Chris and Brian,

I believe that I'm in business.  Like I said yesterday, I created those
groups as Chris suggested but still saw traffic, so today I created some
firewall rules that blocked all communication between
server1.CustProj.corp and the Company.corp domain controllers, and I was
able to log in and saw only traffic coming from the CustProj.corp DC to the
Corp DC.

Thanks for your tips, they really helped.

Eric

On Thu, Dec 8, 2016 at 4:26 PM, Christopher Bodnar <
[email protected]> wrote:

> You should be able to limit the traffic to only domain controllers talking
> back and forth. My guess is that you have the Corpcompany.corp users being
> directly added to the ACLs on the resources in server1.
>
>
>
> Try this:
>
>
>
> Create a Corpcompany.corp global group and add users to it
>
> Create a CustProj.corp domain local group and add the Corpcompany.corp
> global group to it
>
> Assign the CustProj.corp domain local group to the resources on server1.
>
>
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Eric Wittersheim
> *Sent:* Thursday, December 08, 2016 11:36 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] External trust issue
>
>
>
> I have an interesting project that I'm working on and I believe I have hit
> a snag that is going to throw a big monkey wrench in the deal.
>
>
>
> Here is what I have to work with.
>
>
>
> 2 domains in separate forests.
>
>
>
> Company.corp
>
> CustProj.corp
>
>
>
> I have created a one-way trust that allows users from Company.corp to
> authenticate to users in CustProj.corp.  Inside of CustProj.corp there are
> a number of servers that users can authenticate to using Company.corp
> credentials.  The rub is when a user is logging into server1.CustProj.corp
> using Company.corp credentials, the authentication request goes to a DC in
> Company.corp.  This I believe is by design from Microsoft, but requirements
> for this project dictate that there cannot be authentication requests from
> [servers].CustProj.corp to any DCs at Company.corp. The hope was to have
> the DC at CustProj.corp relay the auth requests on behalf of the client.
> Is there any way to force this?  Am I missing something that I can set this?
> Any ideas or third party products that might help?
>
>
>
> Eric
>
>
>
>
>
> -----------------------------------------------------------------------
> This message, and any attachments to it, may contain information that is
> privileged, confidential, and exempt from disclosure under applicable law.
> If the reader of this message is not the intended recipient, you are
> notified that any use, dissemination, distribution, copying, or
> communication of this message is strictly prohibited. If you have received
> this message in error, please notify the sender immediately by return
> e-mail and delete the message and any attachments. Thank you.
>
>
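The steps Chris outlines (global group in the account forest, domain local group in the resource forest, nest one in the other, ACL the domain local group) plus the firewall rules Eric ended up adding, written out as an added PowerShell example. This is not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module, an existing one-way trust in which CustProj.corp trusts Company.corp, rights in both domains, and the hypothetical group names, OU paths, share path and DC addresses shown in the comments.

```powershell
# Added example, not from the thread. Group names, OUs, share path and DC
# addresses are hypothetical placeholders; the trust is assumed to exist.
Import-Module ActiveDirectory

$accountDomain  = 'company.corp'     # where the users live (trusted domain)
$resourceDomain = 'custproj.corp'    # where server1 lives (trusting domain)
$globalName     = 'CustProj-Server1-Users'   # hypothetical
$localName      = 'Server1-Projects-Modify'  # hypothetical

# 1. Global group in the account domain; put the Company.corp users in it.
$global = New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=company,DC=corp' -Server $accountDomain -PassThru
Add-ADGroupMember -Identity $global -Members 'jdoe', 'asmith' -Server $accountDomain  # hypothetical accounts

# 2. Domain local group in the resource domain.
$local = New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=custproj,DC=corp' -Server $resourceDomain -PassThru

# 3. Nest the foreign global group. Across a forest boundary the member is
#    stored as a foreignSecurityPrincipal in CustProj.corp; binding the member
#    by SID (the <SID=...> ADSI form) lets the resource DC create that object.
$custDc = (Get-ADDomainController -DomainName $resourceDomain -Discover).HostName |
    Select-Object -First 1
$dlGroup = [ADSI]"LDAP://$custDc/$($local.DistinguishedName)"
$dlGroup.Add("LDAP://$custDc/<SID=$($global.SID.Value)>")

# 4. Only the domain local group goes on the resource ACL; no Company.corp
#    user or group is named on server1 directly.
$folder = '\\server1.custproj.corp\Projects'   # hypothetical share
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CUSTPROJ\$localName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 5. On server1: block direct traffic to and from the Company.corp DCs, so
#    the only path into Company.corp is CustProj DC -> Company DC over the trust.
Invoke-Command -ComputerName 'server1.custproj.corp' -ScriptBlock {
    $companyDcs = '10.1.0.10', '10.1.0.11'   # hypothetical Company.corp DC addresses
    New-NetFirewallRule -DisplayName 'Block Company.corp DCs (outbound)' `
        -Direction Outbound -RemoteAddress $companyDcs -Action Block -Profile Any
    New-NetFirewallRule -DisplayName 'Block Company.corp DCs (inbound)' `
        -Direction Inbound  -RemoteAddress $companyDcs -Action Block -Profile Any
}

# 6. Check: after a Company.corp user logs on to server1, Security event 4624
#    records which package authenticated the session (Kerberos or NTLM).
Get-WinEvent -ComputerName 'server1.custproj.corp' `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -eq 'COMPANY' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.Properties[5].Value    # TargetUserName
            Domain  = $_.Properties[6].Value    # TargetDomainName
            Type    = $_.Properties[8].Value    # LogonType
            Package = $_.Properties[10].Value   # AuthenticationPackageName
        }
    } | Format-Table -AutoSize
```

Step 6 is the check worth running before treating the firewall rules as the fix: a server that cannot reach the user's home DCs cannot obtain a Kerberos TGT for that user itself, so a logon that still succeeds is going through the CustProj.corp DC by pass-through authentication, and the Package column will typically read NTLM rather than Kerberos. Whether that is acceptable is a decision for the project's requirements, not something the rules decide for you.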
