Active Directory By the Numbers: Windows Server 2003
Tutorial: Accessing Resources Across Domains
In this tutorial, we create a new shared folder on the domain controller for the denver.guinea.pig domain. We wish to share this folder with the marketing group in the guinea.pig domain.
- On the denver domain controller, create a new folder named shares. Give it NTFS permissions of Full Control for the Administrators group only.
- Inside the shares folder, create a new folder named guinea_shares. This folder inherits the NTFS file permissions of its parent folder.
- Share the guinea_shares folder using network share permissions of Full Control for Administrators and Modify (read and write access) permissions for the Everyone group. Access over the network is limited to what both the share permissions and the NTFS permissions allow, so the NTFS permissions still decide who can use the folder.
- Open Active Directory Users and Computers and create an OU named Cross Domain Objects.
- Create a new group inside the Cross Domain Objects OU. Name it guinea.pig Marketing Group. Under Group scope, select Domain Local and ensure that Security is selected for Group type. Click OK when finished.
- Right-click this new group and select Properties. Click the Members tab.
- Click Add. In order to add the Marketing group from the guinea.pig domain, we must tell our new domain controller where to find it. We can use either of these two syntaxes:
  object name@domain name
  or
  domain name\object name
  For our example here, we can type:
  marketing@guinea.pig
  or
  guinea.pig\marketing
  Enter either one of these examples and click Check Names. Windows replaces what you have typed with the name of the group you are adding. In this case, the word Marketing now appears.
- Click OK twice to dismiss the dialog boxes.
  We have added our first domain local group to the denver.guinea.pig domain. We have also nested a global group from the guinea.pig domain inside this new domain local group.
- Close Active Directory Users and Computers. Navigate back to the local path of the guinea_shares folder (for example, C:\shares\guinea_shares) and give the new guinea.pig Marketing Group Modify NTFS file permissions.
- Boot up one of our test Windows client computers and log on to the guinea.pig domain as a member of the Marketing group.
- Navigate to the shared folder on the denver domain controller at \\denver.guinea.pig\guinea_shares and create a new folder inside the share. As a member of the domain local group inside the denver domain, you have the permissions to create and delete files and folders inside this share.
- Log out and log back in as a member of the art department and navigate to the share located on denver's domain controller. Notice that you are denied access, as the art group was never added to the domain local group on the denver domain controller.
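The outcome of the last two steps can be reproduced with a small model of the access check. This Python sketch is an added example, not part of the original tutorial and not Windows code. The NetBIOS names GUINEA and DENVER, the Art group name, and the user names mary and andy are assumptions, and deny entries and inheritance are not modelled.

```python
# Added example: simplified model of share + NTFS evaluation for the tutorial's setup.
FULL = {"read", "write", "delete", "change_acl"}
MODIFY = {"read", "write", "delete"}

# Constructed directory data. Domain short names and user names are hypothetical.
GLOBAL_GROUPS = {          # global groups hold accounts from their own domain
    r"GUINEA\Marketing": {r"GUINEA\mary"},
    r"GUINEA\Art": {r"GUINEA\andy"},
}
DOMAIN_LOCAL_GROUPS = {    # domain local groups may nest groups from other domains
    r"DENVER\guinea.pig Marketing Group": {r"GUINEA\Marketing"},
    r"DENVER\Administrators": {r"DENVER\Administrator"},
}
SHARE_ACL = {r"DENVER\Administrators": FULL, "Everyone": MODIFY}
NTFS_ACL = {r"DENVER\Administrators": FULL,
            r"DENVER\guinea.pig Marketing Group": MODIFY}

def token_groups(user):
    """Collect the principals that end up in the user's token on the file server."""
    sids = {user, "Everyone"}
    sids |= {g for g, members in GLOBAL_GROUPS.items() if user in members}
    # Domain local groups of the resource domain are resolved last and match
    # any principal already collected (the user or one of its global groups).
    sids |= {g for g, members in DOMAIN_LOCAL_GROUPS.items() if members & sids}
    return sids

def granted(acl, sids):
    """Union of the rights from every allow entry whose trustee is in the token."""
    rights = set()
    for trustee, allowed in acl.items():
        if trustee in sids:
            rights |= allowed
    return rights

def effective_access(user):
    """Over the network, a right must be granted by both the share and NTFS ACLs."""
    sids = token_groups(user)
    return granted(SHARE_ACL, sids) & granted(NTFS_ACL, sids)

if __name__ == "__main__":
    for user in (r"GUINEA\mary", r"GUINEA\andy", r"DENVER\Administrator"):
        print(user, sorted(effective_access(user)) or "ACCESS DENIED")
```

The art user passes the share ACL through Everyone but matches no NTFS entry, which is why broad share permissions are only safe when the NTFS ACL stays restrictive.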