What MS doesn't tell you...How to properly create a Two Way External Domain Selective Trust between two separate forests.



So, you want to create a Two Way External Domain Selective Trust between two separate forests you say?  You must have a lot of time on your hands.  Here is why... Microsoft only tells you about 75% of what you need to do to get this working.  Basically enough to get it working if you were going to use domain wide authentication, which is NOT what you were looking for.  They tend to leave that last 25% out of the picture, probably hoping you would quit, conform, and tick the Domain Wide box...

There is help for you my friend, help in the form of someone else who has gone down this path, slayed various cave trolls, created powerful enchantments and deciphered enough of the Ithildin Moon-Letters to reveal the answer...



Purpose

This document records the settings that were required to establish the Selective Active Directory trust between Contoso.com and Fabrikam.com External Domains.

Create the Trust in Active Directory Domains and Trusts

The trust must be created on both sides, Fabrikam and Contoso.  Be sure to use fully qualified domain names for both organizations in the trust.  Credentials will need to be entered by an administrator of the other organization when “yes, validate the incoming trust” is selected.

Note: An administrator from Fabrikam and Contoso must enter credentials to validate the incoming direction of trust.

Give Right to Authenticate to Kerberos account on each domain

Contoso Configuration
  1. Add Fabrikam Security Group to Kerberos Key Distribution Service Account
  2. A Fabrikam security group was added to the Contoso Kerberos Key Distribution Service Account with Allowed to authenticate permissions.

Fabrikam Security Group:  Contoso_KDSA
Members - Admins of the Contoso domain.


Fabrikam Configuration

  1. Add Contoso Security Group to Kerberos Key Distribution Service Account
  2. A Contoso security group was added to the Fabrikam Key Distribution Service Account with Allowed to authenticate permissions.

Contoso Security Group: Fabrikam_KDSA
Members - Admins of the Fabrikam domain.

Add security group to AdminSDHolder for each domain


Add Fabrikam Security Group to AdminSDHolder Account at Contoso
A Fabrikam security group was added to the Contoso AdminSDHolder container with Allowed to Authenticate permissions.

Contoso Configuration
dsacls "CN=AdminSDHolder,CN=System,DC=Contoso,DC=com" /G "Fabrikam\Contoso_KDSA:CA;Allowed to Authenticate"

Add Contoso Security Group to AdminSDHolder Account at Fabrikam
A Contoso security group was added to the Fabrikam AdminSDHolder container with Allowed to Authenticate permissions.
Fabrikam Configuration
dsacls "CN=AdminSDHolder,CN=System,DC=Fabrikam,DC=com" /G "Contoso\Fabrikam_KDSA:CA;Allowed to Authenticate"


Add the Security Group to All Computer Accounts That Need Access

This must be a Domain Local Security group that contains the Fabrikam user accounts that are allowed to access resources in Contoso.  A security group on the Contoso domain containing Fabrikam user accounts that need to access resources on the Contoso domain needs to be added to the computer account for all the domain controllers, file servers and any other computer for which access is required.  Grant Allowed to authenticate permission to that group.

NOTE: Granting Allowed to Authenticate permission does not inherently grant or allow access. It simply allows for access to be attempted.
Contoso Configuration

Contoso Security Group: Fabrikam_DC_Trust
Members:  Users of the Fabrikam domain


Fabrikam Configuration
This must be a Domain Local Security group that contains the Contoso user accounts that are allowed to access resources in Fabrikam.  A security group on the Fabrikam domain containing Contoso user accounts that need to access resources on the Fabrikam domain needs to be added to the computer account for all the domain controllers, file servers and any other computer for which access is required.  Grant Allowed to authenticate permission to that group.

Fabrikam Security Group: Contoso_DC_Trust
Members:  Users of the Contoso domain.
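The per-computer grant described above, as an added example that is not part of the original post: this PowerShell adds an Allowed to Authenticate ACE for Contoso\Fabrikam_DC_Trust to every domain controller computer object in Contoso, and can be pointed at file servers by changing the search base. It assumes the ActiveDirectory module, a Contoso domain admin session, that the DC accounts sit in the default Domain Controllers OU, and a $DryRun switch of my own for a no-change run.

```powershell
# Added example, not the original post's script. Grants the "Allowed to Authenticate"
# control access right to the Contoso domain-local group Contoso\Fabrikam_DC_Trust on each
# domain controller computer object, which the section above does by hand in the GUI.
# Assumes: ActiveDirectory module (RSAT), a Contoso domain admin session, and that the DC
# accounts are in the default Domain Controllers OU. $DryRun (hypothetical) only reports.
param([switch]$DryRun)
Import-Module ActiveDirectory

$secgrp = "Contoso\Fabrikam_DC_Trust"
# Look up the right's GUID in the schema instead of hard-coding it
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
  -LDAPFilter "(displayName=Allowed to Authenticate)" -Properties rightsGuid
$allowedToAuth = [guid]$right.rightsGuid

# The ACE to add: Allow / ExtendedRight / object type = Allowed to Authenticate
$identity = [System.Security.Principal.NTAccount]::new($secgrp)
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
  $identity,
  [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
  [System.Security.AccessControl.AccessControlType]::Allow,
  $allowedToAuth)

# Widen or replace this search base to cover file servers and other computers needing access
$targets = Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,DC=Contoso,DC=com"
foreach ($computer in $targets) {
  $path = "AD:$($computer.DistinguishedName)"
  $acl = Get-Acl -Path $path
  # Skip objects that already carry the exact ACE so the script is safe to re-run
  $present = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $secgrp -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $allowedToAuth }
  if ($present) { Write-Output "$($computer.Name): already granted"; continue }
  if ($DryRun)  { Write-Output "$($computer.Name): would grant Allowed to Authenticate"; continue }
  $acl.AddAccessRule($rule)
  Set-Acl -Path $path -AclObject $acl
  Write-Output "$($computer.Name): granted Allowed to Authenticate to $secgrp"
}
```

Remember the NOTE above: this ACE only lets the Fabrikam users attempt authentication to these computers; share and NTFS permissions still decide what they can reach.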



Additional Notes

PowerShell Script to List All Computer Objects with the Allowed to Authenticate Security Group
The following PowerShell script will list all computer objects in the Contoso domain with the Fabrikam_DC_Trust security group granting Allowed to Authenticate permission.

ListACLWithFabrikam.ps1
# Requires the ActiveDirectory module (RSAT); it provides the AD: drive used by Get-Acl
Import-Module ActiveDirectory
Write-Output "List Computer ACL that contains Contoso\Fabrikam_DC_Trust"
$secgrp = "Contoso\Fabrikam_DC_Trust"   # IdentityReference is reported in NetBIOS form
# Resolve the GUID of the Allowed to Authenticate control access right from the schema
# so the script matches that right itself, not just any ACE naming the group
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=Allowed to Authenticate)" -Properties rightsGuid
$allowedToAuth = [guid]$right.rightsGuid
$computers = Get-ADComputer -Filter * -SearchBase "DC=Contoso,DC=com"
foreach ($computer in $computers) {
  # $computer already carries the DN, so no second Get-ADComputer lookup is needed
  $acls = (Get-Acl "AD:$($computer.DistinguishedName)").Access
  $match = $acls | Where-Object {
    $_.IdentityReference.Value -eq $secgrp -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $allowedToAuth }
  if ($match) { Write-Output $computer.Name }   # one line per matching computer
}

Special Thanks - I would also like to thank Tom Howard of Anexinet for his help and support throughout this configuration.

@tomhoward17
