Recently I had to set up a one-way external trust between two separate domains (not in the same forest).
To start with I had to establish DNS name resolution between the two environments. You can do this either with conditional forwarders or with secondary zones; in my case I decided secondary zones were the way to go. Each domain's DNS servers must be able to resolve the other domain's SRV records (the _ldap and _kerberos entries under _msdcs) before the trust wizard will succeed. With resolution in place I could then set up the outgoing trust in the resource domain and the incoming trust in the account domain.
Then I wanted to allow a user in the external trusted domain to be a domain admin, and soon ran into a problem. There are a raft of rules about which security principals can be members of which groups. In summary: Domain Admins is a global security group, and a global group can only contain users and global groups from its own domain, so a foreign security principal from a trusted domain cannot be added to it. Nesting does not help either, because neither a universal group nor a domain local group can be a member of a global group, and across an external (non-forest) trust only users and global groups of the trusted domain can be referenced, and only as members of domain local groups.
I was banging my head against a wall when I discovered the article below, which proposes an elegant solution using domain local groups and Group Policy. In essence the remote users are added to a domain local group in the resource domain, and a GPO (Restricted Groups) then adds that group to the built-in Administrators group of the machines the policy applies to. Bear in mind what this grants: a user who is administrator on the domain controllers is effectively a domain admin, so the trusted domain's security, and that account's, becomes the ceiling for your own.
The full article is here.
http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login
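The procedure above, end to end, as an added PowerShell example. This is not code from the original post or from the linked article; the domain names (res.example.local as the trusting resource domain, acct.example.local as the trusted account domain), server addresses, group name and account names are assumed for illustration, and the DNS, netdom and ActiveDirectory cmdlets are the standard Windows ones.

```powershell
# Assumed environment (constructed for this example):
#   res.example.local  - resource domain, will TRUST acct.example.local (outgoing trust)
#   acct.example.local - account domain, will be TRUSTED (incoming trust)
#   10.0.2.10          - a DNS server / DC in acct.example.local
# Run on a domain controller of res.example.local as a Domain Admin of that domain.

Import-Module DnsServer
Import-Module ActiveDirectory

$ResDomain  = 'res.example.local'
$AcctDomain = 'acct.example.local'
$AcctDns    = '10.0.2.10'

# 1. Name resolution. Either a secondary zone (what the post used) ...
Add-DnsServerSecondaryZone -Name $AcctDomain -ZoneFile "$AcctDomain.dns" -MasterServers $AcctDns
# ... or a conditional forwarder; pick one, not both.
# Add-DnsServerConditionalForwarderZone -Name $AcctDomain -MasterServers $AcctDns

# Check that the trusted domain's DC locator records resolve before creating the trust.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AcctDomain" -Type SRV | Format-Table Name, NameTarget, Port

# 2. One-way external trust: res trusts acct. netdom needs credentials for both sides
#    (userD/passwordD = trusted domain, userO/passwordO = trusting domain).
$acctCred = Get-Credential -Message "Domain Admin in $AcctDomain"
netdom trust $ResDomain /domain:$AcctDomain /add `
    /userD:$($acctCred.UserName) /passwordD:$($acctCred.GetNetworkCredential().Password) `
    /userO:"$ResDomain\Administrator" /passwordO:*

# 3. A domain local group in the resource domain is the only scope that can hold
#    foreign security principals from an external trust.
New-ADGroup -Name 'CrossDomainAdmins' -GroupScope DomainLocal -GroupCategory Security `
    -Path "CN=Users,DC=res,DC=example,DC=local" `
    -Description "Admins from $AcctDomain (one-way external trust)"

# Look the user up in the trusted domain. The trust is one-way, so our account has no
# rights there and explicit credentials are required; the cmdlet stores the member by SID,
# which AD turns into a foreignSecurityPrincipal object automatically.
$remoteUser = Get-ADUser -Identity 'jdoe' -Server $AcctDomain -Credential $acctCred
Add-ADGroupMember -Identity 'CrossDomainAdmins' -Members $remoteUser

# 4. Restricted Groups. There is no cmdlet for this setting; the GPO stores it in
#    GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit. The "__Memberof" form adds
#    the group to Administrators (S-1-5-32-544) without wiping existing members,
#    whereas "<group>__Members" would replace the whole membership. Link the GPO to the
#    Domain Controllers OU for domain-wide admin, or to server OUs for local admin only.
$gpo = New-GPO -Name 'CrossDomainAdmins -> Administrators'
New-GPLink -Name $gpo.DisplayName -Target "OU=Domain Controllers,DC=res,DC=example,DC=local"
$sysvol = "\\$ResDomain\SYSVOL\$ResDomain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit"
New-Item -ItemType Directory -Path $sysvol -Force | Out-Null
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
RES\CrossDomainAdmins__Memberof = *S-1-5-32-544
RES\CrossDomainAdmins__Members =
"@ | Set-Content -Path (Join-Path $sysvol 'GptTmpl.inf') -Encoding Unicode

# Note: the domain's built-in Administrators group is itself domain local, so the nested
# group could also be added directly with Add-ADGroupMember; the GPO route is what the
# post describes and keeps member servers consistent as well.

# 5. Verify the trust direction and that SID filtering (quarantine) is on for the
#    external trust, which blocks SID-history injection from the trusted side.
Get-ADTrust -Filter * | Format-Table Name, Direction, ForestTransitive, SIDFilteringQuarantined
```

Editing GptTmpl.inf by hand is what the Group Policy editor writes for you under Computer Configuration > Windows Settings > Security Settings > Restricted Groups; if you prefer the GUI, create the entry there and compare the resulting file with the here-string above. After linking the GPO, run gpupdate /force on a DC and confirm with net localgroup Administrators that CrossDomainAdmins appears.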
Thank you for putting in the effort to publish this article. You've done a great job! God bless!
Caren
www.gofastek.com