Pass-through Authentication Between Trusted Domains Not Working

SteveO

I have 2 servers:

SERVER1 running Windows 2000 Adv Server
SERVER2 running Windows 2003 Enterprise

and each is a domain controller and supporting their own domain

DOMAIN1
DOMAIN2

respectively.

I also have a successful/verified 2-way trust setup between the 2
domains.

Both Domains have Administrator accounts with the same account name
and password.

How can I get pass-through authentication to work across the domain?

From SERVER2 while logged in under the Administrator account if I try
to access an administrative share on SERVER1 (Like \\SERVER1\C$), I am
prompted to login.

When I do (with the same username and password) I then get access to
the drive.

Same thing happens if I try to access \\SERVER2\C$ from SERVER1.

SERVER1 has no problem pinging SERVER2 and SERVER2 has no problem
pinging SERVER1. There are no network problems.

How can I get it to work?
 
Steven L Umbach

Try adding the administrator account you are using from each domain, or the
domain admins global group, to the built in administrators group of the
other domain in Active Directory Users and Computers to see if that
helps. --- Steve
 
SteveO

I am unable to add a user from DOMAIN1 to the Administrators Group on
DOMAIN2 (or vice versa). The trusted domain does not show up. This is
because it is a global group?

I can add a new domain local group (like Trusted Domain Admins) and
then add the trusted domain's Domain Users to it, but then I can't add
this new local group to the Administrators Group or add this domain
local group to the security lists for any drives (only global groups
and individual users appear).

STEVE
 
SteveO

Steven L Umbach said:
Try adding the administrator account you are using from each domain, or the
domain admins global group, to the built in administrators group of the
other domain in Active Directory Users and Computers to see if that
helps. --- Steve

I'm sorry Steven. I didn't properly read your posting (as short and to
the point as it was) about adding users to the "BuiltIn"
Administrators Group.

This does seem to work to provide access to the machine to which I
have altered the Built-In group.

Now if I want to access shares on other machines that are part of the
domain (there are 8 others), I would have to add the trusted domain's
"Domain Admin" group to the built-in Administrators group on each of
those machines as well.

I can certainly do that...just seems like a pain to manage going
forward.

In terms of accessing disk resources, doesn't seem like the domains
truly trust each other.

Is there any way to add trusted domain users/groups to the GLOBAL
groups on the trusting server which is what I thought you were telling
me originally and would be best for management. I can only add the
trusted domain users to Domain Local groups which you can't add to a
global group or to the disk rights.

STEVE
 
Steven L Umbach

You have a couple of options. If you are using native mode you can create
universal groups and add global groups from any trusted domain to the
universal group and then add universal groups to domain local groups or
local groups on the domain computers. Domain local groups will only work on
domain computers if the domain is in native mode. Global groups can not
contain other global groups unless in native mode and then they can contain
global groups only from the same domain. If you want to add a group from the
trusted domain to the local administrators group on the domain computers in
the trusting domain and are not using native mode you can use Group Policy
"restricted groups" to add the domain admins group from both domains to the
local administrators groups on domain computers under the scope of influence
of the policy. Note that restricted groups will remove current members of
the restricted group if they are not defined as groups/users to be included.
Another way would be to use Group Policy startup script to add the domain
admins group from the trusted domain to the local administrators group with
the net localgroup command. As far as adding permissions to shares, you
should be able to directly add global groups from the trusted domain to
shares in the trusting domain.

Except for trusts between domains in a Windows 2000 or 2003 forest which are
created automatically and are two way and transitive, you have to establish
trusts for both directions if you want two domains to share resources with
each other domain's users. The support tool dcdiag can be run on the pdc
fsmo in each domain to see if there is a problem with the trusts. Often dns
problems can arise and it will help to make sure each domain can resolve dns
names in the other domain assuming these are W2K/W2003 domains. In Windows
2000, you can make your domain controllers have secondary dns zones of the
other trusted domain. The same will work in Windows 2003, though you can
also use stub zone or conditional forwarding to locate the dns servers for
the other domain. --- Steve
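
The startup-script option from the reply above, as an added example that is not part of the original thread: a batch file meant to be assigned as a Group Policy computer startup script on member computers. DOMAIN1 is the trusted domain from the question; the log file path is a constructed placeholder.

```batch
@echo off
rem Added example: Group Policy computer startup script (runs at boot as LocalSystem).
rem DOMAIN1 is the trusted domain named in the thread; LOGFILE is a constructed path.
setlocal
set "TRUSTED_GROUP=DOMAIN1\Domain Admins"
set "LOCAL_GROUP=Administrators"
set "LOGFILE=%SystemRoot%\Temp\add-trusted-admins.log"

rem Skip the change when the group is already a member, so every reboot
rem does not log an "already a member" error from net localgroup.
net localgroup "%LOCAL_GROUP%" | find /i "%TRUSTED_GROUP%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %TRUSTED_GROUP% already in %LOCAL_GROUP% >> "%LOGFILE%"
    goto :eof
)

rem Add the trusted domain's global group to the local group and record the result.
net localgroup "%LOCAL_GROUP%" "%TRUSTED_GROUP%" /add >> "%LOGFILE%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add %TRUSTED_GROUP% to %LOCAL_GROUP% >> "%LOGFILE%"
    exit /b 1
)
echo %DATE% %TIME% added %TRUSTED_GROUP% to %LOCAL_GROUP% >> "%LOGFILE%"
endlocal
```

Unlike the Restricted Groups option, this only adds a member and leaves the existing members of the local group in place.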
 
SteveO

Thanks Steven.

So to make a long story short, pass-through authentication is not
supposed to work across trusted domains? The only way to access
resources on another trusted domain is through group
permissions/membership?

Both my Windows 2000 and 2003 servers are running in MIXED mode (I
guess it was just installed with the default mode setting). Can
switching to NATIVE mode cause any problems? I do not have any
pre-Windows2000 machines. I know that there is no turning back.
 
Steven L Umbach

It should work. You can also use the everyone group to assign permissions to
a share if you want all users in both domains to have access to the share.
Switching to native mode should not cause any problems as long as you have
no NT4.0 BDCs in your domain. You could still use NT4.0 servers and clients,
however, but you don't have that problem anyhow. Native mode will allow the
use of universal groups and the use of domain local groups to assign
permissions to shares on all domain computers. In mixed mode, domain local
groups can only be used to assign permissions to domain controllers. If you
use universal groups, do not add individual users to them but instead add
global groups to them and use them in this fashion. Global groups from any
trusted domain go into universal groups which can then be added to domain
local and local groups on domain computers. The membership of universal
groups is stored on the global catalog servers. Make sure you have at least
a couple global catalog servers because if they are unavailable, users will
not be able to logon to the domain - only their local computers. The built
in administrator account for the domain would still be able to logon to
domain computers. --- Steve
 
