  #1

    Replicate usernames and password only between Win2k domains

    I have started implementing LDAP access for some of our websites so that the staff can use their network usernames and passwords (rather than having to remember another one).

    The problem I am facing is that we have 2 domains (curriculum and admin - yeah I know I could set up as one with better permissions) and the LDAP authenticates against the main curriculum domain where most of the staff have accounts.

    Both domains are Windows 2000.

    Is there any way to somehow replicate the staff accounts from the admin domain to the curriculum domain so they can use their usernames and passwords but that don't have any other rights to actually log onto the curriculum domain?

  #2

    Trusts.

    Understanding domain trusts

    These seem to be coming up a lot lately.

    It'll allow the users to be authenticated in the trusted domain (assuming you set up a one-way trust) and you can just remove their right to log on interactively to any computers in that domain via GPO, or simply not provide them any permissions other than to authenticate.

  #3

    I have a vague feeling that trusts are already setup between the 2 domains.

    We have it so users can be given permissions on shares between the 2 domains easily.

    I'm feeling a little noobish but could you possibly point me in the direction of how I have their accounts trusted for auth only?

  #4

    I should point out that I don't use Windows 2k, so can't be completely sure that this would be the right route.

    Basically though you should be able to create a group with membership assigned to all of the users from the admin domain, then allow it Network Authentication permission, but deny Interactive Logon to all machines. This'll allow them to authenticate, but not actually log on to any computers.

    The permission you need is under Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Deny log on locally. Add the group you've created to hold the users and apply it at the appropriate point for any machines in the network where you want them unable to log on. You can lock down various other permissions as well.

    Active Directory Users, Computers, and Groups - goes into a bit more detail on interactive logon and network authentication.

  #5

    I have just checked the domains and there is a 2 way trust between them.

    I am at a complete loss now as to how I can allow the LDAP process on Request Tracker and MRBS to ask for authentication through the curriculum server that they point to - to the other trusted domain.


  #6

    If the users from the admin domain are visible in the curriculum domain, and can authenticate there, then it should be automatic from that point on.

    The sites will go to the curriculum DC to authenticate credentials, the curriculum DC will recognise that it's not credentials for accounts in its own domain and fire the requests off to the trusted admin DC, that'll come back saying that the users do exist and are valid, and that should be it.

    I think so anyway.

  #7

    The users from the admin domain aren't visible in the curriculum domain.

    That's the step I think I am lost at.

  #8

    Right, we're getting somewhere then.

    Create a domain local group and go to add members to it, you should find that you're able to add members from the foreign domain.

    Failing that, on the foreign domain create a universal security group and you should be able to surface that in the curriculum domain.

  #9 (Michael)

    I'm not so sure that a domain trust would have any impact. Users still authenticate against their own server, but for example, can access shares held on another domain, hence the need for a trust.

    I presume both servers are Global Catalog servers, as this holds information on objects in its own domain and any other domain associated with it. In saying that, I can imagine this is going to get very difficult to achieve. Long term, properly merging the domains would give you the true single sign on you want to achieve.

  #10

    Quote Originally Posted by Michael:
        I'm not so sure that a domain trust would have any impact. Users still authenticate against their own server, but for example, can access shares held on another domain, hence the need for a trust.

        I presume both servers are Global Catalog servers, as this holds information on objects in its own domain and any other domain associated with it. In saying that, I can imagine this is going to get very difficult to achieve. Long term, properly merging the domains would give you the true single sign on you want to achieve.

    True, but the computers will be sending a request to their own DC for authentication - if that DC doesn't have permissions for those users to authenticate in its domain then it won't forward the authentication request.

  #11 (Michael)

    Quote:
        True, but the computers will be sending a request to their own DC for authentication - if that DC doesn't have permissions for those users to authenticate in its domain then it won't forward the authentication request.

    Yes I agree with you there. Unless LDAP can be modified to look at two domains (possible in theory), maybe the only other way would be to create a secondary logon page for these users which authenticates against the second server.

    Long term, a single manageable domain would make things easier. Having two domains would require two instances of AV and WSUS for example.

  #12

    Still playing about with the Local groups on the curriculum domain.

    With the AV and WSUS it works fine via both domains.

  #13

    Thinking about it, there's no need to modify LDAP to look at two domains. Why are the users not simply using their full domain\username, or username@domain to log on?

    With DNS set up, and the permissions configured, that should sort it.

  #14

    I tried with the usernames in the format you mentioned and it doesn't seem to work.

    Do I need to have a transitory trust between the 2 domains? From what I read about it I don't think I should - but thought I would ask.

    I also tried creating the local domain group on the curriculum domain and adding the admin users to it. This does not seem to have worked either. Does it require a server restart or anything?

    PS. I have a feeling that because the LDAP requires a specific base domain to read from it won't just switch between the curriculum and admin domains with the user@curriculum.domain or user@admin.domain usernames.
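
The PS above is the practical crux for a web application doing LDAP authentication: a client configured with one base DN binds and searches in one directory partition, and the admin domain's user objects are not stored in the curriculum domain's partition, so neither DOMAIN\user nor user@domain helps until the request is sent to the directory that actually holds the account. The Python below is an added example written for this thread; it is not code from the posts, from Request Tracker or from MRBS. It parses both logon formats, looks the domain up in a small table to find that domain's DC and base DN, and binds there, so it does not depend on the curriculum DC forwarding the bind across the trust. The realm table, domain names, DC host names and base DNs are all assumptions. It also carries two checks a practitioner wants in any LDAP logon form: it refuses an empty password before touching the network (an Active Directory simple bind with an empty password succeeds as an anonymous bind), and it escapes the account name before building the search filter.

```python
"""Route an LDAP simple bind to the user's home domain before binding.

Added example for this thread, not code from the posts or from Request
Tracker / MRBS. Realm names, DC hosts and base DNs are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class Realm:
    netbios: str   # short name used in DOMAIN\user logons
    dns_name: str  # DNS name used in user@domain logons
    dc_host: str   # a domain controller for this realm
    base_dn: str   # the only base DN that actually holds this realm's users

# Constructed realm table; a real deployment reads this from configuration.
REALMS = (
    Realm("CURRICULUM", "curriculum.school.local",
          "dc1.curriculum.school.local", "DC=curriculum,DC=school,DC=local"),
    Realm("ADMIN", "admin.school.local",
          "dc1.admin.school.local", "DC=admin,DC=school,DC=local"),
)
DEFAULT_REALM = REALMS[0]  # a bare "user" goes here, as a single base DN would

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so an account name cannot rewrite the search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def parse_logon_name(logon: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' or 'user@domain' into (domain hint, account)."""
    if "\\" in logon:
        dom, _, acct = logon.partition("\\")
        return dom, acct
    if "@" in logon:
        acct, _, dom = logon.rpartition("@")
        return dom, acct
    return None, logon

def route(logon: str) -> Tuple[Realm, str]:
    """Pick the realm whose DC must receive both the bind and the search."""
    hint, acct = parse_logon_name(logon)
    if not acct:
        raise ValueError("empty account name")
    if hint is None:
        return DEFAULT_REALM, acct
    for realm in REALMS:
        if hint.lower() in (realm.netbios.lower(), realm.dns_name.lower()):
            return realm, acct
    raise LookupError(f"unknown domain {hint!r}")

@dataclass(frozen=True)
class AuthResult:
    realm: Realm
    account: str
    search_filter: str  # run against realm.base_dn to read the user's attributes

# (dc_host, bind identity, password) -> did the bind succeed
Binder = Callable[[str, str, str], bool]

def authenticate(logon: str, password: str, binder: Binder) -> Optional[AuthResult]:
    """Bind as the user against their own domain's DC; None on any failure.

    An empty password is refused before any network call: Active Directory
    treats a simple bind with an empty password as an anonymous bind and
    reports success, which a bare "did bind() return True" check accepts.
    """
    if not password:
        return None
    try:
        realm, acct = route(logon)
    except (ValueError, LookupError):
        return None
    # AD accepts the NetBIOS\sAMAccountName form as a simple-bind name.
    if not binder(realm.dc_host, f"{realm.netbios}\\{acct}", password):
        return None
    flt = f"(&(objectClass=user)(sAMAccountName={ldap_filter_escape(acct)}))"
    return AuthResult(realm, acct, flt)

def ldap3_binder(dc_host: str, identity: str, password: str) -> bool:
    """Real binder: third-party ldap3 library over LDAPS (TCP 636), imported
    lazily so the rest runs without it. Plain LDAP on 389 would send the
    password in clear text."""
    import ldap3  # pip install ldap3
    server = ldap3.Server(dc_host, port=636, use_ssl=True)
    conn = ldap3.Connection(server, user=identity, password=password,
                            authentication=ldap3.SIMPLE)
    try:
        return bool(conn.bind())
    finally:
        conn.unbind()

if __name__ == "__main__":
    # Offline demonstration with a stand-in binder instead of a real DC.
    def demo_binder(host: str, ident: str, pw: str) -> bool: return pw == "correct-horse"
    print(authenticate("jsmith@admin.school.local", "correct-horse", demo_binder))
    print(authenticate("CURRICULUM\\jsmith", "", demo_binder))  # None: no bind attempted
```

Run as-is for the offline demonstration. In a real deployment pass `ldap3_binder` instead of the stand-in, and then read the user's attributes on the same DC with `search_filter` against `realm.base_dn`; the attribute lookup has to go to the user's own domain for the same reason the bind does.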

  #15 (binky)

    Have you tried using Identity Integration Server to sync the users?
