Network shares on separate domains

[dawks]

We have our own domain here with our own accounts. A few of our users need to access shares on a server in another domain. They have accounts for that domain as well.

What I have been doing is mapping a network drive for this single share, and choosing the "use other credentials". That gets the drive mapped and it works for a few days. Then it just stops working and the only thing I can do is remove the network drive, and recreate it. This is obviously a PITA when I have to do it 1-2 times a week on multiple computers.

Is there any other way? I've tried making a bat file that a user could just double click, but that doesnt seem to work either. (local network drives on our domain work just fine).

Thanks

 

[Chunkee]

child domains or trust rule?

 

[MustISO]

set up a trust.

 

[dawks]

Trusts are not an option. Two separate organizations.

I have created a bat file that looks like it will help, but im still curious why the connection keeps dropping every few days.

 

[TheKub]

Originally posted by: dawks
Trusts are not an option. Two separate organizations.

I have created a bat file that looks like it will help, but im still curious why the connection keeps dropping every few days.

Likely the issue is a time out, maybe the kerberos ticket exceded the maximum renewal lifetime.

We have the same situation. I work for a county government but we have a state agency that uses our network resources. When we had Novell there was no issue, they authenticated to eDirectory and the states domain. About a year ago I migrated the entire county off of the Novell boxes to MS servers and had to come up with a fix.

I created a 2 bat file process. The first bat file just executes a second bat file on the server that does the actual mapping. I did this because if there were ever changes needed I didnt have to touch each PC (either manually or via script) to update it.

I dont know what troubles you had with the bat files. Basicly they contain:

net use H: \\10.XXX.XXX.XXX\%username% /USER:YYYY\%username%
Where YYYY is our domain

When they were being migrated new accounts were created for all the state users (using their naming not ours). If the password on our domain matched up with the password in the states domain this process just worked. If the passwords were out of sync (no auto update when state password change is done) it would just say the password is wrong and they were prompted to try again. They type the password and it continues to work.

The only hitch I ever had with this is when I was first deployed it used host name rather than IP which was fine becasue we manually added choice lines to the hosts file but the state periodically reimages and breaks things so to save the headache I moved to just IP address.

I have not heard of any "timeout" like issues with this implementation.

 

[RebateMonger]

You could set up a server on a third domain and do one-way trusts to the third server from each of the organizations.

 

[dawks]

The batch file I ended up creating unmaps any possible current connections, maps the drive, prompts the user for a password, then xcopies the files over to the users desktop, unmaps the drive, and pops up the folder on the users desktop.

All they need to do is double click the bat file, type their password, and all the files they need are magically there. This should work fine.

I like the idea of have the two batch files though, just incase I'd need to make changes, I'd only have to modify the one.

Thanks!

 

[dawks]

Originally posted by: RebateMonger
You could set up a server on a third domain and do one-way trusts to the third server from each of the organizations.

Seems like a lot of work for network drives that just keep dropping occasionally.

 

[Nothinman]

Seems like a lot of work for network drives that just keep dropping occasionally.

All of the mentioned solutions are.

Did you try saving the password in that one control panel?

 

[dfnkt]

Originally posted by: TheKub

Originally posted by: dawks
Trusts are not an option. Two separate organizations.

I have created a bat file that looks like it will help, but im still curious why the connection keeps dropping every few days.

Likely the issue is a time out, maybe the kerberos ticket exceded the maximum renewal lifetime.

We have the same situation. I work for a county government but we have a state agency that uses our network resources. When we had Novell there was no issue, they authenticated to eDirectory and the states domain. About a year ago I migrated the entire county off of the Novell boxes to MS servers and had to come up with a fix.

I created a 2 bat file process. The first bat file just executes a second bat file on the server that does the actual mapping. I did this because if there were ever changes needed I didnt have to touch each PC (either manually or via script) to update it.

I dont know what troubles you had with the bat files. Basicly they contain:

net use H: \\10.XXX.XXX.XXX\%username% /USER:YYYY\%username%
Where YYYY is our domain

When they were being migrated new accounts were created for all the state users (using their naming not ours). If the password on our domain matched up with the password in the states domain this process just worked. If the passwords were out of sync (no auto update when state password change is done) it would just say the password is wrong and they were prompted to try again. They type the password and it continues to work.

The only hitch I ever had with this is when I was first deployed it used host name rather than IP which was fine becasue we manually added choice lines to the hosts file but the state periodically reimages and breaks things so to save the headache I moved to just IP address.

I have not heard of any "timeout" like issues with this implementation.

The batch should work except it should say "net use H: \\10.xxx.xxx.xxx\%username% insertpassword /USER:domain\%username%" -- If you want them to not have to enter a password.

also another way would be replace the IP address with the name of the server/computer with the FQDN such as "net use H: \\machine123.fabrikom.com\%username% insertpassword /USER:domain\%username%"

EDIT: This will expose the users password to anyone who edits the bat/cmd file. We had to use this to solve an issue with an executive who needed his drives on his home PC.

 

[TheKub]

Originally posted by: dfnkt
The batch should work except it should say "net use H: \\10.xxx.xxx.xxx\%username% insertpassword /USER:domain\%username%" -- If you want them to not have to enter a password.

Im aware that the password could be embedded but that would be WAY too much work, and a very poor idea.

1. The password is in cleartext and on a common network location where everyone has read access.

2. I would then either have to make a script for each person, or set everyones password to be the same. Which in our case would be a horrible idea.

Originally posted by: dfnkt
also another way would be replace the IP address with the name of the server/computer with the FQDN such as "net use H: \\machine123.fabrikom.com\%username% insertpassword /USER:domain\%username%"

That still would not work, the users DO NOT use our DNS servers, and the state had no interest in adding static values or hosting a zone for our servers.

However, for the OP these suggestions may be acceptable, but they most certainly would not work for us.

 

[dfnkt]

Originally posted by: TheKub

Originally posted by: dfnkt
The batch should work except it should say "net use H: \\10.xxx.xxx.xxx\%username% insertpassword /USER:domain\%username%" -- If you want them to not have to enter a password.

Im aware that the password could be embedded but that would be WAY too much work, and a very poor idea.

1. The password is in cleartext and on a common network location where everyone has read access.

2. I would then either have to make a script for each person, or set everyones password to be the same. Which in our case would be a horrible idea.

Originally posted by: dfnkt
also another way would be replace the IP address with the name of the server/computer with the FQDN such as "net use H: \\machine123.fabrikom.com\%username% insertpassword /USER:domain\%username%"

That still would not work, the users DO NOT use our DNS servers, and the state had no interest in adding static values or hosting a zone for our servers.

However, for the OP these suggestions may be acceptable, but they most certainly would not work for us.

Thanks for the clarification, definitely sounds like an issue in need of some extra thought outside of an off the cuff solution.

 

[redbeard1]

Do the passwords and usernames match on both domains?