Is it possible to make parent DC users look like child DC users?

I've been searching for an answer to this but I'm not sure what keywords to use. I'm not a particularly experienced AD person.

I have three Server 2012 machines configured as a primary DC and two child DCs.

The primary DC has:
    User: testone & testtwo
    Global group: G
       G contains: testone

The child DC has:
    User: testthree
    Local group: G
       Local group G contains: global group G (contains user testone)

On the child DC, I can use 'AD Users & Computers' and drill down through Users, local groups & global groups to eventually see testone.

From a Win 7 member of the child domain, I can log in using
    testone@primary DC
    testthree@child DC


Each child DC has a special user account that has had its Kerberos shared secret key exported via ktpass to a Linux machine.

On the Linux machine, I authenticate:
   kinit testthree@CHILD DC
      everything works

   kinit testone@CHILD DC
      does not work (testone is defined on parent, not child)

If I authenticate using the parent realm
   kinit testone@PARENT DC
      kinit works but subsequent attempts to use the resource defined on the child DC fail
      (In other words, I get tickets but they are wrong/broken)

I want to delete the user account on the child (testthree) and use only accounts on the primary.

I want to make the accounts on the parent appear as if they are on the child:

   kinit testone@CHILD DC

Is there any way to do this?

I have "child DC has group G which contains group G from parent which contains testone" but that doesn't work.

Regards,

Mickey.
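A way to check what the "wrong/broken" tickets actually are, added here as an example and not part of the question or any answer to it: after `kinit testone@PARENT` and one attempt to use the child-keyed service, the Linux client's credential cache should hold the initial TGT, a cross-realm TGT `krbtgt/CHILD@PARENT`, and a service ticket issued by the child realm. The script parses constructed MIT `klist` output (realm names, the `host/` SPN and the hostname are placeholders, not values from the question) and reports which links of that chain are present.

```python
import re

# Constructed sample of MIT `klist` output after `kinit testone@PARENT.EXAMPLE.COM`
# followed by one access to a service keyed in the child domain. The realm names
# and the host/ SPN are placeholders for the question's "PARENT DC" and "CHILD DC".
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testone@PARENT.EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/PARENT.EXAMPLE.COM@PARENT.EXAMPLE.COM
01/01/2024 10:00:05  01/01/2024 20:00:00  krbtgt/CHILD.PARENT.EXAMPLE.COM@PARENT.EXAMPLE.COM
01/01/2024 10:00:05  01/01/2024 20:00:00  host/linuxbox.child.parent.example.com@CHILD.PARENT.EXAMPLE.COM
"""

PRINCIPAL_RE = re.compile(r"^Default principal: [^@]+@(?P<realm>\S+)$")
TICKET_RE = re.compile(r"^\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
                       r"\s+(?P<service>\S+)@(?P<realm>\S+)$")


def parse_klist(text):
    """Return (client realm, [(service principal, issuing realm), ...])."""
    client_realm, tickets = None, []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            client_realm = m.group("realm")
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append((m.group("service"), m.group("realm")))
    return client_realm, tickets


def check_cross_realm(text, service_realm):
    """Does the cache hold the ticket chain needed to reach a service in service_realm?"""
    client_realm, tickets = parse_klist(text)
    # krbtgt/R2@R1 is a TGT issued by R1 that lets the client ask R2's KDC for service tickets.
    tgts = [svc.split("/", 1)[1] for svc, realm in tickets
            if svc.startswith("krbtgt/") and realm == client_realm]
    # Only tickets issued by the realm that holds the service's keytab key are usable;
    # a ticket for the same SPN issued by the parent realm is what "wrong/broken" looks like.
    service_tickets = [svc for svc, realm in tickets
                       if not svc.startswith("krbtgt/") and realm == service_realm]
    return {
        "client_realm": client_realm,
        "initial_tgt": client_realm in tgts,
        "cross_realm_tgt": service_realm in tgts,  # absent => referral to the child never happened
        "service_tickets": service_tickets,
    }
```

If `cross_realm_tgt` is False after the failed access, the client never followed the trust into the child realm, so the problem is on the client's realm resolution for that service rather than on the AD group nesting.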
