
I am currently managing computers distributed across 2 different AD domains. I shall call the 2 domains MEDIA and DATA. My workstation is a member of the MEDIA (192.168.10/24) domain, along with most of my coworkers.

The DATA (10.0.62.0/24) domain is in a remote data center. I have a valid administrator account in both directories.

There is a VPN in place that gives me free access to the remote domain.

I am using Windows management console (MMC) to manage computers in my local domain (MEDIA - 192.168.10.0/24). My question is this:

How is it possible to use the MMC from my workstation (on the MEDIA domain) to manage computers in the DATA domain?

dlyk1988
  • Can you set up an account that has domain admin rights in both domains? If so, that's how. Run MMC under that user's context. – HopelessN00b Nov 21 '14 at 14:36
  • @HopelessN00b Could you possibly elaborate on this? How can I configure that? – dlyk1988 Nov 21 '14 at 14:40
  • What type of "management" are you doing with MMC and would it be easier to just RDP to a machine in the other domain to do the management? I'm not questioning the value of your question but at the end of the day it might be simpler and faster to just RDP to a machine in the other domain to do whatever management you need to do. – joeqwerty Nov 21 '14 at 14:44
  • @dsljanus [I did a Q&A on creating cross-forest domain admins here](http://serverfault.com/q/575098/118258)... that's how I'd recommend configuring it. :) – HopelessN00b Nov 21 '14 at 14:48
  • @joeqwerty A good question, but even so, I've found several things that are actually quicker/easier to do through having MMC connect to a remote computer than RDP or even WinRM. (Effing disk management and trusted platform modules.) – HopelessN00b Nov 21 '14 at 14:51
  • True and it's a good exercise in learning something for sure, I just wanted to point out that there is a more direct "route" to get where the OP is trying to go. – joeqwerty Nov 21 '14 at 14:54
  • @HopelessN00b If you write up an answer, I will be more than happy to upvote. Goes without saying that I am not going to implement this ever. I do not have the authority to make the decision for the creation of the trust. But thanks again anyway! – dlyk1988 Nov 21 '14 at 15:07
  • Well, if it's not gonna work for you, I'm not gonna submit it as an answer. Two other options I can think of are opening a connection to the other computer's IPC share, and then firing up MMC (`net use \\computername\ipc$ /user:[domain]\[user with admin rights]`) or doing the old local users with the same credentials trick - though, in this case, it might be easier to change the local admin on your one computer to match the user name and password on all the other computers, assuming it's set to something uniform in the other domain, of course. – HopelessN00b Nov 21 '14 at 15:17

1 Answer


This will open AD Users and Computers as a user on the remote domain.

Requires RSAT to be installed.

From elevated CMD:

```
runas /netonly /user:REMOTEDOMAIN\REMOTEUSER "mmc dsa.msc /server=REMOTEDC"
```

Shamelessly stolen from: https://blog.ed.gs/2013/09/08/rsat-cross-domain/

Dylan Knoll
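A PowerShell wrapper around the answer's `runas /netonly` command, as an added example that is not part of the original answer; the function name `Start-RemoteDomainAduc` and its parameters are hypothetical. It confirms the remote DC is reachable before launching and restricts the characters allowed in the names that end up on the `runas` command line.

```powershell
# Added example. The function name and the sample values at the bottom are
# hypothetical; run it from an elevated prompt, as the answer does.
function Start-RemoteDomainAduc {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restrict names to safe characters so nothing can break out of the
        # quoted command line handed to runas.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]+$')] [string] $Domain,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]+$')] [string] $User,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]+$')] [string] $DomainController
    )

    # The workstation is not a member of the remote domain, so confirm the DC
    # name resolves and LDAP (TCP 389) is reachable over the VPN first.
    $reachable = Test-NetConnection -ComputerName $DomainController -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) {
        throw "Cannot reach $DomainController on TCP 389; check VPN routing and DNS."
    }

    # /netonly: the MMC process runs locally as the current user and presents
    # DOMAIN\User only on network connections. runas does not verify the
    # password at launch, so a typo surfaces later as an access-denied or
    # logon failure inside the snap-in.
    $runasArgs = @(
        '/netonly'
        "/user:$Domain\$User"
        "mmc dsa.msc /server=$DomainController"
    )

    if ($PSCmdlet.ShouldProcess($DomainController, "Open ADUC as $Domain\$User")) {
        & runas.exe @runasArgs    # prompts for the remote account's password
    }
}

# Sample values (placeholders for the remote domain, account and DC):
# Start-RemoteDomainAduc -Domain DATA -User REMOTEUSER -DomainController REMOTEDC
```

Adding `-WhatIf` to the call shows what would be launched without starting `runas`.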