
2 Separate Domains need users from one in the other


Frank666

IS-IT--Management
Apr 27, 2005
49
AU
I will explain what I am trying to achieve first. I have a proxy server on one domain (a) that filters internet, I want to put the users in the other domain (b) thru it so they are filtered too. The proxy software (getbusi) works on active directory - so it has to have a group in active directory that it uploads at night so those users are incorporated into the getbusi software. I have a two way trust set up between the domains, it is working. Therefore my problem is that I want to create a group in domain A that has members in it from domain B. I can create a group (I presume it must be a global security group) but when I try to put members into it and try to choose 'location' so I can choose domain b, the domain b is not listed, does not show there. How do I get it to show so I can choose users from it? I must be missing something here.
 
- Make domain local groups in both domains; add users from that domain.
- Make a global group; make the domain local groups members of the global group.

Regards, Lars

Network admin for worldwide freight forwarders company.
mcp mcsa: Messaging mcse -2003
 
Lars
Let me see if I understand you (I am new to this). I have created a local group under the OU in domain a, called getbusi. I then went to domain b and created a global group called getbusi, when I try to add the group from domain a I still cannot 'see' in location the domain a. Domain b users are not a problem they are all getting loaded into getbusi overnight in their correct groups as the getbusi server is in domain a. BUT I need to get the users from domain b to be 'seen' by domain a. There is a trust that is working, have I missed doing something else?
Thanks for your help
 
domain a ----------> local group getbusi.
domain b ----------> local group getbusi2.

domain a ----------> global group allgetbusi-users.

Add getbusi and getbusi2 to allgetbusi-users; this way you can give the group PERMISSIONS in both domains.

"I will explain what I am trying to achieve first. I have a proxy server on one domain (a) that filters internet, I want to put the users in the other domain (b) thru it so they are filtered too. The proxy software (getbusi) works on active directory - so it has to have a group in active directory that it uploads at night so those users are incorporated into the getbusi software."

"that it uploads at night"

Don't see what you mean here; you wanna deploy software to the group?

Lars





 
Lars
The getbusi software uploads AD users at night, so if users are created in the daytime they will get uploaded at night and then be a user on Getbusi, as such they are allowed access to the internet (albeit filtered). I don't think I can do what you have told me to do as I cannot 'see' the domain b in locations.
Regards
 
Tried your suggestion, I do not 'see' domain b listed under location in the global group when trying to add groups/users, I only 'see' it in the local but it will not find any groups/users anyway?? Not sure why
 
So you have 2 forests and a trust (a.com <--> b.com)?
And you are uploading users at night (!?)
Or is your active directory replicating at night?
What are the operating systems of the servers?

Sorry, I tried myself and you need to add users from both domains to a domain local group and then make the global group member of the domain local group.
You now can see the global group in the other domain, and this group will have all the users from both domains.

Lars.

 
Lars the OS on the 2 domains is server2003, the OS on the proxy box is a version of Linux. The proxy box uploads the AD from domain a at night so they are then users on the Proxy software (Getbusi). I am trying to be able to get the users from domain b 'seen' in domain a so I can upload them too. Yes there is a 2 way trust between a and b. When on domain a I cannot add a group or user from domain b as I do not have domain.a as a domain to choose from.
Hope this helps
 
When you browse my network places are you able to see the other domain?
If not, install a WINS server on your network, just the standard config. Browsing the domains on your network is handled by WINS; this may be the issue.

Lars

 
I didn't think that WINS was needed on 2003?? But no I don't see the other domain when I browse my network places.
Excuse my ignorance but isn't WINS an earlier version of DNS? Could this be to do with reverse lookups or something like that?

Regards
 
You must remember the age old rule about groups.

GG-->UG-->DLG

The group scope shouldn't matter because you are not setting permissions on an object. If that was the case Group Scope would come into play. There's no reason why you shouldn't be able to see users on Domain B from Domain A. You do have a trust relationship, am I right?

Getting back to the group thing. You might want to create a universal group, granted your domain functional level would allow this. That way you can add all users from both domains. But the problem is you can see anyone from the other domain.

A simple test would be for you to take a user account from Domain A and try to logon to Domain B. If it holds the global catalog you should be able to logon.
 
"I didn't think that WINS was needed on 2003?? But no I don't see the other domain when I browse my network places.
Excuse my ignorance but isn't WINS an earlier version of DNS? Could this be to do with reverse lookups or something like that?"

Browsing my network places is always handled by WINS, not DNS.

Regards Lars.

 
For the computers to all "see" each other in Network Neighbourhood, otherwise known as "My Network Places", ensure file & printer sharing is active on this card and enable NetBIOS over TCP under the WINS tab.

Regards Lars

 
The basic way browsing works is that one computer in the network takes on the role of the master browser (also called local master browser, browse master, or browse server) and keeps a list of all the computers on the local subnet that are acting as SMB servers. The list of computers is called the browse list and includes all Windows NT/2000/XP systems, and any Windows 95/98/Me systems that have the "File and printer sharing for Microsoft Networks" networking component installed. The browse list also contains the names of all workgroups and domains. At this level, browsing is limited to the local subnet because the browsing protocol depends on broadcast packets, which are typically not forwarded to other subnets by routers.

Regards Lars



 
So I'll guess that defining a WINS server on the remote network will do the trick as well.

Regards Lars

 
Actually, WINS isn't really needed. Having a Secondary DNS zone of domain A in domain B's DNS server and having a Secondary DNS zone of domain B in domain A's DNS server will help.

The issue is active directory must see the other domain and the only place it will is via the service records in DNS. If your DNS server can't provide the service records of the other domain.... well there ya go; you can't see it in active directory. WINS does nothing for active directory.

A+/MCP/MCSE/MCDBA
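
The check implied by the reply above, as an added example that is not part of the thread: ask each domain's DNS server for the other domain's domain-controller SRV records and report which lookups come back empty. The domain names, server addresses and sample `nslookup` output are constructed placeholders, and the parser assumes Windows-style `nslookup` output.

```python
import re
import subprocess

# SRV names that Active Directory clients query to locate a domain's controllers.
SRV_NAMES = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.{d}")

def run_nslookup(name, server):
    """Query one SRV name against one DNS server with the nslookup tool."""
    proc = subprocess.run(["nslookup", "-type=SRV", name, server],
                          capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr

def parse_srv(output):
    """Return [(hostname, port)] from Windows-style nslookup SRV output."""
    records, port = [], None
    for line in output.splitlines():
        m = re.match(r"\s*port\s*=\s*(\d+)", line)
        if m:
            port = int(m.group(1))
        m = re.match(r"\s*svr hostname\s*=\s*(\S+)", line)
        if m and port is not None:
            records.append((m.group(1).rstrip("."), port))
            port = None
    return records

def check_cross_domain(domains, servers, lookup=run_nslookup):
    """Map (server, srv_name) -> records for every domain on every DNS server."""
    return {(s, t.format(d=d)): parse_srv(lookup(t.format(d=d), s))
            for s in servers for d in domains for t in SRV_NAMES}

def missing(results):
    """List the (server, srv_name) pairs that returned no SRV record."""
    return sorted(k for k, v in results.items() if not v)

# Constructed sample output (not from the thread): this server only hosts domain a.
SAMPLE_OK = """Server:  dns-a.a.example
Address:  192.0.2.10

_ldap._tcp.dc._msdcs.a.example  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.a.example
"""
SAMPLE_FAIL = "*** dns-a.a.example can't find _ldap._tcp.dc._msdcs.b.example: Non-existent domain\n"

if __name__ == "__main__":
    res = check_cross_domain(["a.example", "b.example"], ["192.0.2.10", "192.0.2.20"])
    print(missing(res))  # any entry here is a zone that DNS server cannot resolve
```

An empty result from `missing()` means both DNS servers can return service records for both domains, which is the condition the reply describes for the other domain to appear in Active Directory.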
 