How to have access to a share outside the domain

    Question

  • Hello,

    I have a domain with several users to whom I would like to grant access to a special folder on a Windows Server 2012 which I cannot add to the same domain.

    I also would not like to create new accounts for the users on the Windows server where the folder exists.

    Is it possible? How can I do that?

    Thank you very much.

    Best regards.

    Jayme Jeffman Filho

    Friday, January 20, 2017 7:11 PM

All replies

  • If you meant outside as in internet then probably set up an FTP site, or if inter-domain then you can set up a one way or two way trust.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, January 20, 2017 7:20 PM
  • No, outside means just outside the domain but on the same network
    Friday, January 20, 2017 7:22 PM
  • Jeff,

    If you want to access external domain resources, then you will have to set up a trust relationship between your domain and the third party domain. You can set up a one way or a two way transitive trust depending upon your set requirements.

    This is called trust between two different SMTP forests.

    Two way trust:-

    - https://social.technet.microsoft.com/wiki/contents/articles/13906.how-to-create-two-way-transitive-trust-windows-server-2008-r2.aspx

    Understanding trust relationship:-

    - https://technet.microsoft.com/en-us/library/cc816810(v=ws.10).asp

    Hope this helps

    • Edited by Akabe Friday, January 20, 2017 7:29 PM
    • Proposed as answer by Akabe Friday, January 20, 2017 7:29 PM
    • Marked as answer by JJeffman Monday, January 30, 2017 7:06 PM
    Friday, January 20, 2017 7:28 PM
  • Thank you very much for answering me.

    The first link sets a trust relationship between two domains. It is not the case; there is just one domain. The Windows server does not belong to any domain, I cannot add it to the same domain, though.

    The second link has led me to a not found page error.

    Thank you very much.

    Friday, January 20, 2017 7:39 PM
  • Then I'd probably do the latter, one-way or two-way trust.

    Regards, Dave Patrick ....

    Friday, January 20, 2017 7:43 PM
  • If in a single forest you have multiple trees, then there is automatically a trust created and this will be a two way transitive trust.

    You will have to add the windows server to the domain. Then it will integrate with your DC (on which you will have the AD role installed) and you will be able to access the resources within the same domain.

    How many DCs do you have? Can you share info on your environment...

    Are you just trying to map shared drives to AD users? File share server with a designated drive > Create multiple folders > Share the folder > It will have a shared path > and assign permission to those set of users/Security group.

    I think you will be interested in Realm Trust? See the article below.

    Second article:-

    - https://technet.microsoft.com/en-us/library/cc731404(v=ws.11).aspx


    • Edited by Akabe Friday, January 20, 2017 7:50 PM
    Friday, January 20, 2017 7:49 PM
  • May I set up a two-way trusted relationship between the server itself and the domain ?
    Friday, January 20, 2017 7:49 PM
  • Conclusion:- After considering several thoughts and questions in my head:)

    To set up a trust between your DC and a windows server and on top of it having your domain users access it, you will have to join the windows server to the domain and then grant permissions to access things 

    This is what I think. Otherwise it wouldn't work.


    • Edited by Akabe Friday, January 20, 2017 8:22 PM
    • Marked as answer by JJeffman Monday, January 30, 2017 7:05 PM
    Friday, January 20, 2017 8:21 PM
  • Thank you very much.

    I know the way you have suggested is the most proper according to Windows rules.

    I cannot add the Windows server to any domain because, although I am using a valid and official Windows Server 2012 license, it assumes an unwanted behaviour when added to a Windows Domain, rebooting from time to time.

    This behaviour provokes damages in the process which is running on the server.

    I will wait for other ideas on this matter.

    Best regards.

    Jayme Jeffman Filho


    • Edited by JJeffman Monday, January 23, 2017 1:14 PM correct typo
    • Marked as answer by JJeffman Monday, January 30, 2017 7:04 PM
    • Unmarked as answer by JJeffman Monday, January 30, 2017 7:04 PM
    Monday, January 23, 2017 1:11 PM
  • You're welcome, Jeff,

    I hope you get the best answer. 

    I am excited to know the answer:)

    Monday, January 23, 2017 1:48 PM
  • > Thank you very much.
    >
    > I know the way you have suggested is the most proper according to Windows rules.
    >
    > I cannot add the Windows server to any domain because, although I am using a valid and official Windows Server 2012 license, it assumes an unwanted behaviour when added to a Windows Domain, rebooting from time to time.
    >
    > This behaviour provokes damages in the process which is running on the server.
    >
    > I will wait for other ideas on this matter.
    >
    > Best regards.
    >
    > Jayme Jeffman Filho

    Better option is to repair or rebuild the server.

    Regards, Dave Patrick ....

    Monday, January 23, 2017 1:59 PM
  • I had a thought (I am not sure though)

    What if we create an SRV record for the windows server (Non domain joined server) in local DNS (DC). Will that help set privileges to domain users? I think so

    If the SRV record exists, then probably DNS would know about this server (non domain joined server) and users can access the resources using Kerberos authentication

    Just a thought :)




    • Edited by Akabe Monday, January 23, 2017 5:13 PM
    • Proposed as answer by Akabe Monday, January 23, 2017 5:17 PM
    • Unproposed as answer by Akabe Monday, January 23, 2017 7:49 PM
    Monday, January 23, 2017 2:12 PM
  • > If the SRV record exists, then probably DNS would know about this server and users can access the resources using Kerberos authentication
     
    "ktpass Keytab SPN" is your search phrase.
     
    Monday, January 23, 2017 4:09 PM
  • > Better option is to repair or rebuild the server.
    >
    > Regards, Dave Patrick ....

    I am not an expert on Windows Server install and administration. What do you mean by rebuild the server? How can I repair the Windows Server?

    If those operations can avoid the reboot of the Windows Server, probably I could add it to the main domain and grant user the proper right to have access to the folder they need to write to.

    Thank you very much.

    Monday, January 23, 2017 7:26 PM
  • > I am not an expert on Windows Server install and administration. What do you mean by rebuild the server? How can I repair the Windows Server?
    >
    > If those operations can avoid the reboot of the Windows Server, probably I could add it to the main domain and grant user the proper right to have access to the folder they need to write to.
    >
    > Thank you very much.

    A repair install is accomplished by running setup.exe from the installation media within Windows. A rebuild means starting over or at least standing up a new one in parallel and migrating roles or applications over. If by "rebooting" you meant BSOD you can check the system event log for error details. Also I'd flash the firmware (ROM BIOS) to manufacturer latest and download / install the latest chipset and drivers from server manufacturer.

    Regards, Dave Patrick ....

    Monday, January 23, 2017 7:47 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 8:11 AM
    Moderator
  • Dave,

    I have marked your reply as answer. I do not know if the procedures you have suggested could solve the problem because I am not the server owner nor its administrator, so I cannot implement your solution.

    Best regards.

    Jayme Jeffman Filho

    Monday, January 30, 2017 6:54 PM
  • Thank you to all of you who have contributed with your ideas and knowledge to this matter.

    The solution we are about to implement is to create a single user on the server to use in a network drive mapping and create or modify the login script of the main domain to create that network drive when the user makes his login on the domain, without adding the server to the main domain.

    Best regards.

    Jayme Jeffman Filho

    • Proposed as answer by Akabe Monday, January 30, 2017 7:11 PM
    Monday, January 30, 2017 7:02 PM
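
The drive mapping described in the post above, as an added example that is not part of the original thread: a PowerShell logon script that maps the share with the single server-local account without writing that account's password into the script. The names FILESRV01, Special and svc_share are hypothetical, and the script assumes the credential was stored once per user in Windows Credential Manager.

```powershell
# Added example, not from the thread. FILESRV01, Special and svc_share are
# hypothetical names for the non-domain server, its share and the single
# local account created on it.

# Weak pattern: domain logon scripts are normally served from SYSVOL, which
# authenticated domain users can read, so a password written in the script
# is disclosed to the whole domain.
#   net use S: \\FILESRV01\Special /user:FILESRV01\svc_share <password>

# Assumed one-time step per user profile, run interactively (not from the
# logon script): store the credential in Windows Credential Manager.
#   cmdkey /add:FILESRV01 /user:FILESRV01\svc_share /pass

$Server = 'FILESRV01'
$Root   = "\\$Server\Special"
$Letter = 'S'

function Connect-SpecialShare {
    # Drop a stale mapping left over from a previous session.
    if (Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Letter -Force -ErrorAction SilentlyContinue
    }
    try {
        # No -Credential argument: Windows is expected to use the Credential
        # Manager entry stored for FILESRV01, so no secret appears in the
        # script or on a command line.
        New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Root `
                    -Persist -Scope Global -ErrorAction Stop | Out-Null
        return $true
    }
    catch {
        # Fail with a visible message instead of prompting during logon.
        Write-Warning "Mapping $Root failed: $($_.Exception.Message)"
        return $false
    }
}

if (-not (Connect-SpecialShare)) { exit 1 }
```

Because every domain user connects as the same local account, the server's logs will show only svc_share, so that account should hold rights on the one shared folder and nothing else on the server.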
  • Wonderful. Thank you JJeffman for sharing the solution. This was a difficult and interesting one.

    Have a good one:)

    Monday, January 30, 2017 7:08 PM