Quick answer is you can't add users from one
forest to the global/universal groups in another forest. Global groups in
particular are very picky and only allow security principals from the same
domain to be added to their membership.
I am not sure I understand the security benefits you are
shooting for here anyway. You usually use a DMZ forest to separate yourself from
the production internal forest because you want to protect it. If you set up a
trust from A to B, it means that Forest info from A can be sucked down the pipe
to B. That is what a trust is about, so user info in A is available in
B (has to be or else you couldn't say put a SID of user A in a user B group and
get anywhere with it).
When you set up a DMZ forest, it should generally be
standing alone and the access from it and to it from the intranet
should be strictly limited (like no RPC, no LDAP or maybe LDAPS out to DMZ
to push provisioning data if really really really needed, just a couple of small
holes maybe for RDP one way from intranet to DMZ).
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guest, Mike
Sent: Thursday, June 15, 2006 1:24 PM
To: [email protected]
Subject: [ActiveDir] Cross forest issue

Hi,

New member here, with an issue.

We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.

Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant "administrators" rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators, and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message "Foreign security principals cannot be members of universal groups".)

Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.

Hope you can
help.
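The point of joe's reply is that a trusted-forest account only ever lands in forest B as a foreign security principal (FSP), and only domain local groups can hold one. Since every FSP is the trust's real footprint in the DMZ forest, the useful defensive check is to list them and the groups they sit in. The script below is an added example, not code from the list thread; it assumes the RSAT ActiveDirectory module and uses a placeholder DC name for forest B.

```powershell
# Added example (not part of the original thread): audit which foreign security
# principals (accounts from the trusted forest A) exist in forest B and which
# groups each one is a member of. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: a domain controller in the DMZ forest (forest B). Replace with your own.
$Server = 'dc1.forestb.example'

function Get-ForeignPrincipalMembership {
    param([string]$Server)

    # Every cross-forest account that was ever added to a forest-B group gets an
    # object under CN=ForeignSecurityPrincipals; this is the trust's actual exposure.
    $fsps = Get-ADObject -Server $Server `
        -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
        -Properties memberOf, objectSid

    foreach ($fsp in $fsps) {
        # Resolve the SID to a forest-A account name where the trust allows it;
        # otherwise report the raw SID (e.g. a principal deleted in forest A).
        $sid = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        foreach ($groupDn in $fsp.memberOf) {
            $group = Get-ADGroup -Server $Server -Identity $groupDn -Properties GroupScope
            [PSCustomObject]@{
                Principal = $name
                Group     = $group.Name
                # Only DomainLocal can legitimately contain an FSP; anything else
                # here means the directory was altered outside the normal tools.
                Scope     = $group.GroupScope
                GroupDN   = $groupDn
            }
        }
    }
}

# Run the audit and show the result sorted by group, so a privileged group that
# has quietly accumulated trusted-forest members stands out.
Get-ForeignPrincipalMembership -Server $Server |
    Sort-Object Group, Principal |
    Format-Table Principal, Group, Scope -AutoSize
```

Running this regularly on the DMZ forest gives the "what can forest A reach in forest B" view that joe's reply says a trust inherently creates; FSPs with an unresolvable SID are stale entries that should be cleaned out of their groups.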
