Domain Admin in multiple Domains

  • Domain Admin in multiple Domains

    Hi,

    I am having a nightmare at the moment trying to work this one out. We have two child domains and each domain admin group needs to be domain admin in the other.

    domain1.parent.com
    domain2.parent.com

    So domain admins in domain1.parent.com need to be domain admins in domain2.parent.com and vice versa.

    I've tried many combinations:
    Add domain admins from each domain into the domain administrators
    Add both domain admins into Enterprise admins in parent.com

    I've spent hours searching Google but still I have found no solutions that work.
    Does anyone have any ideas, or has anyone run such a scenario already?

    Thanks in advance

    Simon

  • #2
    Re: Domain Admin in multiple Domains

    Since both are in the same forest, trusts exist, so there should be no reason you cannot add domain admins from one domain into the domain admins group from the other.

    What errors are you getting when you try to do that?
    What are your domain and forest FLs?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Domain Admin in multiple Domains

      Originally posted by Ossian
      Since both are in the same forest, trusts exist, so there should be no reason you cannot add domain admins from one domain into the domain admins group from the other.

      What errors are you getting when you try to do that?
      What are your domain and forest FLs?

      It's not possible to do, I've tried.
      You don't get any error messages, you just don't get the option to choose it.



      • #4
        Re: Domain Admin in multiple Domains

        Me plank -- Domain Admins is a GG, so a universal group will need to be involved:
        http://forums.petri.com/showthread.php?t=24936
        Tom Jones


        • #5
          Re: Domain Admin in multiple Domains

          OK, I see the theory

          "Here's a strategy which I have not tried in the real world but SHOULD work.

          First create a two way Forest Trust between your two forests - this will allow cross-forest authentication and therefore granting of permissions. Let's call them forest A and forest B. Let's call the root domains A1 and B1, and let's assume that you want to allow Domain Admins in A1 access to a resource in B1.

          Create a universal group in B1 called "ug_Admins". Create a Domain Local group in B1 called "lg_Admins". Make "ug_Admins" a member of "lg_Admins". Make "lg_Admins" a member of Domain Admins in B1. There - anyone in ug_Admins is now a Domain Admin of Domain B1.

          Wait for GC Replication - this step is VITALLY important.

          Create a domain local group in A1 called "lg_A Admins". Make "A1\BUILTIN\Administrators" a member of it. Make "lg_A Admins" a member of "ug_Admins" - theoretically any member of a group which is a member of "Administrators" in A1 is now also a Domain Admin in B1.
          "

          So I create a Universal group in parent.com called UG_Admins
          Add both domain1.parent.com and domain2 domain admin groups into here.
          This is where I get lost, what next, or is it wrong already?



          • #6
            Re: Domain Admin in multiple Domains

            Create universal group (doesn't matter which domain it's in)
            Add both domain admin groups to it
            Add it to both domain admin groups

            Report back!
            Tom Jones


            • #7
              Re: Domain Admin in multiple Domains

              Originally posted by Ossian
              Create universal group (doesn't matter which domain it's in)
              Add both domain admin groups to it
              Add it to both domain admin groups

              Report back!

              That's what I thought. I'm waiting for replication, but I don't think I will be able to add it to domain admins; I've added domain admins to it.



              • #8
                Re: Domain Admin in multiple Domains

                Replication has now occurred and I cannot add the UG into the Domain Admins group, but I can add it to the Builtin\Administrators group.
                Not sure if this will work.



                • #9
                  Re: Domain Admin in multiple Domains

                  As far as I know, Universal Groups cannot be members of Domain Global groups:

                  http://technet.microsoft.com/en-us/l...92(WS.10).aspx



                  • #10
                    Re: Domain Admin in multiple Domains

                    Arrrgggh, any more ideas?



                    • #11
                      Re: Domain Admin in multiple Domains

                      Have a look here:

                      http://technet.microsoft.com/en-us/l...92(WS.10).aspx



                      • #12
                        Re: Domain Admin in multiple Domains

                        FIXED:

                        Added both domain admin groups into the other domain's Builtin\Administrators group.

                        Then did a bit of GPO magic on both domains.
                        In your required GPO:
                        Computer Settings > Windows Settings > Security Settings > Restricted Groups
                        Add the other domain's domain admin account: right click, Add Group. Browse, change location focus to the other domain, Domain Admins, Check Names, OK, OK. Configure Membership pops up. "This group is a member of", Add, Administrators (you must type this in, not select it). OK.

                        Run gpupdate /force on a test member server or workstation in the domain, look in the local Administrators group and you will see the other domain's domain admin group.

                        Job done.

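The first step of the fix in #12, scripted with the ActiveDirectory module as an added example (not code from the thread). It assumes the two child domain names from the thread and that the caller can administer both; it adds each domain's Domain Admins to the other domain's BUILTIN\Administrators and then reads the resulting membership back, resolving the foreign security principal DNs to DOMAIN\Group names so the check is readable.

```powershell
# Added example, not from the original thread. Assumes domain1.parent.com and
# domain2.parent.com (the names used in the thread) and that the caller has
# rights to modify BUILTIN\Administrators in both child domains.
Import-Module ActiveDirectory

$pairs = @(
    @{ Target = 'domain1.parent.com'; Source = 'domain2.parent.com' },
    @{ Target = 'domain2.parent.com'; Source = 'domain1.parent.com' }
)

foreach ($p in $pairs) {
    # Domain Admins is a global group, so it can only hold principals from its own
    # domain; that is why the other domain's group never appears in the picker.
    # BUILTIN\Administrators (well-known SID S-1-5-32-544) is domain local and can
    # hold a group from a trusted domain via a foreignSecurityPrincipal object.
    $sourceDA     = Get-ADGroup -Identity 'Domain Admins' -Server $p.Source
    $targetAdmins = Get-ADGroup -Identity 'S-1-5-32-544'  -Server $p.Target

    # Add by distinguished name: the target DC creates the FSP object itself.
    Set-ADGroup -Identity $targetAdmins -Server $p.Target `
                -Add @{ member = $sourceDA.DistinguishedName }

    # Verify from the target domain's point of view. Cross-domain members show up
    # as DNs under CN=ForeignSecurityPrincipals; translate their SID back to a name.
    $members = (Get-ADGroup -Identity $targetAdmins -Properties member -Server $p.Target).member
    foreach ($dn in $members) {
        if ($dn -notlike '*CN=ForeignSecurityPrincipals,*') { continue }
        $sid  = (Get-ADObject -Identity $dn -Properties objectSid -Server $p.Target).objectSid
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
        Write-Output "$($p.Target) BUILTIN\Administrators now contains $name"
    }
}
```

After the Restricted Groups policy from #12 has applied, `Get-LocalGroupMember -Group Administrators` on a member server shows the same cross-domain group; keep in mind that Administrators in a domain is a domain-controller-level privilege, so each child domain's Domain Admins now effectively control both domains.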