In order to grant users in an accounts domain Remote Access Service (RAS)
dial-in permissions to a server in a resource domain, it is not necessary
to add these users (individually or as a group) to the accounts database
of the resource domain. It is also not necessary to have a RAS Server
running in the Accounts Domain as long as the Resource Domain is
configured to trust the Accounts Domain. The accounts domain does not have
to trust the resource domain for this configuration to work.
Take the following steps to grant dial-in permissions to users in the
trusted accounts domain for the RAS server in the resource domain:
- Either the administrator's account from the resource domain has to be
part of accounts domain Administrators group (as per a trust), or while
logged on to the Resource Domain, the administrator must
NET USE \\Accounts_PDC\netlogon /u:Accounts\administrator
(Where Accounts_PDC is the Primary Domain Controller (PDC) for the
accounts domain) and enter the password for this account in the
Accounts Domain when prompted.
- After making the above connection, perform the following steps:
- Start up RASADMIN on the server in the Resource Domain.
- From the Servers menu, choose Select Domain Or Server.
- In the Domain field, enter the domain name of the trusted
Accounts Domain and press ENTER.
- If there is no RAS server in the Accounts Domain, the first line
of the RASADMIN program display area below the menu displays:
"No Remote Access Servers were found in the selected domain."
Otherwise, it displays the server name of a server that is
currently running RAS.
- From the Users menu, choose Permissions.
All users from the Accounts Domain should now appear in the Users box, and
it is possible to choose Grant Dial-in Permission to User per user from
the Accounts Domain to dial-in to the Resource Domain's RAS Server.