My overall goal for the following was to understand which domain servers (local or primary) actually control authentication for a share or folder.
I'll start by describing my setup:
2 sites, A and B
Site A: The primary domain controller ("Primary"), and my workstation ("Workstation")
Site B: Local domain controller that is also a file server ("Branch"). It has a hard drive S:\ on which shared folders are created.
(All servers are Windows Server 2008 R2. Site A also has a secondary domain controller; however, that might affect my question.)
I have a shared folder on Branch\S: ("FolderX") and I've set the Share permissions to Everyone, full control; and Security permissions to Domain Admins and an AD group ("GroupX") which has "Modify". As a domain admin, I can get into the folder from Branch.
I attempt to access the folder from Workstation as my regular user account, and cannot. (\\Branch\FolderX) I can go to \\Branch, and I see FolderX among the shares.
Prior to replication, from which domain controller should I need to add my regular user account to GroupX in order to access FolderX?
(That was my actual question, which I thought would be easy to determine via experimentation. However... )
If I add my regular user account to GroupX while logged into Branch, I cannot access the folder from Workstation. (i.e., my regular user account does not yet exist in GroupX in AD on Primary.)
I remove my regular user account from GroupX on Branch.
I then add my regular user account to GroupX while logged into Primary. I still cannot access \\Branch\FolderX from Workstation.
If I make sure my regular user account exists in GroupX in AD on both Branch and Primary, I still cannot access FolderX.
What am I missing?