Menu

Virtual Geek

Tales from my home lab environment.

Adding user to domain administrators from another cross domain - Part 1

I was working on one of the company acquiring project where I wanted to add users from another forest root domain to domain admins, but as Domain admins being global group, group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain. Also adding any user to domain admins gives exclusive rights entire domain including workstation and server.

POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY
DSC (DESIRED STATE CONFIGURATION) : DEPLOYING ACTIVE DIRECTORY

I wanted to give administrators rights on domain controllers only and later in future as per requirement by management, wanted to extend the rights and privileges on servers, workstations. Here is the below diagram which I will setup step by step for the achieving the permissions. 

Adding user to domain administrators from another cross domain - Part 1
Adding active directory group to computer local administrator Group using Group Policy Object - Part 2

cross active directory domain admin rights privileges  domain controller forest trust dns server stub zone administrators group

To start with I have simulated a test environment, Setup my 2 different active directory domain controllers in there own forest root using my earlier article POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY. Just to note there is no trust between them yet. Here I am simulating 2 different companies, old.com and new.com, new.com has taken over old.com and now new company wants to have access over old Ad infrastructure. 

Here I am performing steps on old.com and same steps will perform on new.com. The next step is adding new zone (stub zone) on the DNS server. On the dnsmgmt.msc (DNS Manager), under Forward Lookup Zone, right click and add New Zone.

Active directory, DNS manager, dns, forward lookup zone, new zone creation, stub zone.png

In the New zone wizard select Stub zone under zone type, keep all the settings default and press next. (Stub zone creates a copy of a zone containing only Name Server (NS), Start of Authority (SOA), and possible glue Host (A) records. A server containing a stub zone is not authoritative for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.)

DNS Manager new zone wizard primary zone, secondary zone, stub zone, store the zone in active directory

On the next screen you can select how you want DNS data replicated throughout your network, Keep Active directory Zone Replication Scope to default, to all DNS servers running on domain controllers in this domain, next in the Zone Name select the new comply domain name, The zone name specifies the portion of the DNS namespace for which this server is authoritative The zone name is not the name of the DNS server but AD domain name. My zone name is new.com.

dns manager new zone wizard active directory zone replication scope, dns servers running on domain controllersj in domain and forest, zone name.png

Next here is the crucial step of adding Master DNS servers, specify the DNS servers from which you want to load the zone. A stub zone is loaded by querying the zone's master server for the SOA resource  record, the NS resource records at the zone's root, and glue A resource records. and Adding new.com AD/DNS server IP address with green successful icon. In the completion wizard, all looks good to me.

Make sure of the Note: You should now add records to the zone or ensure that records are updated dynamically. you can then verify name resolution using nslookup.

dns server master dns servers stub zone, completing the new zone wizard cross domain admins rights

Once adding stub zone completed. I can verify in DNS Manager that zone is successfully, but with red icon showing error Zone not loaded by DNS server, The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed. Correct the problem then either press F5, or on the action menu, click refresh.

After following refresh step, I can view Name server and Host (A) records are visible.

dns manager stub zone refresh pointers zone not loaded by DNS server, cross domain admin rights

I have perform the same step on New.com domain DNS server. Here I tried nslookup, all looks good to me now to proceed.

nslookup results for dns server stub zone, adding stubzone for cross domain admins management and access.png

Next in the control panel \ system and Security\ Administrative tools select Active Directory Domain and Trusts, in the management console on the domain name right click and go to properties.

Active directory domains and trusts, administrative tools, adding trust properties adding cross domain admins in active directory

In the properties, go to Trusts tab and select new trust. You have to perform these steps only once on any of the one domain and I am performing it on old.com

active directory domains and trusts, outgoing trusts, incoming trust, trust type, domain name, transitive, new trust, cross domain admins

In the new trust wizard, you can create a trust between domain, Trust is a relationship that enabled users in one domain, forest, or realm to be authenticated in a specified domain forest, or realm. Type the name of the domain, if you type the name of a forest. you must type a DNS name. In the Trust name I am adding name new.com.

Active Directory new trust wizard, kerberos realm trust, another forest, trust Name netbios or dns name, cross domain admin rights

In the Trust Type select Forest Trust, this is a transitive trust between two forests that allows in any of the domains in one forest to be authenticated in any of the domains in the other forest. In the Direction of trust, select Two-way, users in this domain can be authenticated in the specified domain, realm, or forest, and users in the specified, realm, or forest can be authenticated in this domain.

Active directory, trust type, forest trust root domain, Direction of trust two-way, one-way incoming outgoing, external trust domain qualifier

Here in Sides of trust, if you have appropriate permissions in both domain, you can create both sides if the trust relationship. To begin using a trust, both sides of the trust relationship must be created. For example, if you create a one-way incoming trust in the local domain, a one-way outgoing trust must also be created in the specified domain before authentication traffic will begin flowing across the trust. I am selecting Both this domain and the specified domain, This option creates trust relationship in both the local and the specified domains. you must have trust creation privileges in the specified domain.

In next wizard screen type the user name and password of an account that has administrative privileges in the specified domain.

active directory domain and trusts sides of trust, specified domain, new trust wizard, user name and password cross domain admin rights

Select Outgoing trust authentication level -local forest and specified forest as forest-wide authentication for both - Windows will automatically authenticate users from the specified forest for all resources in the local forest. This option is preferred when both forests belong to the same organization.

active directory domain and trusts new trust wizard outgoing trust, forest-wide authentircation, selective authentication, cross domain active directory domain admins

This is trust selection and creation configuration complete page, settings are yet to configured, Verify the changes, and click next to proceed.

active directory turst selection and creation complete, trust type, forest trust, two-way, outgoing trust authentication cross domain admin privileges

I need both outgoing and incoming trust, I am selecting both.

Active directory domain and trusts new trust wizard outgoing trust cross domain trust domain admin rights

This is completing the new trust wizard, finish it to close.

active directory new trust wizard, route names to specified forest, cross domain forest admin rights.png

I can see on the Trusts tab there is outgoing and incoming trust created for domain.

active directory domain and trusts, new trust domain with outgoing and incoming trust transitive yes trust type forest.png

This is the time to add users from another domain to builtin\administrators group. Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.

Open dsa.msc, Active directory users and computers. Expand domain, Builtin, then double click Administrators group to open properties. in the Members tab click Add button.

active directory users and computers , builtin administrators properties members. add users from cross domain admin rights.png

In the location select another domain name, type administrator in the object name and hit Check Names. and click ok button.

acitve directory users and computers select users computers, service accounts, groups, or other objects choose locations for cross domain admin account

I can see that new user added to administrators group members from another domain, Click apply.

ad users and computer, dsa.msc, Administrators properties, add user from cross domain.png

Now in the last for testing I can login on to domain controller and try creating a new user, it will be successful.

Useful articles
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY 
POWERSHELL ACTIVE DIRECTORY: ADD OR UPDATE (CHANGE) MANAGER NAME IN ORGANIZATION TAB OF USER
POWERSHELL ACTIVE DIRECTORY: ADD OR UPDATE PROXYADDRESSES IN USER PROPERTIES ATTRIBUTE EDITOR
Powershell one liner: Create multiple user accounts
Active Directory Powershell: Create bulk users from CSV file

Go Back

Comment

Blog Search

Page Views

1804668

Follow me on Blogarama