That is a bit complex to follow :)

Can you elaborate on what you mean by this part: "I don't understand why resolving names is different to adding a user, it seems to me the same authentication path is followed."

Are you saying that you figure, because you can log on to the server with "internal domain" names, you should also be able to resolve names in the user manager?

Al


From: "Chakravarty, Sakti" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: <ActiveDir@mail.activedir.org>
Subject: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication
Date: Thu, 8 Dec 2005 14:12:14 +1100

Hi all,

I'm looking for an explanation ... this is a bit of a complicated
scenario but I'll try to be succinct.  Whilst I have a fair bit of AD
experience, I'm not the AD administrator at my current place of work.
The AD administrators are not forthcoming with information, hence my
post here.

We have a corporate network with a Windows 2003 forest (mixed-mode) with
multiple domains.  We also have a DMZ, in which there is a separate
Windows 2003 forest with a single domain.

There is an IPSec policy set up between domain controllers in the DMZ
domain and domain controllers in one of the domains in the corporate
forest (I'll call it the "internal domain").

There is a one-way trust: the DMZ domain trusts the internal domain.

Our aim is to provide access to resources in the DMZ domain, by using
accounts in the internal domain.

My role includes managing Member Servers.  We built a server in the
internal domain, added some groups from that domain into the
Administrators group, then physically moved it to the DMZ.  Then, the
names in the Administrators group would no longer resolve (since it is
still a member of the internal domain, but physically disconnected from
it).  Next, we made the server a member of the DMZ domain, and the names
now resolve.  So, it seems the Member Server is talking to the DMZ DC
which is querying the internal DC to resolve the name.

What we cannot do is log on to the Member Server in the DMZ and add an
account from the internal domain.  The reasoning we are given is that
the IPSec policy and trust are between DCs only, and not the Member
Server.  If the DMZ Domain Admin logs on to the DMZ DC, then makes a
Computer Management connection to the Member Server, then groups from
the internal domain can be added to the Member Server.

Can anyone explain to me why this is so?  I don't understand why
resolving names is different to adding a user, it seems to me the same
authentication path is followed.

Thanks in advance
Sakti
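A diagnostic script for the scenario above, added here as an example (it is not part of Sakti's post or Al's reply). It is meant to be run in PowerShell on the DMZ member server as a local administrator; the domain names DMZ and INTERNAL and the group name ServerAdmins are placeholders for the names in the post, and PowerShell being available on the Windows 2003 server is assumed. It separates the lookups involved: the secure channel to the server's own domain, whether the server can locate a DC of each domain by itself, SID-to-name resolution of the existing Administrators members (what the group listing shows), name-to-SID lookup of an internal-domain group, and the actual add, with each step's result captured so they can be compared side by side.

```powershell
# Added example (not from the thread). Run on the DMZ member server.
# Placeholders: replace with the real NetBIOS domain and group names.
$DmzDomain      = 'DMZ'           # placeholder: NetBIOS name of the DMZ domain
$InternalDomain = 'INTERNAL'      # placeholder: NetBIOS name of the trusted internal domain
$InternalGroup  = 'ServerAdmins'  # placeholder: group in the internal domain to add

function Test-SecureChannel {
    # The member server's secure channel to a DC of its own (DMZ) domain.
    nltest /sc_query:$DmzDomain 2>&1
}

function Find-DomainController {
    param([string]$Domain)
    # DC locator from this machine for the given domain. Whether the member
    # server can reach an INTERNAL DC directly is what this step shows.
    nltest /dsgetdc:$Domain 2>&1
}

function Get-LocalAdministratorsMembers {
    # Enumerate local Administrators via the WinNT ADSI provider and translate
    # each member's SID back to a name (the SID-to-name path, LsaLookupSids,
    # which the machine sends to a DC of its own domain).
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in $group.psbase.Invoke('Members')) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved: $($_.Exception.Message)>" }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

function Resolve-InternalGroup {
    # Name-to-SID lookup (LsaLookupNames) for a group in the internal domain,
    # the lookup that "net localgroup ... /add" has to perform on the name.
    $acct = New-Object System.Security.Principal.NTAccount($InternalDomain, $InternalGroup)
    try   { $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { "<lookup failed: $($_.Exception.Message)>" }
}

function Add-InternalGroupToAdministrators {
    # The operation that fails from the member server in the post; keep the
    # exit code and error text instead of letting them scroll by.
    $out = & net localgroup Administrators "$InternalDomain\$InternalGroup" /add 2>&1
    "exit code $($LASTEXITCODE): $($out -join ' ')"
}

'--- secure channel to own (DMZ) domain ---';        Test-SecureChannel
'--- DC locator: DMZ domain ---';                    Find-DomainController -Domain $DmzDomain
'--- DC locator: INTERNAL domain ---';               Find-DomainController -Domain $InternalDomain
'--- local Administrators, SIDs resolved to names ---'
Get-LocalAdministratorsMembers | Format-Table Sid, Name -AutoSize
'--- name-to-SID lookup of the INTERNAL group ---';  Resolve-InternalGroup
'--- attempt the add from the member server ---';    Add-InternalGroupToAdministrators
```

Run it once on the member server, then the same lookups from the DMZ DC session that the Domain Admin uses. The useful comparison is which steps differ between the two machines: the Administrators listing resolving while the DC locator for the internal domain and the add fail from the member server is a concrete result to put to the AD administrators, rather than the general statement that "the IPSec policy and trust are between DCs only".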



List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
