Brandon Baker, MCSE
We're about 6 months away from merging with another company, and management
wants us to get all the IT people on the same Exchange server to facilitate
centralized calendaring.
So, there are two Windows 2003 domains using a selective authentication
trust to share resources. Now, we're trying to allow users from Domain B to
access mailboxes on Domain A, but we've run into a problem. Users in Domain B
create a new profile in Outlook 2003 and configure it to access mailboxes
hosted on Domain A's Exchange server, but they can't use their Domain B
accounts.
There is a PIX 500 series firewall separating the Domains, however we've
opened it wide for testing, so it's not a factor. We have taken a Domain
Global Group from Domain B and granted it read privs to the OU housing the
Exchange server computer accounts. I added the same group to each Exchange
server computer account with the allowed to authenticate priv. We then
granted two Domain B users full control over their new Domain A
accounts/mailboxes, and asked the Domain B users to open Outlook, which
prompted the Domain B users with a login prompt. The Domain B Users entered
their Domain B credentials and could not connect. We then asked them to do it
again, and this time provide the Domain A credentials - that worked. Outlook
opened and they could access their mailboxes.
Now, the question is - am I missing something in the security loop? Do we
need to change the trust type from Selected Authentication to Domain-Wide? I
have a feeling that the root issue is the selective authentication and the
fact that we did not explicitly assign permissions to enough resources.
If I can't figure this out - then we're going to maintain multiple accounts
for each "merged" IT employee and give them OWA 2003.
Any ideas for troubleshooting? Any neato utils I can use? Help!!
--
Good Sites to know:
http://www.sysinternals.com
http://www.eventid.net
http://www.microsoft.com/technet
http://www.isaserver.org
http://www.nu2.nu/pebuilder