Seemless logon to Two domains

[randle]

I have a webserver that is dual NIC'd and connected to both my CC3 network and vanilla admin network. This hosts the intranet and helpdesk of which i have Windows Integrated Authentication selected on the whole helpdesk and certain areas of the intranet allowing me to control access to certain groups. As far as i'm aware you can only join one domain at a time so opted to join the domain with the highest usage which works fine but on the other domain where authentication is required, the user is presented with a login box and have to use the domain\username format to login successfully which is obviously due to not being able to add the required user groups from this domain to the webserver which is part of another domain.........Have i confused you yet?

Anyway what i want to know is whether there's a way to add both domain groups so that it's a seemless login throughout!?

[joe90bass]

Have you setup a trust relationship between the two domains?

[randle]

Sorry i forgot to mention that these Two networks are on completely different physical infrastructures and only come together at this server so am unable to see one domain from the other

[Gatt]

are they in 2 seperate forests? If so then a trust relation will work.
I have 2 forests hear and created a trust relationship between them - both domains appear in XP Login
Also, theres an option in Group Policy to allow cross forest policies
(Default Domain Policy/Computer config/Administrative Templates/System/group policy/Allow Cross-Forest User Policy and Roaming Profiles (ENABLED))

[ajbritton]

Anyway what i want to know is whether there's a way to add both domain groups so that it's a seemless login throughout!?

I'm asking to be shot down, but I would say that it will not be possible. These two domains are obviously not linked (as you say) and there is therefore no trust between them. You will not be able to add groups from domains that are not part of the domain to which the machine belongs or that are trusted by it either directly or transitively.

You have opted for total isolation and this is the downside.

EDIT: You could join the networks and add routing between the IP schemes (if necessary) and then create a trust but I suspect you have them on seperate networks for a reason!

[randle]

Unfortunately having Two complete separate networks was not my choice to make at the time and not something the PTB will allow currently.

I thought it may be the case but wanted to check just in case i was missing something.

[Lee_K_81]

As another solution, could you virtualise the server? i.e. make 2 webservers, have one on each domain (thus removing the issue with the domain/username) then sort out replication between the two.

[randle]

This is an interesting idea but the server really doesn't have the power to host Two virtual sessions simultaneously unfortunately but i like the idea

[Lee_K_81]

what spec is the server?

[randle]

Windows 2k server, 2x P3 processors @ 1GHz, 1.5GB RAM, 4GB Primary partiton

[Lee_K_81]

Ah, yes you're probably right!