Title: DMZ domains and IPSec - looking for explanation re resource access and authentication

Hi all,

I'm looking for an explanation … this is a bit of a complicated scenario but I'll try to be succinct.  Whilst I have a fair bit of AD experience, I'm not the AD administrator at my current place of work.  The AD administrators are not forthcoming with information, hence my post here.

We have a corporate network with a Windows 2003 forest (mixed-mode) with multiple domains.  We also have a DMZ, in which there is a separate Windows 2003 forest with a single domain. 

There is an IPSec policy set up between domain controllers in the DMZ domain and domain controllers in one of the domains in the corporate forest (I'll call it the "internal domain").

There is a one-way trust, the DMZ domain trusts the internal domain.

Our aim is to provide access to resources in the DMZ domain, by using accounts in the internal domain.

My role includes managing Member Servers.  We built a server in the internal domain, added some groups from that domain into the Administrators group, then physically moved it to the DMZ.  Then, the names in the Administrators group would no longer resolve (since it is still a member of the internal domain, but physically disconnected from it).  Next, we made the server a member of the DMZ domain, and the names now resolve.  So, it seems the Member Server is talking to the DMZ DC which is querying the internal DC to resolve the name.

What we cannot do is log onto the Member Server in the DMZ and add an account from the internal domain.  The reasoning we are given is that the IPSec policy and trust are between DCs only, and not the Member Server.  If the DMZ Domain Admin logs onto the DMZ DC, then makes a Computer Management connection to the Member Server, then groups from the internal domain can be added to the Member Server.

Can anyone explain to me why this is so?  I don't understand why resolving names is different to adding a user; it seems to me the same authentication path is followed.

Thanks in advance
Sakti
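A diagnostic that separates the two paths the post describes, added here as an example and not part of the original message or any reply to it. It assumes PowerShell is available on the DMZ member server (not a given on a Windows 2003 build), and uses placeholder names (`INTERNAL`, `INTERNAL\ServerAdmins`) for the trusted internal domain and a group already present in local Administrators. SID-to-name translation is handed to a DC of the server's own domain (here the DMZ DC), which chains the lookup over the trust; locating and binding to a DC of the trusted domain, which the Select Users or Groups dialog in Computer Management does directly, requires that this server itself can reach an internal DC.

```powershell
# Added example: contrasts SID/name translation (via the server's own DC, chained
# over the trust) with direct DC location in the trusted domain (needed to add
# accounts from that domain). Run on the DMZ member server.
# Placeholders (assumed, not from the post): INTERNAL, INTERNAL\ServerAdmins.
param(
    [string]$TrustedDomain  = 'INTERNAL',
    [string]$TrustedAccount = 'INTERNAL\ServerAdmins'
)

# SID -> name: LSA forwards unknown SIDs to a DC of this server's own domain,
# which resolves them across the trust. No direct contact with the trusted
# domain's DCs is required from this host.
function Resolve-SidToName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $null }
}

# name -> SID: same chained path, used when a known name is typed directly.
function Resolve-NameToSid([string]$Account) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Account)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

# Direct DC locator against the trusted domain. This is what the object picker
# relies on to browse INTERNAL; an IPSec policy that only admits DC-to-DC
# traffic (and blocks this member server) makes it fail here while the
# chained lookups above still succeed.
function Test-TrustedDcLocator([string]$Domain) {
    $out = & nltest.exe "/dsgetdc:$Domain" 2>&1
    return @{ Ok = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

# Secure channel of this server to its own (DMZ) domain; if this is broken,
# neither path will work and the comparison is meaningless.
function Test-OwnSecureChannel {
    $out = & nltest.exe "/sc_query:$env:USERDOMAIN" 2>&1
    return @{ Ok = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

# Members of local Administrators as reported by net.exe: entries that still
# appear as raw SIDs (S-1-5-21-...) are the ones the server could not resolve.
function Get-LocalAdminMembers {
    $lines = & net.exe localgroup Administrators 2>&1
    $lines | Where-Object { $_ -match '^(S-1-|[^\s]+\\)' }
}

Write-Host "== Secure channel to own domain ($env:USERDOMAIN) =="
$sc = Test-OwnSecureChannel
Write-Host ("OK: {0}`n{1}" -f $sc.Ok, $sc.Output)

Write-Host "`n== Local Administrators members (unresolved SIDs stay as S-1-...) =="
foreach ($m in Get-LocalAdminMembers) {
    if ($m -like 'S-1-*') {
        $name = Resolve-SidToName $m
        if ($name) { Write-Host "$m -> $name (resolved via chained lookup)" }
        else       { Write-Host "$m -> UNRESOLVED" }
    } else {
        Write-Host $m
    }
}

Write-Host "`n== Name -> SID for $TrustedAccount (chained via own DC) =="
$sid = Resolve-NameToSid $TrustedAccount
Write-Host ($(if ($sid) { "resolved: $sid" } else { "FAILED" }))

Write-Host "`n== Direct DC locator for $TrustedDomain (what the object picker needs) =="
$dc = Test-TrustedDcLocator $TrustedDomain
Write-Host ("OK: {0}`n{1}" -f $dc.Ok, $dc.Output)
```

If the chained translations succeed but `/dsgetdc:` against the trusted domain fails from the member server, that is the split the post is asking about: resolving existing group members only needs the server's own DC, whereas browsing and adding accounts from the trusted domain needs this host to reach one of that domain's DCs itself, which a DC-to-DC-only IPSec policy does not permit. Running the same checks from the DMZ DC would show both succeeding.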

