Just spitballing here, but would federation help that? Or put an RODC for
company.corp on location at custproj.corp?
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
From: [email protected] [mailto:[email protected]] On
Behalf Of Eric Wittersheim
Sent: Thursday, December 8, 2016 11:36 AM
To: [email protected]
Subject: [NTSysADM] External trust issue
I have an interesting project that I'm working on and I believe I have hit a
snag that is going to throw a big monkey wrench in the deal.
Here is what I have to work with.
2 domains in separate forests.
Company.corp
CustProj.corp
I have created a one way trust that allows users from Company.corp to
authenticate to users in CustProj.corp. Inside of CustProj.corp there are a
number of servers that users can authenticate using Company.corp credentials.
The rub is when a user is logging into server1.CustProj.corp using Company.corp
credentials the authentication request goes to a DC in Company.corp. This I
believe is by design from Microsoft but requirements for this project dictate
that there cannot be authentication requests from [servers].CustProj.corp to
any DCs at Company.corp. The hope was to have the DC at CustProj.corp relay the
auth requests on behalf of the client. Is there any way to force this? Am I
missing something that I can set this? Any ideas or third party products that
might help?
Eric