
Trust relationship question

Status
Not open for further replies.

AndyE45

MIS
Jul 24, 2003
183
CA
We have a production domain (2003 native mode) and a domain in the DMZ (2008 native mode) that is working fine, though we have to iron out a few port issues on the FW. The trust is one-way, DMZ trusts Production. We watched the FW logs and saw that when a Prod user was logging onto a DMZ server it was trying to authenticate the user against the Prod DCs. For the sake of cutting down on the access list rules and keeping things simpler, it would be nice if the DMZ domain DC could proxy the authentication request on behalf of the DMZ server.

Is this possible?
 
I guess you're running under a single forest? Is the DMZ domain on the same tree as Production?

I'm going from memory here so bear with me; but if the domains are in the same forest you could look at having the DMZ DC set up as a GC. Maybe advisable to look at using sites as well to further push through a split between the two.

Although I'd wait for one of the other chaps to verify this or research the above before implementing! :)

Cheers,


Steve.

"They have the internet on computers now!" - Homer Simpson
 
Steve,

The DMZ DCs are both GCs, unfortunately that doesn't help.

Thanks for the input just the same.
 
The question is.. where is the user logging from? If the user is not in the DMZ network then they will authenticate to the closest DC to them (as setup in AD Sites and Services). This is the only way I know in which you can "force" a user to logon to a particular DC.
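To see what the answer above describes in practice, here is an added example (not from the thread or any poster) to run on the DMZ member server: it shows which Production DC the locator hands that server for the trusted domain, and which of the TCP ports that cross-domain logon needs are actually open through the firewall. The domain name is a placeholder.

```powershell
# Added example, not from the thread: run on the DMZ member server to see which
# Production DC the DC locator selects for the trusted domain and whether the
# TCP ports that cross-domain logon needs are open through the firewall.
# Assumption: 'prod.example.local' is a placeholder for the Production domain.
param([string]$TrustedDomain = 'prod.example.local')

# Trusts visible to this member (direction/type) without the RSAT AD module.
nltest /domain_trusts /all_trusts

# DC the logon path will use for the trusted domain; /FORCE bypasses the cache.
# The site shown is what AD Sites and Services hands this server.
$locator = nltest /dsgetdc:$TrustedDomain /force 2>&1
$locator
$match = $locator | Select-String -Pattern 'DC:\s*\\\\(\S+)' | Select-Object -First 1
if (-not $match) {
    throw "DC locator failed for $TrustedDomain; check DNS SRV records (UDP/TCP 53) first."
}
$dc = $match.Matches[0].Groups[1].Value

# TCP ports a member server needs toward a trusted-domain DC for user logon.
# UDP (DNS, Kerberos, LDAP locator ping) and the dynamic RPC range are not
# covered by Test-NetConnection's TCP probe and still need their own rules.
$required = @(
    @{ Port = 53;  Service = 'DNS (SRV lookup for _kerberos/_ldap)' },
    @{ Port = 88;  Service = 'Kerberos AS/TGS (TCP)' },
    @{ Port = 135; Service = 'RPC endpoint mapper (plus dynamic RPC range)' },
    @{ Port = 389; Service = 'LDAP (locator/site lookup)' },
    @{ Port = 445; Service = 'SMB / Netlogon (NTLM pass-through)' }
)
$results = foreach ($r in $required) {
    $t = Test-NetConnection -ComputerName $dc -Port $r.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ DC = $dc; Port = $r.Port; Service = $r.Service; TcpOpen = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# Anything closed here is the traffic the firewall logs in the question show:
# add the rule, or place the DMZ subnet in a site whose DC is reachable.
$results | Where-Object { -not $_.TcpOpen } | ForEach-Object {
    Write-Warning ("{0}/tcp ({1}) to {2} is blocked" -f $_.Port, $_.Service, $_.DC)
}
```

Run it once per Production DC the locator can return, since the locator may pick a different DC after a site change or cache flush.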
 
I really have to ask why you would want to do this, it breaks so many basic security rules that I'm intrigued.
 
itsp1965: logging in from a server in the DMZ using an account on the production (trusted) domain. I was hoping to have the DMZ DC somehow proxy the request to the prod domain on behalf of the DMZ member server, but if that's not possible, c'est la vie.

theravager: the idea is to have one account capable of logging onto any server in either domain.
 