Cannot add global group in another domain to universal group

  • Cannot add global group in another domain to universal group

    Hi all,

    I am currently working on a new Active Directory, and I have established a two-way forest trust between the new AD (let's call it A) and the existing AD (call it B). The purpose of this is to add global groups in the existing AD to a universal group in my AD, so I can better manage the resources in my domain.

    The problem is that when I try to add a Member to a universal group in A, I cannot see the domain B in Locations. When I try it the other way around (i.e. going to a global group in B and selecting Member Of), I can only see the domain local groups in A. According to an article in Microsoft, I should be able to do this. (http://www.microsoft.com/technet/pro...56fabb85e.mspx)

    Both A and B are Windows 2003 native mode in terms of domain and forest functional levels.

    Any help is greatly appreciated.

  • #2
    Re: Cannot add global group in another domain to universal group

    There are a couple of "features" having to do with the UI of the AD object picker when dealing with cross-forest trusts.

    Try using the explicit Kerberos principal of the global group when adding it to the Universal group (and do not use the Locations). Just type in something like: [email protected] (the Location will be ignored when explicitly stating the Kerberos principal)
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: Cannot add global group in another domain to universal group

      When I try to do that, it gives me a pop-up saying Name Not Found. I tried entering [email protected] and DomainName/GroupName but they both give me the same message. Now I tried adding the same global group to the Domain Local group (using [email protected]STNAME) and it succeeded.

      It seems as if it cannot recognize this global group when I try adding to a universal group. Why is this?!?!



      • #4
        Re: Cannot add global group in another domain to universal group

        Is the trust working?
        Do you have the name resolution set up correctly?
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          Re: Cannot add global group in another domain to universal group

          > The problem is that when I try to add a Member to a universal group in A, I cannot see the domain B in Locations.

          Sounds like a one-way trust then.

          > When I try it the other way around (i.e. going to a global group in B and selecting Member Of), I can only see the domain local groups in A.

          Weird stuff. Domain Local groups are invisible outside their own domain, so this is not possible. Also, a global group cannot contain ANY group from another domain. Another impossibility.
