Cross Domain Authentication

Tutorials Win: Microsoft Windows Forum

I am currently trying to fix an issue with my companies AD structure.
I have had this issue but I cannot find my answer on the internet yet
so I will post here with hope that the community can help me out.

Currently I have AD structure similar to the drawing below.

<rootdomain.int>
|
|
<domain.int>

rootdomain.int has only a few DC's and 4 real users, just a empty root
domain
domain.int is where all the servers, groups, users and etc are.

When on a member server from the "domain.int" domain I cannot access
the rootdomain.int domain. I get access denied no matter what I do. I
know the user accounts I am using (from both domains) have access as I
can login to the DC's at the rootdomain.int with them. Plus they are
Domain Administrators or something comparable.

Anyone have any ideas? I seem to remember something about
authentication and a GPO but I cannot put my finger on it yet.

Peter
Top

Re: Cross Domain Authentication by Ace

Ace
Tue Aug 12 21:00:20 PDT 2008


"PeterCS" <pcsukus@gmail.com> wrote in message
news:d7991c83-4117-45a9-8dda-65311eebb24f@2g2000hsn.googlegroups.com...
>I am currently trying to fix an issue with my companies AD structure.
> I have had this issue but I cannot find my answer on the internet yet
> so I will post here with hope that the community can help me out.
>
> Currently I have AD structure similar to the drawing below.
>
> <rootdomain.int>
> |
> |
> <domain.int>
>
> rootdomain.int has only a few DC's and 4 real users, just a empty root
> domain
> domain.int is where all the servers, groups, users and etc are.
>
> When on a member server from the "domain.int" domain I cannot access
> the rootdomain.int domain. I get access denied no matter what I do. I
> know the user accounts I am using (from both domains) have access as I
> can login to the DC's at the rootdomain.int with them. Plus they are
> Domain Administrators or something comparable.
>
> Anyone have any ideas? I seem to remember something about
> authentication and a GPO but I cannot put my finger on it yet.
>
> Peter

Is domain.int a child domain? If so, it should be in the form of
domain.rootdomain.int.

If not a child, is it another tree in the forest?

If a true parent-child, this issue maybe a DNS resolution issue. How is DNS
setup? Is it a delegation? Can you post an unedited "ipconfig /all" from a
DC in rootdomain.int and from domain.int please? This is important to help
us to understand your infrastructure, name resolution, and DNS setup to
better assist you.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations



Top

Re: Cross Domain Authentication by Meinolf

Meinolf
Wed Aug 13 01:30:49 PDT 2008

Hello PeterCS,

Does rootdomain.int and domain.int are different forests? Or is domain.int
originally domain.rootdomain.int? Did you create a trust between them? How
is DNS setup?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I am currently trying to fix an issue with my companies AD structure.
> I have had this issue but I cannot find my answer on the internet yet
> so I will post here with hope that the community can help me out.
>
> Currently I have AD structure similar to the drawing below.
>
> <rootdomain.int>
> |
> |
> <domain.int>
> rootdomain.int has only a few DC's and 4 real users, just a empty root
> domain
> domain.int is where all the servers, groups, users and etc are.
> When on a member server from the "domain.int" domain I cannot access
> the rootdomain.int domain. I get access denied no matter what I do. I
> know the user accounts I am using (from both domains) have access as I
> can login to the DC's at the rootdomain.int with them. Plus they are
> Domain Administrators or something comparable.
>
> Anyone have any ideas? I seem to remember something about
> authentication and a GPO but I cannot put my finger on it yet.
>
> Peter
>


Top

Re: Cross Domain Authentication by PeterCS

PeterCS
Wed Aug 13 18:51:34 PDT 2008

On Aug 12, 11:00=A0pm, "Ace Fekay [MVP Direcrtory Services]"
<firstnamelastn...@hotmail.com> wrote:
> "PeterCS" <pcsu...@gmail.com> wrote in message
>
> news:d7991c83-4117-45a9-8dda-65311eebb24f@2g2000hsn.googlegroups.com...
>
>
>
> >I am currently trying to fix an issue with my companies AD structure.
> > I have had this issue but I cannot find my answer on the internet yet
> > so I will post here with hope that the community can help me out.
>
> > Currently I have AD structure similar to the drawing below.
>
> > <rootdomain.int>
> > =A0 =A0 =A0 =A0 =A0 |
> > =A0 =A0 =A0 =A0 =A0 |
> > =A0<domain.int>
>
> > rootdomain.int has only a few DC's and 4 real users, just a empty root
> > domain
> > domain.int is where all the servers, groups, users and etc are.
>
> > When on a member server from the "domain.int" domain I cannot access
> > the rootdomain.int domain. I get access denied no matter what I do. I
> > know the user accounts I am using (from both domains) have access as I
> > can login to the DC's at the rootdomain.int with them. Plus they are
> > Domain Administrators or something comparable.
>
> > Anyone have any ideas? I seem to remember something about
> > authentication and a GPO but I cannot put my finger on it yet.
>
> > Peter
>
> Is domain.int a child domain? If so, it should be in the form of
> domain.rootdomain.int.
>
> If not a child, is it another tree in the forest?
>
> If a true parent-child, this issue maybe a DNS resolution issue. How is D=
NS
> setup? Is it a delegation? Can you post an unedited "ipconfig /all" from =
a
> DC in rootdomain.int and from domain.int please? This is important to hel=
p
> us to understand your infrastructure, name resolution, and DNS setup to
> better assist you.
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> checkhttp://support.microsoft.comfor regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations

No they are in the same forest as a child / parent. As a side note I
did figure it out. It looks like it was a group policy applying to the
server / OU. After I changed OU's I had no more issues.
Top

Re: Cross Domain Authentication by Ace

Ace
Wed Aug 13 19:43:07 PDT 2008


"PeterCS" <pcsukus@gmail.com> wrote in message
news:a21d4061-580e-499c-98c2-f36e2195a202@z72g2000hsb.googlegroups.com...
On Aug 12, 11:00 pm, "Ace Fekay [MVP Direcrtory Services]"

No they are in the same forest as a child / parent. As a side note I
did figure it out. It looks like it was a group policy applying to the
server / OU. After I changed OU's I had no more issues.

Ok, great! Glad you figured it out!

Cheers!

Ace

Top