Remote Administration

Dan

I have set up a domain trust between two forests and
worked with delegation, but am stumped. I want to be
able to sit at a workstation in my own domain and manage
computers in another domain. I can browse the remote
domain and fun stuff like that. I can even have access
shares assigned to only the domain admins. I want to
access the objects in computer management on workstations
in the other domain, but I'm getting access denied. MS
KB doesn't seem to have anything on this. I've also
noticed that I can only manage user accounts that I
create after establishing delegation for myself in the
other domain, but properties are greyed out for already
existing accounts. So it seems that 1) even with
complete trust established between forests, complete
administration is not possible, or 2) I'm not smart
enough yet to figure it out. Direction/hints welcomed.

-Dan
 
Herb Martin

Dan said:
I have set up a domain trust between two forests and

Terminology correction: Domain trusts are automatic and ALWAYS
within a single forest.

You have set up EXTERNAL trusts between a pair of domains that are
in separate forests.

Forests do NOT have trusts (until you are in Win2003 Forest functional
level).

worked with delegation, but am stumped. I want to be
able to sit at a workstation in my own domain and manage
computers in another domain.

Add your user Account in "home" domain to the Admin (forest admin
etc) of the domain you wish to manage.

Resource domain ---trusts---> User domain (you are a user)

This is true even if you will manage "other users" because in the sense
of trusts, those being managed are treated as objects (i.e., resources.)

I can browse the remote
domain and fun stuff like that. I can even have access
shares assigned to only the domain admins. I want to
access the objects in computer management on workstations
in the other domain, but I'm getting access denied.

Domain Admins in each domain is added to workstation (and server)
Administrators groups so that is the BEST single place to add a
trusted admin.

MS
KB doesn't seem to have anything on this. I've also
noticed that I can only manage user accounts that I
create after establishing delegation for myself in the
other domain, but properties are greyed out for already
existing accounts. So it seems that 1) even with
complete trust established between forests, complete
administration is not possible, or 2) I'm not smart
enough yet to figure it out. Direction/hints welcomed.

Sure it is. You only need the trust TOWARDS your user account
domain too. The other direction is irrelevant unless there are users
"over there" who must access resources in YOUR domain.
 
Herb Martin

So, the remote forest being Win2k isn't helping then,

No. External trust is pretty much external trust whether the
other domain is Win2000, Win2003, or NT.

Note again: External trusts are NOT between "forests" but only
between a domain in a forest and a DOMAIN from OUTSIDE the
forest. The key word being DOMAIN.

Also, by adding my account to the remote forest admin,
does that imply using the UPN of the home forest? Or

No such implications -- the way you add the accounts is pretty much
irrelevant. Most people use the GUI and just pick from the list.

does something else become available by upgrading the
remote DC to Server 2003 and using Server2003 functional
level?

"Server 2003" gets you NOTHING new in this. Win2003 FOREST functional
level (both forests) gets you Forest trusts. Note this is the FIRST point
at which a Forest can (effectively) trust another entire forest.

In Win2000 there are 3 kinds of trusts: domain (automatic), shortcut (internal
to forest for optimization), and external (domains outside the forest -- NT or
another forest).

In Win2003 Forest functional level you get to add "Forest trusts" to the original
three.

Forest trusts (Win2003 Forest level only) are "semi-transitive" -- you set them up
between root domains but they transitively trust throughout each forest.

"Semi-" because Forest A trusting Forest B and Forest B trusting Forest C provides
NOTHING for A-C.
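
The trust rules discussed in this thread, written out as a small decision model. This is an added example, not code from either poster: the class, function names, and all domain and forest names are constructed, and it assumes the standard behaviour that trusts inside one forest are transitive while external trusts are one-way and apply only to the exact pair of domains.

```python
# Added illustration: a toy model of the trust rules described in this thread.
# All domain and forest names below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class TrustModel:
    forest_of: dict                               # domain -> forest it belongs to
    external: set = field(default_factory=set)    # (trusting domain, trusted domain)
    forest: set = field(default_factory=set)      # (trusting forest, trusted forest)

    def trust_path(self, resource_domain, user_domain):
        """Return the kind of trust that lets resource_domain accept accounts
        from user_domain, or None if no trust applies."""
        rf = self.forest_of[resource_domain]
        uf = self.forest_of[user_domain]
        if rf == uf:
            return "domain"      # automatic inside a single forest
        if (resource_domain, user_domain) in self.external:
            return "external"    # exactly this pair, in this direction only
        if (rf, uf) in self.forest:
            return "forest"      # covers every domain in both forests
        return None              # nothing chains through a third forest

def build_sample():
    m = TrustModel(forest_of={
        "corp.example": "CORP", "hq.corp.example": "CORP",
        "partner.example": "PARTNER", "lab.partner.example": "PARTNER",
        "vendor.example": "VENDOR",
    })
    # Resource domain ---trusts---> user domain (external, one-way)
    m.external.add(("lab.partner.example", "hq.corp.example"))
    # Forest trust: VENDOR forest trusts PARTNER forest
    m.forest.add(("VENDOR", "PARTNER"))
    return m

if __name__ == "__main__":
    m = build_sample()
    for res, usr in [("lab.partner.example", "hq.corp.example"),
                     ("hq.corp.example", "lab.partner.example"),
                     ("partner.example", "hq.corp.example"),
                     ("vendor.example", "lab.partner.example"),
                     ("vendor.example", "hq.corp.example")]:
        print(f"{res} accepts accounts from {usr}: {m.trust_path(res, usr)}")
```

A result of None for a pair means an account from the user domain cannot be placed in an admin group of the resource domain, which is the condition to check before troubleshooting group membership.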
 
