[dnandoo]

Is it possible to see computers that are part of a child domain from root domain other than DC's through Active Directory site and services?
Basically I have a root domain configured with one child domain, however I have to keep switching between each server to see computers listed in each.

Thanks in advanced.

[chuckhole]

Where are you looking? In Active Directory Computers and Users?

Right click on the domain in ADCU and select Connect to Domain. If the account you are logged in as has admin privilages to the other domain, you may connect to that domain and administer it.

Without having to logout, you may also create a shortcut to MMC.EXE and the right click on the shortcut and select Run As. Then suppply the credentials to the other domain. Then add the Snap-In for ADCU and voilà, you can connect to that domain without having to logout or go to another computer.

[dnandoo]

I'm logged in on the child domain server which is Win2008.
I have a remote users group crreated in AD, and I want to add the IT group which is located on the DC and root directory.
If I choose connect to another domain, in 2008 its only change domain and then I can see my IT group but can't add to remote users group.

Ideally I want my IT group in the root domain with access to everything.

[chuckhole]

In the other domains, you can right-click on the Domain Name and select Delegate Control. This can be done at the OU level or at the Domain level. You can select what rights you want to be delegated out and to whom.

For example, by default, users do not have the right to change the Computer Description. I delegated control to allow this so that they could write their department and user display name to the computer description field during logon.

[chuckhole]

I have responded to your PM regarding the use of Universal Groups. I have copied my reply here as well for reference:

Universal groups are for precisely that purpose. You can make members of other domains members of Universal Groups.

The use and behavior of Universal Groups is dependent on the Domain and Forest functional levels. In ADUC, right click on the domain and select Properties. The functional levels need to be at the highest permissible level. This depends on the Domain Controller OS versions installed. ALL DC's in the domain must be at the same level or higher before you can raise the functional level. And all DC's in the Forest must also be at the same level or higher to raise the functional level of the Forest.

If you have slow or limited connections between domains then you will want to limit the usage of Universal groups. They will increase the replication traffic between the domains.

Also, to help speed up the authentication process for users who are members of Universal Groups, you will want to make sure that at least one Domain Controller in each domain is acting as a Global Catalog Server. You will find this in the NTDS settings for the DC's in AD Sites and Services.