Mike, as others have mentioned, users and groups from
externally trusted domains can only be added to domain local groups (DLG) in
another forest. This is by design for any type of trust that you
establish.
If all you're trying to do is to manage the member servers
in your DMZ with the same admin accounts that you have in your production
forest, you could still leverage a GPO in your DMZ forest/domain that
either adds a DLG to the administrators group of all your DMZ servers using the
restrictive groups feature. If you combine this approach with enabling Selective
Authentication for the trust between the two forests and use this feature to
restrict authentication to the servers to members of the same group, you'll have
a reasonable integration of the two forests to allow management of the DMZ
servers using your production admin accounts.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guest, Mike
Sent: Thursday, 15 June 2006 19:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest issue

Hi, New member here, with an issue.

We have implemented 2 forests with a
cross forest trust such that forest B trusts forest A
one-way. The intention is that all admins in
forest A will be able to manage both forests, and that accounts in forest B
cannot be authenticated in forest A. Whilst I can add the admins from
forest A into a domain local group in forest B, allowing me to grant
“administrators” rights, I cannot add any security principal from forest A to a
universal (or global) group in forest B. This precludes me from granting domain,
enterprise or schema admin rights to the forest A administrators – and thus
defeats the objective of having the admins in a single
forest. (FYI, creating a DL, adding a remote
user, then trying to change that group to a universal group gives the message
“Foreign security principals cannot be members of universal
groups”.) Forest B is in a DMZ, and is solely
being used to give the benefits of centralised management to the servers in the
DMZ. Consequently, we want to avoid having many user accounts in that forest.
Company policy states that every admin must log on using their own
account. Hope you can help.
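The setup Guido describes (a domain local group in the DMZ forest that holds the forest A admins, pushed into local Administrators on the DMZ servers by Restricted Groups, with Selective Authentication limiting which principals may authenticate to those servers) as an added PowerShell example; this is not code from either poster or from the list. Forest names (corp.example, dmz.example), DC hostnames, OU paths and the group names are placeholders, and the script also reproduces the scope-change error Mike reports so the limitation is visible.

```powershell
# Added example, not from the thread. Assumptions (all placeholders): forest A =
# corp.example (production), forest B = dmz.example (DMZ); dc1.corp.example and
# dc1.dmz.example are reachable DCs; the caller has the ActiveDirectory module
# and is an admin in dmz.example.
Import-Module ActiveDirectory

$prodDC = 'dc1.corp.example'
$dmzDC  = 'dc1.dmz.example'
$dlg    = 'DMZ-ServerAdmins'

# 1. A domain local group in the DMZ domain is the only group scope that can
#    hold security principals from an externally trusted forest.
if (-not (Get-ADGroup -Filter "Name -eq '$dlg'" -Server $dmzDC)) {
    New-ADGroup -Name $dlg -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=Groups,DC=dmz,DC=example' -Server $dmzDC
}

# 2. Add the production admins. Resolving them against a forest A DC and passing
#    the objects in lets the DMZ DC create the matching foreign security
#    principal entries (assumption: 'Production-Admins' is the forest A group).
$prodAdmins = Get-ADGroupMember -Identity 'Production-Admins' -Server $prodDC |
    Where-Object objectClass -eq 'user'
Add-ADGroupMember -Identity $dlg -Members $prodAdmins -Server $dmzDC

# 3. The limit Mike hit: the scope cannot be raised to Universal while the
#    group contains foreign security principals. Expected to throw.
try {
    Set-ADGroup -Identity $dlg -GroupScope Universal -Server $dmzDC
} catch {
    Write-Warning "Expected failure: $($_.Exception.Message)"
}

# 4. Restricted Groups. This security-template fragment makes the DLG a member
#    of the local Administrators group (well-known SID S-1-5-32-544) on every
#    computer the GPO applies to; enter the same setting under Computer
#    Configuration > Windows Settings > Security Settings > Restricted Groups
#    in a GPO linked to the OU holding the DMZ member servers.
$restrictedGroups = @'
[Group Membership]
*S-1-5-32-544__Members = DMZ\DMZ-ServerAdmins
'@
Write-Output $restrictedGroups

# 5. Selective Authentication on the one-way trust (dmz.example trusts
#    corp.example), run on a DMZ DC with enterprise admin rights, then the
#    "Allowed to Authenticate" control-access right on each DMZ server's
#    computer object for the DLG only. Forest A accounts outside the DLG can
#    then no longer authenticate to those servers.
netdom trust dmz.example /domain:corp.example /SelectiveAuth:Yes
Get-ADComputer -Filter * -SearchBase 'OU=DMZ Servers,DC=dmz,DC=example' -Server $dmzDC |
    ForEach-Object {
        dsacls $_.DistinguishedName /G "DMZ\${dlg}:CA;Allowed to Authenticate"
    }
```

Step 3 is there only to show the failure mode; in practice leave the group domain local. Step 5 is the piece that turns the DLG from a convenience into an access boundary, because with Selective Authentication enabled the DMZ DCs refuse authentication from forest A accounts that lack the right on the target computer object, whatever local group memberships they might otherwise have.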