You should be able to limit the traffic to only domain controllers talking back 
and forth. My guess is that you have the Corpcompany.corp users being directly 
added to the ACLs on the resources in server1.

Try this:

Create a Corpcompany.corp global group and add users to it.
Create a CustProj.corp domain local group and add the Corpcompany.corp global 
group to it.
Assign the CustProj.corp domain local group to the resources on server1.
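
The three steps above as a PowerShell script (an added example, not code from the list post); it assumes the ActiveDirectory RSAT module, an admin session in CustProj.corp that can read Corpcompany.corp over the trust, and made-up group names, OU paths, user names and share path.

```powershell
# Added example: AGDLP nesting across the one-way trust described in the thread.
# All names, OU paths and the share path below are assumed, not from the post.
Import-Module ActiveDirectory

$trustedDomain  = 'corpcompany.corp'      # account forest (trusted side)
$resourceDomain = 'custproj.corp'         # resource forest (trusting side)
$globalGroup    = 'Proj-Server1-Users'    # global group in the account domain
$domainLocal    = 'Server1-Share-Modify'  # domain local group in the resource domain
$sharePath      = 'D:\Shares\Project'     # folder on server1.custproj.corp

# 1. Global group in Corpcompany.corp holds the actual user accounts.
New-ADGroup -Name $globalGroup -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corpcompany,DC=corp' -Server $trustedDomain
Add-ADGroupMember -Identity $globalGroup -Members 'jdoe', 'asmith' -Server $trustedDomain

# 2. Domain local group in CustProj.corp. Domain local scope is what permits a
#    principal from a trusted forest to be nested; AD stores it as a foreign
#    security principal (FSP) under CN=ForeignSecurityPrincipals.
New-ADGroup -Name $domainLocal -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=custproj,DC=corp' -Server $resourceDomain
$foreignGroup = Get-ADGroup -Identity $globalGroup -Server $trustedDomain
Add-ADGroupMember -Identity $domainLocal -Members $foreignGroup -Server $resourceDomain

# 3. Grant only the domain local group on the resource, so no individual
#    Corpcompany.corp user ever appears in the ACL on server1.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CUSTPROJ\$domainLocal", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verification: the ACL should reference only CUSTPROJ principals, and the
# domain local group's member list should show the FSP (CN=S-1-5-...) entry.
(Get-Acl -Path $sharePath).Access | Where-Object { $_.IdentityReference -like 'CUSTPROJ\*' }
(Get-ADGroup -Identity $domainLocal -Properties member -Server $resourceDomain).member
```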


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Eric Wittersheim
Sent: Thursday, December 08, 2016 11:36 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] External trust issue

I have an interesting project that I'm working on and I believe I have hit a 
snag that is going to throw a big monkey wrench in the deal.

Here is what I have to work with.

2 domains in separate forests.

Company.corp
CustProj.corp

I have created a one-way trust that allows users from Company.corp to 
authenticate to users in CustProj.corp.  Inside of CustProj.corp there are a 
number of servers that users can authenticate to using Company.corp credentials.  
The rub is when a user is logging into server1.CustProj.corp using Company.corp 
credentials, the authentication request goes to a DC in Company.corp.  This I 
believe is by design from Microsoft, but requirements for this project dictate 
that there cannot be authentication requests from [servers].CustProj.corp to 
any DCs at Company.corp. The hope was to have the DC at CustProj.corp relay the 
auth requests on behalf of the client.  Is there any way to force this?  Am I 
missing something that I can set for this? Any ideas or third-party products that 
might help?

Eric
