
I have a problem with universal groups across a trust: membership of the universal group gives rights from one domain in a forest but not from another domain in the same forest. I've set up a test set of accounts and groups to demonstrate the problem and to isolate and reduce it to the simplest case I can.

I know a universal group across the trust can work, as on one of my domains the universal group membership does work. In addition, user membership within the domain and across the trust also works. I need to isolate why the other domain in the same forest does not work.

I'm after some guidance on what I can look for. Feel free to ask questions. Thanks

To explain (referring to the diagram):


I have two forests, A.COM and Q.A.COM. The A.COM forest has four domains (A.COM, A.A.COM, E.A.COM and S.A.COM) and the Q.A.COM forest has one domain (Q.A.COM).

Q.A.COM trusts A.A.COM, E.A.COM and S.A.COM. These are one-way, non-transitive trusts; the only other trusts are the default trusts in the A.COM forest. All of these trusts are known to work, and users in each of these domains can be added to groups in their own domain that have membership in Q to get access to resources in Q.

I have the following users and groups set up in these domains:

Name    Type                Domain      Member/Right 
UA      User                A.A.COM     Member of GS
UE      User                E.A.COM     Member of GS 
GS      Universal Group     S.A.COM     Member of GQ  
GQ      Domainlocal Group   Q.A.COM     Read rights to Folder

The user UA from domain A can access the folder, but the user UE from domain E cannot.

If I use groups in domain A or E and add them to the GQ group, then that works. This is our current workaround for the problem.

I have logged onto a member server of Q.A.COM and run WHOAMI groups for the user UA, and it shows all the expected GS and GQ groups.

For the user UE, however, neither the GS nor the GQ group is shown. If run on a Q.A.COM member server, then it does show the GS universal group correctly.

So I believe it's related to tickets or Kerberos. I have been reading about this and will continue, but I think I'm lost.

Finally, other stuff I have checked is as follows. Sites and Services has been set up so that DCs from the two forests correctly locate the closest DCs in the other forest.

There is only a single non-GC server in each subdomain of the A.COM forest; this hosts the Infrastructure Master role, so I think this means all DCs have all universal groups, even the non-GC, as it is the Infrastructure Master.

All servers in Q.A.COM are GCs, but this forest does not have the universal groups.

We do have firewalls in many locations, but I see no denies on any of them during access.

Ross
  • To clarify, does the problem occur for *any* account from the E domain, or just one particular account? Have you tested the trust between E and Q? – Harry Johnston Jun 06 '19 at 10:25
  • Updated, but yes, lots of accounts, and yes, the trusts work – Ross Jun 06 '19 at 10:36
  • I believe there's a way of explicitly testing the trust, if I remember correctly this is provided by the Active Directory Domains and Trusts console. The fact that it seems to work most of the time isn't necessarily conclusive in that respect. – Harry Johnston Jun 06 '19 at 10:44
  • Oh yes, I forgot that. I shall check tomorrow – Ross Jun 06 '19 at 10:46
  • *I have logged onto a memberserver of Q.A.COM and run WHOAMI [...] For the user UE however neither the GS or GQ groups are shown. If run on a Q.A.COM member server then it does shown the GS universal group correctly.* I'm confused by this, it seems to contradict itself, or am I misreading it? Can you clarify under which circumstances UE does or does not see its membership in the GS group? – Harry Johnston Jun 06 '19 at 10:48
  • I'll be the guy to check the obvious: UE has logged off and back on since being added to the relevant group(s), correct? Is the user UE just one example from that domain and **all** users from that domain have the same problem, or do things work correctly for other users in that domain? Same question for UA - specific case or same behavior for all users of that domain? – Todd Wilcox Jun 06 '19 at 13:38
  • I've created new users to check this. So yes, all users, and yes, logged on again. The problem is months old – Ross Jun 06 '19 at 20:38
  • @Harry Johnston - yes, the trusts are fine. However, running NLTEST showed that they are set up differently. The trust to A was done 12 years ago; the other trusts were done recently, so due to changes in defaults SID filtering is not applied to the A trust and is applied to the E and S trusts. Pretty sure this is the problem, but I have to get authorization to change it – Ross Jun 06 '19 at 22:13

1 Answer


I found there is a setting in AD on the inbound end of EACH trust called SID filtering. SID filtering removes SIDs which are not from the trusted domain. We just need to turn it off to see the SIDs of the groups from the other domains.

What confused us is that the defaults changed when setting up the trust at some time between Server 2000 and Server 2008 R2.

So when our initial trusts were set up, filtering was off. For the later trusts, filtering was on. What confused us is that the same person set up all trusts on our end, but it was a different person on the far end, so we suspected the far end.

Ross
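The check and the change the answer describes, as an added PowerShell example; this is not code from the original post. It assumes it is run as a domain admin on a DC or RSAT host in the trusting (resource) domain Q.A.COM, uses the domain and group names from the question, and the "output" shown is constructed to match the symptoms described. The account name passed to netdom is a placeholder. One caveat for anyone applying this: SID filtering (quarantine) on an external trust is what stops a compromised or hostile trusted domain from presenting SIDs, for example via SIDHistory, that belong to other domains; turning it off restores the universal-group membership but also removes that protection, so the alternative the question already uses (adding groups from A.A.COM and E.A.COM directly to GQ and leaving quarantine on) is the safer option where it is workable.

```powershell
# Added example, not code from the original post.
# Run as a domain admin of the trusting (resource) domain Q.A.COM.
Import-Module ActiveDirectory

# 1. Which trusts have SID filtering (quarantine) set?
#    SIDFilteringQuarantined = True means only SIDs whose domain part
#    matches the trusted domain pass through the trust. A user from
#    E.A.COM carries the SID of GS (a S.A.COM group), so on a quarantined
#    E.A.COM trust that SID is dropped from the token, and with it GQ.
function Get-TrustSidFiltering {
    Get-ADTrust -Filter * -Properties SIDFilteringQuarantined, SIDFilteringForestAware |
        Select-Object Name, ForestTransitive, IntraForest,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}
Get-TrustSidFiltering | Format-Table -AutoSize

# Constructed output matching the question (old trust vs. newer trusts):
# Name    ForestTransitive IntraForest SIDFilteringQuarantined SIDFilteringForestAware
# A.A.COM False            False       False                   False
# E.A.COM False            False       True                    False
# S.A.COM False            False       True                    False

# 2. Cross-check with nltest. In the Trust_attr value of each entry,
#    bit 0x4 is TRUST_ATTRIBUTE_QUARANTINED_DOMAIN.
nltest /domain_trusts /v

# 3. Confirm from the user's side, logged on to a Q.A.COM member server:
#    with quarantine on, the S.A.COM group (GS) and therefore GQ are absent.
whoami /groups /fo list

# 4. The change the answer describes: turn quarantine off on the E.A.COM
#    trust. Requires credentials in the trusted domain as well
#    (E.A.COM\TrustAdmin is a placeholder). Get this authorised first,
#    since it weakens the trust boundary.
netdom trust Q.A.COM /domain:E.A.COM /quarantine:No /userD:E.A.COM\TrustAdmin /passwordD:*

# 5. Re-check the one trust that was changed, then have UE log off and
#    on again so a fresh token is built.
Get-TrustSidFiltering | Where-Object Name -eq 'E.A.COM'
```

Running step 1 on Q.A.COM is the quickest way to see the difference the comments describe between the 12-year-old A.A.COM trust and the recent E.A.COM and S.A.COM trusts without touching anything; steps 4 and 5 are only needed if the decision is to relax quarantine rather than keep the group-based workaround.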