I cannot access the shared folder in W2008R2 in sub-domain.

    Question

  • We cannot access the network shared folder in W2008R2 DC of the sub-domain.

    Our scenario is as follows:

    The main-domain(AAA.com) has two DCs (W2008R2+W2003R2).

    The sub-domain(BBB.AAA.com) has two DCs(W2008R2+W2003R2).

    There is a trust relationship between AAA.com and BBB.AAA.com.

    There are network shared folders in both W2008R2 and W2003R2 of domain BBB.AAA.com.

    Those shared folders gave access rights to the users in domain AAA.com.

    The domain users in AAA.com can access W2003R2 of BBB.AAA.com but cannot access W2008R2 with the error message “no access right”.

    The domain users in BBB.AAA.com can access both DCs in BBB.AAA.com.

    Presumably there is something wrong with W2008R2 of BBB.AAA.com.

    Please guide us in managing this issue.

    Thanks a lot in advance!

    Wednesday, August 20, 2014 5:29 PM

Answers

  • How was DNS designed to support your parent-child AD?

    Is there a delegation for bbb under aaa.com configured with the child DNS addresses and the child DNS set with a forwarder from the child DNS to the parent DNS, or is the aaa.com zone set to replicate forest wide?

    I'm just trying to rule out resolution issues that can contribute or cause this. More info:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    *

    If DNS is configured correctly, maybe it's the way the share permissions are configured? Check the following for pointers - take a look at the example at the bottom of the blog.

    Using Group Nesting Strategy - AD Best Practices for Group Strategy
    Published by acefekay on Jan 6, 2012 at 10:34 PM
    http://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, August 21, 2014 2:58 AM
  • Have you checked the NTFS permissions on the files and folders? A user needs to be able to get access to the share (which it sounds like they can) but then they need to have permissions to access the files within the share itself, which is NTFS.

    So go to properties and then the security tab on the folder of the share and verify that the users have access rights.


    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    Thursday, August 21, 2014 11:58 AM

All replies

  • Thanks for your advice.

    I will test DNS and inform you.

    Sorry, I could not take action because so far I was engaged in an emergency issue in another place.

    Wednesday, August 27, 2014 8:38 AM
  • Thanks for your advice.

    This was completely configured so.

    Wednesday, August 27, 2014 8:41 AM
  • Configuration of share permissions looks OK.

    But my colleague informed me of another phenomenon.

    The two DCs in AAA.com cannot access the share folders in W2008R2 DC in BBB.AAA.com

    But the member server in AAA.com can access them.

    User is domain administrator in AAA.com and others as well.

    I will check DNS setting.

    Wednesday, August 27, 2014 9:42 AM
  • I have checked DNS design in the forest.

    It is quite a simple centralized design. The DC in the parent domain contains DNS. There seems to be no problem in DNS.

    Does a broken AD file cause the issue?

    I would like to ask for further guidance.

    Thanks a lot in advance.

    Friday, August 29, 2014 3:16 PM
  • Configuration of share permissions looks OK.

    But my colleague informed me of another phenomenon.

    The two DCs in AAA.com cannot access the share folders in W2008R2 DC in BBB.AAA.com

    But the member server in AAA.com can access them.

    User is domain administrator in AAA.com and others as well.

    I will check DNS setting.

    Can you post screenshots of the ACL of the folder, and the user account that's attempting to access it and what specific groups they are in, please?

    Do the member servers and the DCs have a Search Suffix (in ipconfig /all) for BBB.AAA.com, or just the member servers?

    Thank you.


    Ace Fekay

    Friday, August 29, 2014 6:32 PM
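
The checks the replies above ask for (share permissions versus NTFS permissions on the folder, and the DNS search suffix), collected as text that can be pasted into a post instead of screenshots. This is an added example, not part of any poster's reply; the share name `Data` is a hypothetical placeholder, and the script assumes an elevated PowerShell session on the W2008R2 file server. It does not expand group membership, so nested groups still have to be checked separately.

```powershell
# Added example. Run elevated on the file server; 'Data' is a hypothetical share name.
param([string]$ShareName = 'Data')

$share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
if (-not $share) { throw "Share '$ShareName' not found on $env:COMPUTERNAME" }

# 1. Share permissions (Sharing tab), read from the share's security descriptor.
$shareAces = @()
$sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
if ($sec) {
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $trustee = $ace.Trustee.Name
        if (-not $trustee) { $trustee = $ace.Trustee.SIDString }   # unresolved SID
        elseif ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
        $rights = switch ($ace.AccessMask) {
            2032127 { 'FullControl' }
            1245631 { 'Change' }
            1179817 { 'Read' }
            default { '0x{0:X}' -f $_ }
        }
        $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        $shareAces += New-Object PSObject -Property @{
            Trustee = $trustee; Rights = $rights; Type = $type }
    }
}

# 2. NTFS permissions (Security tab) on the folder behind the share.
$ntfsAces = @((Get-Acl -Path $share.Path).Access | Select-Object IsInherited,
    @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
    @{ n = 'Rights';  e = { $_.FileSystemRights } },
    @{ n = 'Type';    e = { $_.AccessControlType } })

# 3. Network access is limited by the more restrictive of the two lists, so
#    list trustees that appear on only one of them for review.
$shareNames = @($shareAces | ForEach-Object { $_.Trustee })
$ntfsNames  = @($ntfsAces  | ForEach-Object { $_.Trustee })
$onlyShare  = @($shareNames | Where-Object { $ntfsNames  -notcontains $_ })
$onlyNtfs   = @($ntfsNames  | Where-Object { $shareNames -notcontains $_ } | Select-Object -Unique)

"Share '$ShareName' -> $($share.Path) on $env:COMPUTERNAME"
$shareAces | Format-Table Trustee, Rights, Type -AutoSize | Out-String
$ntfsAces  | Format-Table Trustee, Rights, Type, IsInherited -AutoSize | Out-String
"On share list only: $($onlyShare -join ', ')"
"On NTFS list only : $($onlyNtfs -join ', ')"

# 4. DNS suffix search list and DNS servers per adapter (run on clients and DCs too).
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Format-List Description, DNSDomain, DNSDomainSuffixSearchOrder, DNSServerSearchOrder
```

Running step 4 on both a parent-domain DC and the parent-domain member server gives a side-by-side view of the suffix and DNS server settings the question about `ipconfig /all` is after.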
  • Thanks for your reply.

    *Access rights*

    I have made the screen copy.

    How can I post it?

    I am not allowed to use our Webserver.

    I will try to describe the screens.

    Sharing:

    Administrator      Read/Write
    Administrator      Read/Write
    Administrators     Owner
    Group A            Read/Write
    Group B            Read/Write

    Security:

    Group B (AAA\GroupB)                  FullControl
    Group A (AAA\GroupA)                  FullControl
    Administrator                         FullControl
    Administrator                         FullControl
    Administrators (BBB\Administrators)   FullControl

    Two administrators are on the list.

    One is Administrator of domain AAA.com.

    The other one is administrator of domain BBB.AAA.com.

    *Search suffix*

    DCs and the member server have the search suffix AAA.com.

    Thanks for your help in advance.

    Best regards




    • Edited by LAN Cabling Monday, September 01, 2014 4:46 PM
    Monday, September 01, 2014 4:41 PM