peterlyttle
Technical User
Hello,
I'm being told that the following is impossible to fix, but I don't like to believe anything is impossible and I'm hoping that some clever person here can help out!
I have 3 network zones - LAN/SEMI/DMZ
I have 2 domains - domain1.com and domain2.com
All DCs for domain1.com sit inside the LAN zone.
All Servers for domain1.com sit inside the LAN zone.
2 Writeable DCs for domain2.com sit inside the LAN zone.
2 Read Only DCs for domain2.com sit inside the SEMI zone.
All Servers for domain2.com sit inside the DMZ zone.
There is a two-way non-transitive trust in place between the LAN zone DCs of domain1.com and domain2.com - Selective Authentication is selected.
The DMZ zone must not directly access the LAN zone; it must pass through something in the SEMI zone (possibly the RODC).
GPO Loopback processing is set to Replace
Cross Forest User GPO and Roaming Profiles is set to Not Configured (Disabled)
The problem that I am facing is that if I log on with a user domain1\AdminUser onto domain2\Server it logs in correctly (a little slow), but it doesn't allow the domain2.com user GPO to be applied.
I'm told that this is because in the logon process or gpupdate process the domain2\Server is trying to directly contact the DCs in domain1.com. As this is DMZ -> LAN, this is blocked by a FW. However, if it went like this, domain1\Server -> domain1\RODC -> domain2\DCs, that would be ok.
This article helps a little but doesn't mention the GPO aspect.
Anyone any ideas?
Thanks,
Peter
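One way to confirm the blocked path the question describes from the affected server, as an added diagnostic that is not part of the original post: it reads the two Group Policy settings mentioned as they land in the registry, resolves the trusted forest's DCs, and probes the ports logon and policy processing use. The domain name and the port list are assumptions to adjust.

```powershell
# Added diagnostic, not from the original post. Run in an elevated PowerShell
# session on the domain2 member server in the DMZ. 'domain1.com' is the poster's
# trusted domain name; change it to match your environment.
$TrustedDomain = 'domain1.com'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# 1. The two settings the question mentions, read from their policy registry values:
#    UserPolicyMode (1 = Merge, 2 = Replace) is loopback processing;
#    AllowX-ForestPolicy-and-RUP is "Allow Cross-Forest User Policy and Roaming User Profiles".
$pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$loopback = switch ($pol.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
$xforest  = switch ($pol.'AllowX-ForestPolicy-and-RUP') { 1 { 'Enabled' } 0 { 'Disabled' } default { 'Not configured' } }
"Loopback processing                          : $loopback"
"Cross-forest user policy and roaming profiles: $xforest"

# 2. Find the trusted forest's DCs the same way the DC locator does: via the
#    _ldap._tcp.dc._msdcs SRV record. If even DNS is blocked at the firewall,
#    this fails and there is nothing further to probe.
$dcs = try {
    (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }).NameTarget | Sort-Object -Unique
} catch { @() }
if (-not $dcs) {
    "No DC SRV records for $TrustedDomain are resolvable from this host (DNS to the LAN zone may be blocked too)."
    return
}

# 3. Probe each DC on the ports a member server needs during logon and policy
#    processing: Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445 (SYSVOL).
#    A 'BLOCKED' line for every DC matches the DMZ -> LAN firewall rule described.
$ports = 88, 135, 389, 445
foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        '{0,-35} {1,5} {2}' -f $dc, $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}
```

Pair the output with `gpresult /h report.html` run in the same cross-forest session; the report's user section names the domain it could not reach and the policies it skipped as a result.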