Channel: Directory Services forum

Nesting Domain Groups across a one-way trust

I think I have the correct forum. We recently set up a domain trust between two Win2k3 domains, domain-a.net (existing domain for 5+ years) and domain-b.net (just set up late last year). The trust is a one-way trust (external, non-transitive) with domain-a.net trusted by domain-b.net. My issue/question is, we would like domain admin accounts from domain-a.net to be able to manage resources in domain-b.net, i.e. manage share access and directory security permissions.

I followed the instructions in this link to set up the permissions using nested groups: http://jasonduffett.net/post/5448151233/administering-cross-forest-domains-with-a-single-login Everything worked as planned to add domain-a.net\remote_domain_admins (global group) to the domain-b.net\Local_Domain_Admins (domain local group). I tested access rights for a domain-a.net\domain_admin_user_account on a resource server in domain-b.net and that worked just fine too. However, after a period of time (right now I'm not sure what that is just yet), domain-a.net\remote_domain_admins is removed and is missing from the domain-b.net\Local_Domain_Admins group. I checked all the DC event logs and nothing appears to be out of the ordinary. I run DCDiag and a netdom query daily to monitor the health of the domains and all looks OK with that as well. I also did nslookup _ldap._tcp.dc._msdcs.domainname.net for both domains on DCs from each domain and all DCs were found for both domains. Lastly, I ran the command to validate the trust and that was successful.

Here are a couple of other notes that may or may not be helpful:

  1. Both domains are running at the highest possible functional level – Win2k3
  2. I installed the Client Side Extensions only on the DCs in domain-b.net since that was the domain that would be using the Group Policy Preferences settings.
  3. Both domains exist on the same subnet in our home office. We have a remote DR site that has one DC for each of the domains, and communication with the remote DCs is not an issue.

This is a complete mystery to me. I'm not sure why a group would mysteriously disappear. Does anyone have experience with this setup? I'm thinking the disappearance may be related to replication timing, but I am not sure. Does it matter that CSEs are not installed on domain-a.net DCs? Does it matter that there is only a one-way trust?

Any thoughts or suggestions would be appreciated. If I need to provide additional information please let me know. Thanks in advance!
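As an added diagnostic (this is not code from the original post or from the linked article), the PowerShell script below reads the domain local group from every domain-b.net DC separately, records whether the trusted domain's group is still a member on each one, and, when it is gone, pulls the "member removed from a security-enabled local group" audit event (637 on Windows 2003, 4733 on 2008 and later) from each DC's Security log. Querying each DC individually separates the two hypotheses in the post: if the DCs disagree, replication is the suspect; if they all agree and a 637/4733 event exists, something removed the member, and the event's Subject fields name the account that did it. The group's DN, the DC names, and the state-file path are assumptions; the script is meant to run on a domain-b.net member under an account that can read the DCs' Security logs.

```powershell
# Added example, not code from the original post or the linked article.
# Assumed: the group DN, the DC names, and that this runs on a domain-b.net
# member as an account allowed to read the domain-b.net DCs' Security logs.
param(
    [string]   $GroupDn           = 'CN=Local_Domain_Admins,CN=Users,DC=domain-b,DC=net',
    [string]   $TrustedGroup      = 'domain-a\remote_domain_admins',
    [string[]] $DomainControllers = @('dc1.domain-b.net', 'dc2.domain-b.net', 'dr-dc1.domain-b.net'),
    [int]      $LookbackHours     = 24,
    [string]   $StateFile         = "$env:ProgramData\Local_Domain_Admins-watch.txt"
)

# A group from the trusted domain is stored in domain-b.net as a foreignSecurityPrincipal
# object whose CN is the group's SID, so membership is matched on SID, not on name.
$account = New-Object System.Security.Principal.NTAccount($TrustedGroup)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$fspDn   = "CN=$sid,CN=ForeignSecurityPrincipals,*"

# Read the group from every DC separately (LDAP://<dc>/<dn> pins the query to that DC)
# so a DC that still has the member and one that has already lost it show up side by side.
$present = @{}
foreach ($dc in $DomainControllers) {
    try {
        $group   = [ADSI]"LDAP://$dc/$GroupDn"
        $members = @($group.member)
        $present[$dc] = [bool]($members | Where-Object { $_ -like $fspDn })
    } catch {
        Write-Warning "Could not read $GroupDn from ${dc}: $_"
    }
}

# Compare with the previous run so the removal can be bracketed between two timestamps.
$previous = @{}
if (Test-Path $StateFile) {
    foreach ($line in Get-Content $StateFile) {
        $dc, $state = $line -split "`t"
        $previous[$dc] = [bool]::Parse($state)
    }
}
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$lines = @()
foreach ($dc in $DomainControllers) {
    if (-not $present.ContainsKey($dc)) { continue }
    $lines += "$dc`t$($present[$dc])"
    $status = if ($present[$dc]) { 'present' } else { 'MISSING' }
    if ($previous.ContainsKey($dc) -and $previous[$dc] -and -not $present[$dc]) {
        $status += ' (was present on the previous run)'
    }
    "$stamp  $dc  $TrustedGroup $status"
}
Set-Content -Path $StateFile -Value $lines

# Event 637 (Windows 2003) / 4733 (Windows 2008 and later) is "A member was removed
# from a security-enabled local group". It is written only on the DC that processed
# the removal and only if "Audit account management" (Success) is enabled there, so
# every DC is searched. The event's Subject fields name the account that made the change.
$missingOn = @($present.Keys | Where-Object { -not $present[$_] })
if ($missingOn.Count -gt 0) {
    $since   = (Get-Date).AddHours(-$LookbackHours)
    $groupCn = (($GroupDn -split ',')[0] -replace '^CN=', '')
    foreach ($dc in $DomainControllers) {
        # Get-EventLog reports "no matches" as an error, so errors are not escalated here.
        Get-EventLog -ComputerName $dc -LogName Security -InstanceId 637, 4733 -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($groupCn) } |
            Select-Object @{ n = 'DC'; e = { $dc } }, TimeGenerated, EventID, Message |
            Format-List
    }
}
```

Run it from Task Scheduler at a short interval (every 15 minutes, say) and redirect the output to a log file; the first run that reports MISSING after a run that reported present narrows the "period of time" to one interval, and the matching 637/4733 event shows which DC the removal was written on and under which account.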

