
Cross Forest GPO Processing with RODCs and Firewalls


peterlyttle

Technical User
Nov 6, 2006
Hello,

I'm being told that the following is impossible to fix, but I don't like to believe anything is impossible and am hoping that some clever person here can help out!

I have 3 network zones - LAN/SEMI/DMZ
I have 2 domains - domain1.com and domain2.com

All DCs for domain1.com sit inside the LAN zone.
All Servers for domain1.com sit inside the LAN zone.

2 Writeable DCs for domain2.com sit inside the LAN zone.
2 Read Only DCs for domain2.com sit inside the SEMI zone.
All Servers for domain2.com sit inside the DMZ zone.

There is a two-way non-transitive trust in place between the LAN zone DCs of domain1.com and domain2.com - Selective Authentication is selected.
The DMZ zone must not directly access the LAN zone; it must pass through something in the SEMI zone (possibly the RODC).
GPO Loopback processing is set to Replace.
Cross Forest User GPO and Roaming Profiles is set to Not Configured (Disabled).

The problem that I am facing is that if I log on with a user domain1\AdminUser onto domain2\Server it logs in correctly (a little slow), but it doesn't allow the domain2.com user GPO to be applied.

I'm told that this is because in the logon process or gpupdate process the domain2\Server is trying to directly contact the DCs in domain1.com. As this is DMZ -> LAN this is blocked by a FW. However if it went like this domain1\Server -> domain1\RODC -> domain2\DCs that would be ok.

This article helps a little but doesnt mention the GPO aspect.

Anyone any ideas?

Thanks,
Peter
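The post above reasons that the DMZ member server is trying to reach domain1.com DCs directly and being blocked by the firewall. Before accepting or rejecting that explanation, it is worth measuring it from the DMZ server itself. The script below is an added diagnostic, not from the original post or from any Microsoft tool; it is run on the domain2 member server in the DMZ and shows (1) which domain1.com DCs DNS advertises to that server, (2) which DC the Netlogon locator actually selects (the same locator Group Policy processing uses), (3) raw TCP reachability from the DMZ to each of those DCs on the ports a member server needs during logon and Group Policy processing, and (4) whether the cross-forest user policy switch is set on this machine. The domain name `domain1.com` and the port list are assumptions taken from the post's description; adjust them for the real environment.

```powershell
# Added diagnostic (not part of the original post). Run on the domain2
# member server in the DMZ, in an elevated PowerShell session.
# Assumptions: the trusted forest is domain1.com; the port list is the set a
# member server contacts on a DC during logon and Group Policy processing
# (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB for SYSVOL, kpasswd,
# LDAPS, Global Catalog).
param(
    [string]$TrustedDomain = 'domain1.com',
    [int[]] $Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
)

# 1. Which DCs of the trusted forest does DNS advertise to this server?
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" `
    -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning ("No SRV records for {0}: name resolution is blocked, so " +
        "Group Policy processing for a {0} user cannot even locate a DC." -f $TrustedDomain)
}
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 2. Which DC the Netlogon locator picks. /force bypasses the cached result,
#    so this reflects what a fresh logon would do.
$located = (nltest /dsgetdc:$TrustedDomain /force 2>&1) -join "`n"
Write-Host "nltest /dsgetdc:$TrustedDomain ->`n$located`n"

# 3. Raw TCP reachability per DC and port through the DMZ -> LAN firewall.
#    A DC that is resolvable but unreachable on 389/445 is exactly the
#    "server contacts domain1 DCs directly and gets blocked" symptom.
$results = foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; Port = $p; Reachable = $ok }
    }
}
$results | Sort-Object DC, Port | Format-Table -AutoSize

# 4. Cross-forest user policy switch on this machine. The GPO setting
#    "Allow cross-forest user policy and roaming user profiles" writes this
#    DWORD under HKLM. When it is not set, Windows applies the user settings
#    from the computer's own forest via loopback Replace instead of asking
#    the user's forest for user GPOs.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name = 'AllowX-ForestPolicy-and-RUP'
$val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($val -eq 1) {
    "Cross-forest user policy: ENABLED (user GPOs are requested from $TrustedDomain)"
} else {
    "Cross-forest user policy: not enabled (user settings come from this computer's forest via loopback Replace)"
}
```

Read the output bottom-up: if step 4 reports "not enabled" and loopback is Replace, the user part of the policy should be coming from domain2's GPOs, so any blocked ports in step 3 point at the user-side logon work (group membership, Kerberos, SYSVOL reads) that still needs a DC of the user's own forest rather than at GPO retrieval itself. Run it once with the firewall as-is and once with a temporary allow rule from the DMZ server to the domain1 DCs on the ports that showed as unreachable; if the user GPO then applies, the post's explanation is confirmed and the remaining question is purely where to place the permitted path (SEMI zone or otherwise), not whether one is needed.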
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top