Why is an override account required in order to enumerate users in a trusted domain? (NETIQKB1527)

  • 7701527
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

Goal

Why is an override account required in order to enumerate users in a trusted domain?

Do I need an override account to manage a trusted domain?

Fact

Directory and Resource Administrator 6.x
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x

Fix

In order for Directory and Resource Administrator (DRA) to enumerate users from trusted domains, the DRA Server must be able to access each trusted domain using an account that the trusted domain can resolve (a known account).

Definitions:

  • DRA Server: Stores and maintains information in memory for performance purposes, particularly in validating requests.
  • DRA Server Service Account: The account under which the DRA Server runs.
  • DRA Accounts cache: Contains information from the Windows NT account database (SAM) for user accounts and groups in NT4 domains, and information from the Active Directory (AD) account database for Windows 2000 domains. The cache also contains the user accounts and groups of the trusted domains. The DRA Server maintains this cache for all account administration performed through DRA.
  • Known NT/2000 account: An account that Windows NT or Windows 2000 is able to resolve to its Security Identifier (SID). ***Note*** This is an NT Enterprise requirement for domain trusts to function properly. Example: Any NT account in a trusting domain that is a Known NT account to a trusted domain can open an NT native tool such as User Manager and view (enumerate) the accounts in the trusted domain.

The DRA Server obtains SAM and AD information from its trusted domains by performing a Domain Accounts cache refresh on the managed domain and on all of its trusted domains. For the DRA Server (in the trusting domain) to refresh the accounts cache from all of its trusted domains, the DRA Server Service Account (in the trusting domain) must be a Known NT account to every trusted domain. In other words, each trusted domain must be able to resolve the SID of the DRA Server Service Account. If a trusted domain can resolve that account, the DRA Server has permission to enumerate the trusted domain and build the DOM (Domain accounts) file. The DOM file contains the list of Users and Global Groups from the trusted domain, which ultimately becomes part of the accounts cache refresh.

There are two common methods of setting up the service account. One option is to use an account from the trusted domain and add that account to the local Administrators group on the server in the trusting domain that hosts the DRA Server. The other option is to use an account from the managed domain as the Service Account and create a shadow account, with exactly the same name and password, in each of the trusted domains.
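The following PowerShell check is an added example, not part of this article or of the DRA product. Run on the DRA server in the managed (trusting) domain, it verifies that the service account resolves to a SID locally, lists the domains the managed domain trusts, and reports in which of them an account with the same SAM name exists, which tells you whether either setup option above is in place. The account name is a placeholder to replace, and querying each trusted domain assumes the caller's own credentials are accepted there.

```powershell
# Added configuration check (not from the NetIQ article or the DRA product).
# Run on the DRA server, in the managed (trusting) domain. $ServiceAccount is a
# placeholder for the real DRA Server Service Account in DOMAIN\name form.
param([string]$ServiceAccount = 'MANAGEDDOM\svc-dra')   # placeholder value

Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$acctDomain, $sam = $ServiceAccount -split '\\', 2

# 1. Is the service account a "known" account here, i.e. does it resolve to a SID?
try {
    $sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
               [System.Security.Principal.SecurityIdentifier])
    Write-Output "Service account $ServiceAccount resolves locally to $($sid.Value)"
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Output "Service account $ServiceAccount does not resolve here; fix this first"
    return
}

# 2. Which domains does the managed domain trust? Trusts that are outbound (or
#    bidirectional) from our side are the "trusted domains" the article refers to.
$managed = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$trusted = $managed.GetAllTrustRelationships() |
    Where-Object { $_.TrustDirection -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound }

# 3. For each trusted domain, look for an account with the same SAM account name.
#    Option 1 (service account lives in the trusted domain) shows up as a hit in
#    that domain; option 2 (shadow accounts) requires a hit in every trusted domain.
foreach ($t in $trusted) {
    $target = $t.TargetName
    try {
        $ctx   = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $target)
        $match = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                     $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $sam)
        if ($match) {
            Write-Output "${target}: found $sam (SID $($match.Sid.Value))"
        } else {
            Write-Output "${target}: no account named $sam; a cache refresh of this domain will fail unless the trusted domain can otherwise resolve $ServiceAccount"
        }
    } catch {
        Write-Output "${target}: could not query domain ($($_.Exception.Message))"
    }
}
```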

Additional Information

Formerly known as NETIQKB1527