How do i delegate domain admin to cross forest account.

Question

Hi,

I currently have a setup involving two domains. In Domain 1, there is a Domain Controller (DC) and a Gateway (GW) configured for Windows Admin Center. A two-way forest-wide trust has been established between these two domains. My objective is to manage the Active Directory (AD) of Domain 2 using my account from Domain 1 within Windows Admin Center.

To achieve this, I have attempted to add myself to the "builtin\administrators" group in Domain 2, but unfortunately, I am unable to access the AD from the Admin Center. Surprisingly, when I use a Domain 2 admin account to log in from the Admin Center, it works perfectly. Additionally, I tried granting myself the "Enterprise Admin" role, but that did not yield the desired results either.

I'm encountering an issue where I cannot add my Domain 1 account to the Domain 2 "domain admins" group because Domain 1 does not appear in the available locations when I attempt to perform this action. I know that i cant add cross domain users to a global group. Can anyone provide insight into the specific rights or permissions that I may be missing to resolve this situation?

Your assistance and expertise would be greatly appreciated.

Answer 1

Hello Kevin,

Thank you for posting in Q&A forum.

Please validate the forest trust on both domain and check if you can validate the forest trust successfully.

Properties\Validate\type the credential and check the result. The information below is validated successfully.

If you cannot validate the trust successfully, you can try to recreate the two-way forest forest.

Hope the information above is helpful.

Best Regards,
Daisy Zhou