RDP Authentication with Forest Trust to "Child Tree" domain

    Question

  • I have two forests, with Forest B trusting Forest A (one-way, transitive). Then I created a child "tree domain" in Forest B as I wanted a separate namespace; of course this is now a two-way transitive trust. I have created the necessary groups in the tree domain in Forest B to allow the admins to have access from Forest A. So when I RDP into the tree domain with credentials from the Forest B domain, it works. And when I try to do so from Forest A to the Forest B domain, it works. But when I try to go to the "child tree" domain of Forest B, it starts to work in the sense that I get an error message saying I need to be a part of the Remote Desktop group. It seems like the nesting of the groups is not working through the forest trust, or am I missing something? Or does it need to be within the same namespace?

    This is all Server 2012 R2.

    Monday, May 1, 2017 3:39 PM

Answers

  • Hi,
    Based on my research on a similar thread (linked below), it seems to be by design that the account has to be added to the RDP group.
    Also, please check whether the account you are using for RDP is in a global group in Forest A; if so, you could add the user to a domain local group in Forest B to see if it helps.
    You could see details from: https://www.experts-exchange.com/questions/26302190/Cant-use-remote-desktop-across-trust.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by dprefa Tuesday, May 2, 2017 4:40 PM
    Tuesday, May 2, 2017 7:27 AM
    Moderator
  • Hi Wendy,

    Thank you for replying, and yes, I too saw this article, but I am glad you referenced it again as it got me to take a second, third and fourth look ;) . I think this is what it was: while I did use the AGUDLP formula, even though I created and nested the groups, it does not necessarily like using any of the built-in or canned groups already present. Basically I created new groups that duplicated the users I wanted for, like "Domain Admins" and "Administrators", named them something like TRUST Domain account (global, universal, local) groups, and added the same users rather than the groups that already come with Server, and it worked. Ugh! What a pain.

    Thank you for referencing that article again! :)

    Dan


    • Edited by dprefa Tuesday, May 2, 2017 4:40 PM clarity
    • Marked as answer by dprefa Tuesday, May 2, 2017 4:40 PM
    Tuesday, May 2, 2017 4:39 PM
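    The group layout Wendy suggests and Dan ended up with (accounts in a Forest A global group, nested into a domain local group in the tree domain, which is then placed in the server's Remote Desktop Users group), written out as an added PowerShell example. This is not code from the thread; the domain names a.example (Forest A account domain), tree.example / NetBIOS TREE (the Forest B tree domain), the server rds01.tree.example, the group names TRUST-RDP-Admins-G / -DL and the users alice and bob are all assumptions. It uses only the RSAT ActiveDirectory module, the ADSI WinNT provider and secedit, so it runs against Server 2012 R2. It adds two checks a practitioner would want: that the foreign security principal recorded in the domain local group really carries the SID of the Forest A group (a stale or mistyped principal looks identical in the GUI), and that Remote Desktop Users still holds the "Allow log on through Remote Desktop Services" right on the target, since group membership is only one of the two requirements for an RDP logon.

```powershell
# Added example, not from the original thread. Assumed names: Forest A account domain
# a.example, Forest B tree domain tree.example (NetBIOS TREE), target member server
# rds01.tree.example, sample users alice and bob. Needs the RSAT ActiveDirectory module,
# group-creation rights in both domains and local admin rights on the target server.
Import-Module ActiveDirectory

$ForestADomain = 'a.example'
$TreeDomain    = 'tree.example'
$TreeNetBIOS   = 'TREE'
$TargetServer  = 'rds01.tree.example'
$GlobalName    = 'TRUST-RDP-Admins-G'    # A -> G : lives in the account forest (Forest A)
$LocalName     = 'TRUST-RDP-Admins-DL'   # DL     : lives in the resource domain (tree)

function Get-OrCreateGroup($Server, $Name, $Scope) {
    $g = Get-ADGroup -Server $Server -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Server $Server -Name $Name -GroupScope $Scope `
                         -GroupCategory Security -PassThru
    }
    return $g
}

# 1. Global group in Forest A holding the admin accounts: a fresh group, not Domain Admins.
$global = Get-OrCreateGroup $ForestADomain $GlobalName 'Global'
$users  = 'alice', 'bob' | ForEach-Object { Get-ADUser -Server $ForestADomain -Identity $_ }
Add-ADGroupMember -Server $ForestADomain -Identity $global -Members $users

# 2. Domain local group in the tree domain. DomainLocal is the only scope that can hold a
#    principal from another forest; AD stores it as a foreignSecurityPrincipal object.
$local = Get-OrCreateGroup $TreeDomain $LocalName 'DomainLocal'
Add-ADGroupMember -Server $TreeDomain -Identity $local -Members $global   # ADGroup object from Forest A

# Check: the FSP recorded in the DL group must carry the SID of the Forest A global group.
$fspSids = Get-ADGroupMember -Server $TreeDomain -Identity $local |
           Where-Object objectClass -eq 'foreignSecurityPrincipal' |
           Select-Object -ExpandProperty SID
if ($fspSids.Value -notcontains $global.SID.Value) {
    throw "DL group $LocalName does not reference $GlobalName ($($global.SID.Value))"
}

# 3. Permission on the server: nest the DL group into the built-in Remote Desktop Users
#    group and confirm that group still holds the remote interactive logon right.
Invoke-Command -ComputerName $TargetServer -ArgumentList $TreeNetBIOS, $LocalName -ScriptBlock {
    param($Dom, $Grp)
    $rdu = [ADSI]'WinNT://./Remote Desktop Users,group'
    $existing = @($rdu.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($existing -notcontains $Grp) { $rdu.Add("WinNT://$Dom/$Grp,group") }

    # Membership alone is not enough: the logon also needs SeRemoteInteractiveLogonRight.
    # Member servers grant it to Remote Desktop Users (S-1-5-32-555) by default; DCs do not.
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line -or $line.Line -notmatch 'S-1-5-32-555') {
        Write-Warning "Remote Desktop Users lacks 'Allow log on through Remote Desktop Services' on $env:COMPUTERNAME"
    }
    "Remote Desktop Users on $env:COMPUTERNAME now contains $Dom\$Grp"
}
```

    Run it from a management host that can reach domain controllers in both a.example and tree.example; the only cross-forest write is the nesting in step 2, and the DL group is what shows up in the user's token when the tree domain DC builds it for the RDP logon. If the target is a domain controller rather than a member server, the warning in step 3 fires and the right has to be granted through Group Policy before membership in Remote Desktop Users makes any difference.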
