBIOS
(WINS) name resolution, or does an external trust "require DNS"? From what I
have read, it does not, it can use NetBIOS. This will limit security to NTLM
(no Kerberos).

Please comment,
Regards, Wayne


"Miha Pihler [MVP]" wrote:

Hi,

Some of my comments are in-line...

"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:26FB1715-08AE-4397-9298-3B4964C37EC6@xxxxxxxxxxxxxxxx
I have set up a 2-way external trust to a recently acquired domain(B) from
our domain(A). Both domains are Windows 2003 Server and in mixed mode. Domain
Controllers are pointed to a common WINS database.
Issue - I am unable to assign permissions on a share to Global groups or
users between Domain(A) and Domain(B).

Proper and recommended way for doing this would be to create a Domain Local
Group in Domain B and assign this group permissions on resources. Then add
Global group from domain A to Domain Local Group in Domain B.

I have relied on NetBIOS to set up the share as the separate DNS's are not
talking to each other yet.
I can \\Fileserver\sharename from a fileserver in Domain(A) from Domain(B)
but I am unable to assign NTFS permissions on the share on
Domain(A)\\Fileserver\sharename. I get the error (Name not found).
Question: Is NetBIOS sufficient to establish the share permissions for an
external domain?

It looks like you will have to fix some resolution problems. My advice is to
use DNS. Since you are running Windows Server 2003 you can use conditional
forwarding to configure DNS server in domains A and B to point to correct
servers for resolution. Personally I would fix name resolution (DNS) issue
first -- and then work on other issues that might remain.

Let me know if you need more help with this.

--
Mike
Microsoft MVP - Windows Security
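
The conditional forwarding recommended in the reply above, followed by the name-resolution and trust checks to run before retrying the permission assignment, as an added example that is not part of the original thread. The zone names and IP addresses are constructed placeholders, and the script assumes the Windows Server 2003 Support Tools are installed on the machine it runs from.

```bat
@echo off
rem Added example. Every name and address below is a constructed placeholder.
rem dnscmd, nltest and netdom come from the Windows Server 2003 Support Tools.
set ZONE_A=domaina.example
set ZONE_B=domainb.example
rem A DNS server (normally a domain controller) in each domain
set DNS_A=192.0.2.10
set DNS_B=198.51.100.10

rem Domain A's DNS server: send queries for Domain B's zone to B's DNS server.
dnscmd %DNS_A% /ZoneAdd %ZONE_B% /Forwarder %DNS_B%
if errorlevel 1 goto fail

rem Domain B's DNS server: the same in the other direction.
dnscmd %DNS_B% /ZoneAdd %ZONE_A% /Forwarder %DNS_A%
if errorlevel 1 goto fail

rem Each side must now return the other side's domain controller SRV records.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE_B% %DNS_A%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE_A% %DNS_B%

rem Run on a machine in Domain A: locate a DC for Domain B by its DNS name.
nltest /dsgetdc:%ZONE_B%
if errorlevel 1 goto fail

rem Verify the trust (Domain A trusting Domain B).
netdom trust %ZONE_A% /domain:%ZONE_B% /verify
if errorlevel 1 goto fail

echo Name resolution and trust checks passed.
goto :eof

:fail
echo A step failed; fix it before retrying the permission assignment.
exit /b 1
```

While the forwarder for Domain B's zone exists, clients of Domain A's DNS servers resolve that name through Domain B's internal DNS server rather than through the internet registrant's servers.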


