RODCs won’t help because RODCs don’t have trust passwords cached locally.
If this is done via Kerb there shouldn't be any communication from the resource in the "project" forest to a DC in the "corp" forest. The client in the corp forest will need to contact a "project" DC, though.

Thanks,
Brian Desmond
w – 312.625.1438 | c – 312.731.3132

From: [email protected] On Behalf Of Eric Wittersheim
Sent: Thursday, December 8, 2016 11:27 AM
To: [email protected]
Subject: Re: [NTSysADM] External trust issue

Melvin,

I'm not sure about Federation. I'll toss out the idea of an RODC, that might be possible.

Thanks,
Eric

On Thu, Dec 8, 2016 at 11:00 AM, Melvin Backus <[email protected]> wrote:

Just spitballing here, but would federation help that? Or put an RODC for company.corp on location at custproj.corp

--
There are 10 kinds of people in the world... those who understand binary and those who don't.

From: [email protected] On Behalf Of Eric Wittersheim
Sent: Thursday, December 8, 2016 11:36 AM
To: [email protected]
Subject: [NTSysADM] External trust issue

I have an interesting project that I'm working on and I believe I have hit a snag that is going to throw a big monkey wrench in the deal. Here is what I have to work with.

2 domains in separate forests:
Company.corp
CustProj.corp

I have created a one-way trust that allows users from Company.corp to authenticate to CustProj.corp. Inside of CustProj.corp there are a number of servers that users can authenticate to using Company.corp credentials. The rub is when a user is logging into server1.CustProj.corp using Company.corp credentials the authentication request goes to a DC in Company.corp. This I believe is by design from Microsoft, but requirements for this project dictate that there cannot be authentication requests from [servers].CustProj.corp to any DCs at Company.corp.

The hope was to have the DC at CustProj.corp relay the auth requests on behalf of the client. Is there any way to force this? Am I missing something that I can set this? Any ideas or third party products that might help?

Eric
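An added check, not part of the thread, for verifying Brian's point on a resource server in the "project" forest: it reads the server's own 4624 logon events for accounts from the trusted forest and groups them by authentication package, so Kerberos logons (client talks to a project DC, resource server talks to no corp DC) can be separated from NTLM logons (the project DC has to pass the request through the trust). The NetBIOS name COMPANY for Company.corp and the 24-hour window are assumptions.

```powershell
# Added example (not from the thread): summarise logons by Company.corp accounts
# on a CustProj.corp resource server and show which authentication package each
# used. Run elevated on the resource server with logon auditing enabled.
param(
    [string]$TrustedDomain = 'COMPANY',   # NetBIOS name of Company.corp (assumed)
    [int]$Hours = 24                      # look-back window (assumed)
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624                      # An account was successfully logged on
    StartTime = $since
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TargetDomainName'] -ieq $TrustedDomain) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Package   = $d['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            Source    = $d['IpAddress']
        }
    }
}

# Count of cross-forest logons per authentication package
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# NTLM logons are the ones that make the CustProj DC call back through the trust
$rows | Where-Object { $_.Package -eq 'NTLM' } | Sort-Object Time -Descending |
    Format-Table Time, User, LogonType, Source -AutoSize
```

A non-empty NTLM list points at clients that reached the server by IP address or by a name with no SPN, which is what to fix before the project's "no requests to Company.corp DCs" requirement can hold.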

