I was working on a company acquisition project where I wanted to add users from another forest root domain to Domain Admins. Domain Admins, however, is a global group: a group that can be used in its own domain, on member servers and workstations of the domain, and in trusting domains. In all those locations you can give a global group rights and permissions, and the global group can become a member of local groups. However, a global group can contain user accounts only from its own domain. Also, adding any user to Domain Admins gives full administrative rights over the entire domain, including workstations and servers.
I wanted to give administrator rights on domain controllers only and later, as required by management, extend the rights and privileges to servers and workstations. The diagram below shows the setup I will build step by step to achieve these permissions.
To start with, I have simulated a test environment: two Active Directory domain controllers, each in its own forest root, built using my earlier article POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY. Note that there is no trust between them yet. Here I am simulating two different companies, old.com and new.com; new.com has taken over old.com, and the new company now wants access to the old AD infrastructure.
Here I am performing the steps on old.com; the same steps must be performed on new.com. The first step is adding a new zone (a stub zone) on the DNS server. In dnsmgmt.msc (DNS Manager), right-click Forward Lookup Zones and select New Zone.
In the New Zone wizard select Stub zone under zone type, keep all the other settings default and press Next. (A stub zone is a copy of a zone containing only Name Server (NS), Start of Authority (SOA), and possibly glue Host (A) records. A server containing a stub zone is not authoritative for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.)
On the next screen you can select how you want DNS data replicated throughout your network. Keep the Active Directory Zone Replication Scope at its default, to all DNS servers running on domain controllers in this domain. Next, in Zone Name, enter the new company's domain name. The zone name specifies the portion of the DNS namespace for which this server is authoritative; it is not the name of the DNS server but the AD domain name. My zone name is new.com.
Next is the crucial step of adding the master DNS servers: specify the DNS servers from which you want to load the zone. A stub zone is loaded by querying the zone's master server for the SOA resource record, the NS resource records at the zone's root, and the glue A resource records. I add the new.com AD/DNS server IP address, and it shows a green icon indicating success. In the completion wizard, all looks good to me.
Take note of the wizard's Note: you should now add records to the zone or ensure that records are updated dynamically. You can then verify name resolution using nslookup.
Once the stub zone is added, I can verify in DNS Manager that the zone was created successfully, but it has a red icon showing the error: Zone not loaded by DNS server. The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed. Correct the problem, then either press F5 or, on the Action menu, click Refresh.
After refreshing, the Name Server and Host (A) records are visible.
I have performed the same steps on the new.com domain DNS server. Here I tried nslookup; all looks good to me now, so I can proceed.
Next, in Control Panel \ System and Security \ Administrative Tools, select Active Directory Domains and Trusts. In the management console, right-click the domain name and go to Properties.
In the properties, go to the Trusts tab and select New Trust. You have to perform these steps only once, on either of the two domains; I am performing them on old.com.
In the New Trust wizard you can create a trust between domains. A trust is a relationship that enables users in one domain, forest, or realm to be authenticated in a specified domain, forest, or realm. Type the name of the domain; if you type the name of a forest, you must type a DNS name. In the Trust Name I am entering new.com.
In Trust Type select Forest trust: a transitive trust between two forests that allows users in any of the domains in one forest to be authenticated in any of the domains in the other forest. In Direction of Trust, select Two-way: users in this domain can be authenticated in the specified domain, realm, or forest, and users in the specified domain, realm, or forest can be authenticated in this domain.
In Sides of Trust, if you have appropriate permissions in both domains, you can create both sides of the trust relationship. To begin using a trust, both sides of the trust relationship must be created. For example, if you create a one-way incoming trust in the local domain, a one-way outgoing trust must also be created in the specified domain before authentication traffic will begin flowing across the trust. I am selecting Both this domain and the specified domain; this option creates the trust relationship in both the local and the specified domains. You must have trust creation privileges in the specified domain.
On the next wizard screen, type the user name and password of an account that has administrative privileges in the specified domain.
For Outgoing Trust Authentication Level, for both the local forest and the specified forest, select Forest-wide authentication: Windows will automatically authenticate users from the specified forest for all resources in the local forest. This option is preferred when both forests belong to the same organization.
This is the Trust Selections Complete page; the settings are not yet configured. Verify the changes and click Next to proceed.
I need both the outgoing and the incoming trust, so I am confirming both.
This is the Completing the New Trust Wizard page; click Finish to close it.
On the Trusts tab I can see that an outgoing and an incoming trust have been created for the domain.
Now it is time to add users from the other domain to the Builtin\Administrators group. Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.
Open dsa.msc (Active Directory Users and Computers). Expand the domain, then Builtin, and double-click the Administrators group to open its properties. On the Members tab, click Add.
In Locations, select the other domain; type administrator in the object name box, click Check Names, and then click OK.
I can see that the new user from the other domain has been added to the Administrators group members. Click Apply.
Finally, for testing, I can log on to the domain controller and try creating a new user; it will be successful.
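The whole procedure above (stub zone, two-way forest trust, cross-forest member in Builtin\Administrators, and a check of who now holds that membership) as one PowerShell script. This is an added example, not the post's own steps; the IP addresses, the credential prompt, the `<SID=...>` membership form, and the presence of the DnsServer and ActiveDirectory modules are assumptions.

```powershell
# Added example (not from the original post): the GUI procedure as PowerShell.
# Assumptions: run on an old.com DC as a Domain Admin; new.com's DC/DNS is
# reachable at 192.0.2.10 (placeholder); DnsServer and ActiveDirectory modules installed.
Import-Module DnsServer, ActiveDirectory

# 1. Stub zone for the other forest (repeat on new.com, pointing at old.com).
#    A stub zone holds only SOA, NS and glue A records; this server is not
#    authoritative for it, it only learns where new.com's name servers are.
Add-DnsServerStubZone -Name 'new.com' -MasterServers '192.0.2.10' -ReplicationScope 'Domain'

# 2. Confirm cross-namespace resolution works before attempting the trust.
Resolve-DnsName -Name 'new.com' -Type NS
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.new.com' -Type SRV

# 3. Two-way forest trust created from old.com, both sides at once
#    (same choices as the New Trust Wizard). Needs an account with
#    trust-creation privileges in new.com, prompted for here.
$newCred = Get-Credential -Message 'Account with trust-creation privileges in new.com'
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    'Forest', 'new.com', $newCred.UserName, $newCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$localForest.CreateTrustRelationship($remoteForest, 'Bidirectional')

# 4. Verify the trust object now present in old.com.
Get-ADTrust -Filter "Name -eq 'new.com'" |
    Select-Object Name, Direction, ForestTransitive

# 5. Add new.com's administrator to Builtin\Administrators of old.com.
#    The <SID=...> form of the member attribute makes the DC create a
#    foreignSecurityPrincipal object for the cross-forest account.
$foreignUser = Get-ADUser -Identity 'administrator' -Server 'new.com' -Credential $newCred
Set-ADGroup -Identity 'Administrators' -Add @{ member = "<SID=$($foreignUser.SID.Value)>" }

# 6. Check: list every cross-forest principal that is now a member.
#    Each entry has full control of old.com's domain controllers, so this
#    list should stay short and be reviewed after every change.
Get-ADGroupMember -Identity 'Administrators' |
    Where-Object { $_.objectClass -eq 'foreignSecurityPrincipal' } |
    Select-Object Name, SID, distinguishedName
```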
This post first appeared on Tales From Real IT System Administrators World And Non-production Environment; please read the original post there.