
Cross domain account enumeration

Status
Not open for further replies.

Teknofowb

Technical User
Jan 25, 2007
9
CA
I have two 2K3 single domain forests. I am migrating user accounts from Domain A to Domain B using ADMT v3.0. Resources such as file print servers are staying put in Domain A for now. Two main file servers share the load for data, ServerA and ServerB. These two servers are identical as far as OS and patches are concerned.

After migration, the user logs into Domain B.
Scripted drive mappings to ServerA in Domain A connect fine and permissions are the same as when the user account was in Domain A. Scripted drive mappings to ServerB in Domain A fail with an error similar to 'There are no logon servers to authenticate your request'.

Adding Domain Admins to the local Administrators group on ServerA works and I can administer the server as a DomainB admin. When I try to add Domain Admins to the local Administrators on ServerB I can browse to the domain and select the group but as soon as I hit apply, the group name becomes an unresolved SID. Afterward I cannot administer that server using a DomainB account.

Any ideas what might be happening?
 
Hi, compare the Local Security settings on the server that doesn't work, to the server that does. See if they differ.

Start>Settings>Control Panel>Administrative Tools>Local Security Policy

Under "Local Policy" compare the settings under "Security Options"

That's not to say that this is the location of your problem, but it's a good place to start. These settings can sometimes be too secure when accessing a server in one domain, while logged into another domain.

Let me know how you get on. Good luck.
 
Thanks for your suggestion. Problem is resolved. Here is what happened:

It turns out that a DC running DNS in Domain A did not have the secondary zone for Domain B loaded. The file server was not pointing to that DC for DNS but the DC was pointing to itself. That was why I could browse objects in the domain from the file server but authentication would not work. The DC was forwarding DNS requests for that zone to a Cisco NS. Once the zone was added to the DC and forwarding turned off, I could access everything from one domain to the other.
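The root cause above is a DNS server in Domain A that could not answer DC locator queries for Domain B, while the file server still appeared to browse the other domain normally. The following PowerShell diagnostic is an added example, not code posted in the thread: it asks each DNS server a host is configured to use for the SRV records a client must resolve before Kerberos or NTLM over the trust can succeed, so a server whose resolver lacks the zone (or forwards it to a non-AD DNS server) shows up as a per-server failure rather than a vague logon error. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Get-DnsClientServerAddress, and the domain name `domainb.example` is a placeholder.

```powershell
# Added diagnostic example (not from the original thread).
# Checks whether each configured DNS server can resolve the DC locator
# SRV records for a trusted domain, the lookup that fails when a DC's
# DNS service does not host or correctly resolve the trusted zone.
param(
    [string]$TrustedDomain = 'domainb.example',   # placeholder: DNS name of the trusted domain
    [string[]]$DnsServers  = @()                  # default: this host's configured IPv4 DNS servers
)

if (-not $DnsServers) {
    $DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses -Unique
}

# DC locator records registered by every domain controller of the trusted domain.
$records = @(
    "_ldap._tcp.dc._msdcs.$TrustedDomain",
    "_kerberos._tcp.dc._msdcs.$TrustedDomain"
)

foreach ($server in $DnsServers) {
    foreach ($rec in $records) {
        try {
            $srv = Resolve-DnsName -Name $rec -Type SRV -Server $server -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if ($srv) {
                $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                Write-Output "[OK]   $server resolves $rec -> $targets"
            } else {
                # Answer came back but carried no SRV data: the zone is likely served by a
                # DNS server that does not hold the AD-integrated records.
                Write-Output "[FAIL] $server returned no SRV records for $rec"
            }
        } catch {
            Write-Output "[FAIL] $server cannot resolve $rec : $($_.Exception.Message)"
        }
    }
}

# Cross-check with the DC locator itself; this is the same lookup a logon or
# share connection performs, so it should agree with the per-server results above.
nltest /dsgetdc:$TrustedDomain /force
```

Run it on each file server (here ServerA and ServerB) and on the DCs they use for DNS. A host whose resolver can answer normal hostname queries but fails both SRV lookups matches the symptom in this thread: browsing the trusted domain works while authentication reports that no logon servers are available.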
 