Forum Discussion

MBICIO
Copper Contributor
Jan 09, 2023

GPO Drive mappings over two-way trust is inconsistent

I have an old AD domain (with a non-routable domain name) and am moving all users/resources to a new "routable" AD domain on a new network segment. The new domain controllers/resources are set up, including DNS (secondary zones in both domains pointing to the other), along with a two-way trust between the domains. Everything seems to be working well. I've set up global security groups (with new domain users) in the new domain and assigned appropriate permissions to network shares on servers in the old domain (that all seems to be working well). I then created a GPO with drive mappings to those shares in the old domain, and that too seemed to be working OK.

I signed onto a DC in the new domain and all of the drive mappings to the shares in the old domain mapped perfectly and are accessible. I then signed onto another DC and a member server in the new domain but did not get drive mappings as expected. I did a bunch of troubleshooting but can't find anything wrong. While signed onto the DC (and the member server, for that matter) where they did not map as expected, I tried to access those same shares in the old domain via UNC/FQDN and I get prompted for credentials. The dialogue box is pointing to/trying to authenticate to the new domain. If I put in credentials for a new domain account it fails (as if it is trying to authenticate the credentials from the AD user account (instead of the security group) in the new domain against the share in the old domain). If I instead input credentials from the old domain, I am able to get there, but that is not the intent. It should be using the signed-on account (from the new domain) and its membership in the proper security group (again from the new domain) to authenticate to the share in the old domain, but that's not working on the second DC or the member server. It does, however, work just fine on the first DC.

I have triple-checked DNS (which all seems fine) as well as confirmed Defender/FW is turned off, and even removed AV/malware software from the problematic server to make sure that isn't causing the problem. I even signed onto all 3 servers with a different account from the new domain (with membership in the proper security group) and had the exact same experience (the 1st DC maps all drives as expected without any problem, but the 2nd DC and the member server do not map any drives from the old domain (across the trust)). However, there are also no errors encountered when signing on (saying that drive mapping failed); they just don't map. The same GPO mentioned above does map drives within the native/new domain (not traversing the trust) without problem, and "home directory" works in all circumstances.


I created another GPO as well as a new security group, emulating the same basic conditions (but to a different share in the old domain), and had the same experience. The 1st DC maps/allows access perfectly, but the other new AD servers don't map the drives.

Any suggestions are greatly appreciated. 
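The post compares one server where cross-trust mappings work against two where they silently fail, so the useful next step is to collect the same set of facts on each machine and diff them: DNS resolution of the trusted domain's DCs, reachability of the file server on SMB, the trust and secure channel as that host sees them, the Kerberos tickets held by the signed-on user, the group SIDs actually present in the logon token, clock skew, which GPOs applied, and finally whether the UNC path opens as the signed-on user. The script below is an added triage helper, not something from the original post or from Microsoft; the domain, server and share names are placeholders to replace, and it uses only built-in Windows tools (`Resolve-DnsName`, `Test-NetConnection`, `nltest`, `klist`, `whoami`, `w32tm`, `gpresult`).

```powershell
# Cross-trust drive-mapping triage (added example, not from the original post).
# Run in an elevated PowerShell session, as the affected user, on the DC that
# works and on the servers that do not, then compare the output side by side.
# Placeholders below are assumptions: replace them with the real names.
$OldDomain = 'old.local'             # non-routable domain that hosts the shares
$OldServer = 'fileserver.old.local'  # FQDN of a share host in the old domain
$ShareName = 'Data'                  # share the GPO drive map points at

function Test-CrossTrustShare {
    param(
        [Parameter(Mandatory)][string]$TrustedDomain,
        [Parameter(Mandatory)][string]$FileServer,
        [Parameter(Mandatory)][string]$Share
    )
    $r = [ordered]@{}
    $r['Host']      = $env:COMPUTERNAME
    $r['User']      = "$env:USERDOMAIN\$env:USERNAME"

    # 1. Can this host locate DCs of the trusted domain through DNS (SRV records)?
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV `
                           -ErrorAction SilentlyContinue
    $r['DC SRV records found'] = [bool]$srv

    # 2. Does the file server resolve and answer on TCP 445?
    $tnc = Test-NetConnection -ComputerName $FileServer -Port 445 `
                              -WarningAction SilentlyContinue
    $r['SMB 445 reachable'] = $tnc.TcpTestSucceeded

    # 3. Trust list and secure channel to the trusted domain, as seen from here.
    $r['nltest /trusted_domains'] = (nltest /trusted_domains 2>&1) -join "`n"
    $r['nltest /sc_verify']       = (nltest /sc_verify:$TrustedDomain 2>&1) -join "`n"

    # 4. Kerberos tickets of the signed-on user. A working mapping leaves a
    #    service ticket for cifs/<fileserver>; its absence means the client
    #    never obtained one (referral failed or it fell back to another path).
    $tickets = klist 2>&1
    $pattern = 'cifs/' + [regex]::Escape($FileServer)
    $r['cifs ticket for file server'] = (@($tickets) -match $pattern).Count -gt 0

    # 5. Group SIDs actually present in the logon token (what the share ACL sees).
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $r['groups in token'] = ($groups | ForEach-Object { "$($_.'Group Name') $($_.SID)" }) -join "`n"

    # 6. Clock offset to the trusted domain; Kerberos tolerates 5 minutes by default.
    $r['time offset (w32tm)'] = (w32tm /stripchart /computer:$TrustedDomain /samples:1 /dataonly 2>&1) -join "`n"

    # 7. Which user-scope GPOs applied at this logon (the drive-map GPO should be listed).
    $r['applied user GPOs'] = (gpresult /r /scope:user 2>&1) -join "`n"

    # 8. Open the UNC path as the signed-on user, exactly as the GPO would.
    $r['UNC path opens as signed-on user'] = Test-Path -Path "\\$FileServer\$Share"

    [pscustomobject]$r
}

# Write one report per host so the working and failing servers can be diffed.
$report = Test-CrossTrustShare -TrustedDomain $OldDomain -FileServer $OldServer -Share $ShareName
$report | Format-List
$report | Out-String -Width 200 | Set-Content -Path "$env:TEMP\crosstrust-$($env:COMPUTERNAME).txt"
```

Run it under the same new-domain account on all three servers and compare the saved text files: the first section that differs between the working DC and a failing server (DNS, secure channel, missing cifs ticket, missing group SID, clock offset, or a GPO that did not apply) is where to keep digging.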

