Thanks Chris, I tried what you suggested. Grepping the firewall logs, I'm seeing TCP port 88 (Kerberos) traffic from server1.CustProj.corp to DC.Company.corp. For my test I did what you said. I then assigned that domain local group created in CustProj.corp to the Remote Desktop Users group. When I RDP, that is when I see the traffic hitting my Company.corp DC.
Eric

On Thu, Dec 8, 2016 at 4:26 PM, Christopher Bodnar <[email protected]> wrote:

> You should be able to limit the traffic to only domain controllers talking back and forth. My guess is that you have the Corpcompany.corp users being directly added to the ACLs on the resources in server1.
>
> Try this:
>
> Create a Corpcompany.corp global group and add users to it
> Create a CustProj.corp domain local group and add the Corpcompany.corp global group to it
> Assign the CustProj.corp domain local group to the resources on server1.
>
> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Eric Wittersheim
> *Sent:* Thursday, December 08, 2016 11:36 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] External trust issue
>
> I have an interesting project that I'm working on and I believe I have hit a snag that is going to throw a big monkey wrench in the deal.
>
> Here is what I have to work with.
>
> 2 domains in separate forests.
>
> Company.corp
> CustProj.corp
>
> I have created a one way trust that allows users from Company.corp to authenticate to users in CustProj.corp. Inside of CustProj.corp there are a number of servers that users can authenticate to using Company.corp credentials. The rub is when a user is logging into server1.CustProj.corp using Company.corp credentials the authentication request goes to a DC in Company.corp. This I believe is by design from Microsoft, but requirements for this project dictate that there cannot be authentication requests from [servers].CustProj.corp to any DCs at Company.corp. The hope was to have the DC at CustProj.corp relay the auth requests on behalf of the client. Is there any way to force this? Am I missing something that I can set for this? Any ideas or third party products that might help?
>
> Eric
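The firewall-log grep described in the reply above, written out as a repeatable check. This is an added example, not code from the thread or from either poster: it reads firewall records, flags authentication-related traffic from CustProj.corp member servers to Company.corp domain controllers (the traffic the project rule forbids), and ignores DC-to-DC traffic across the trust. The log line format, the host names, the choice of ports treated as "authentication" traffic and the `find_violations`/`summarize` names are all assumptions made for this example.

```python
"""Flag cross-forest authentication traffic that violates the rule
'no auth requests from [servers].CustProj.corp to any Company.corp DC'.

Added example; log format, hosts and port list are constructed assumptions.
"""
import re
from collections import Counter

# Ports a member server uses when it authenticates or queries a DC directly.
# Assumption: the project rule covers all of these, not only Kerberos (88).
AUTH_PORTS = {
    88: "kerberos",
    464: "kpasswd",
    389: "ldap",
    636: "ldaps",
    3268: "ldap-gc",
    3269: "ldaps-gc",
    445: "smb",
    135: "rpc-epm",
}

# Constructed record format: "<ts> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\w.-]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.-]+):(?P<dport>\d+)$"
)

# Constructed sample log: one DC-to-DC line (expected), three member-server
# lines that break the rule, one in-forest Kerberos line, one HTTPS line,
# one denied attempt and one non-record line.
SAMPLE_LOG = """\
2016-12-08T11:35:58 ALLOW TCP dc1.custproj.corp:52011 -> dc.company.corp:88
2016-12-08T11:36:01 ALLOW TCP server1.custproj.corp:49211 -> dc.company.corp:88
2016-12-08T11:36:01 ALLOW TCP server1.custproj.corp:49212 -> dc.company.corp:389
2016-12-08T11:36:02 ALLOW TCP server1.custproj.corp:49213 -> dc1.custproj.corp:88
2016-12-08T11:36:05 ALLOW TCP server2.custproj.corp:50100 -> dc.company.corp:445
2016-12-08T11:36:07 ALLOW TCP server1.custproj.corp:49214 -> dc.company.corp:443
2016-12-08T11:36:09 DENY  TCP server3.custproj.corp:50200 -> dc.company.corp:88
this line is not a firewall record
"""


def parse_line(line):
    """Return a dict for one firewall record, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["src"] = rec["src"].lower()
    rec["dst"] = rec["dst"].lower()
    return rec


def in_domain(host, domain):
    """True when host is domain itself or a name under it."""
    return host == domain or host.endswith("." + domain)


def find_violations(lines, resource_domain, resource_dcs, trusted_dcs):
    """Allowed auth-port connections from a non-DC host in resource_domain
    to a DC of the trusted domain. DC-to-DC traffic across the trust is
    expected and is not reported; denied attempts are not counted as auth."""
    resource_domain = resource_domain.lower()
    resource_dcs = {h.lower() for h in resource_dcs}
    trusted_dcs = {h.lower() for h in trusted_dcs}
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["dst"] not in trusted_dcs or rec["dport"] not in AUTH_PORTS:
            continue
        if not in_domain(rec["src"], resource_domain) or rec["src"] in resource_dcs:
            continue
        violations.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "service": AUTH_PORTS[rec["dport"]],
        })
    return violations


def summarize(violations):
    """Count violations per (source host, service) so the noisy hosts stand out."""
    return Counter((v["src"], v["service"]) for v in violations)


if __name__ == "__main__":
    found = find_violations(
        SAMPLE_LOG.splitlines(),
        resource_domain="custproj.corp",
        resource_dcs={"dc1.custproj.corp"},
        trusted_dcs={"dc.company.corp"},
    )
    for v in found:
        print(f'{v["ts"]} {v["src"]} -> {v["dst"]}:{v["dport"]} ({v["service"]})')
    for (src, service), n in sorted(summarize(found).items()):
        print(f"{src}: {n} {service} connection(s)")
```

Running it against a real export means replacing `SAMPLE_LOG` with the firewall's own lines and adjusting `LOG_RE` to that vendor's format. The check is deliberately an authorization-independent view: Kerberos logon of a trusted-forest user makes the server obtaining the ticket contact a KDC in the user's own domain, so nesting groups as the reply suggests changes who is allowed onto server1 but not which DC answers the ticket request, and the filter above is what tells you whether that traffic is still present after the change.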

