SalMaama-0956 asked:

DMZ Member Servers unable to return or authenticate internal domain accounts

I have a DC in a DMZ where I can easily look up domain accounts from our internal domain under NTFS permissions if I try to add users/groups to a folder's NTFS permissions while logged in to the DMZ DC. However, member servers in the same DMZ are unable to return any internal domain accounts when I click "Check Names" on NTFS folder permissions. I have done all the troubleshooting I can think of: ping is OK, and port queries from the DMZ servers (both the DMZ DC and the member servers) return the same open ports. At this point I'm not entirely sure where and why the member servers aren't returning any internal domain accounts while the DMZ DC does. Is there a group policy I should be looking at? Where? On the internal domain DC or the DMZ DC? Any ideas and thoughts are welcome. I ruled out trust issues because the DMZ DC seems fine.

Tags: windows-active-directory, windows-group-policy

FanFan-MSFT answered:

Hi,
Since it is not clear what your perimeter network environment looks like, it is difficult to guess what happened.
In this situation, I would suggest you use the Network Monitor tool to get more details when you check the names on the member server.

Best Regards,


SalMaama-0956 answered:

@FanFan-MSFT - I ran Microsoft Network Monitor 3.4 on the DMZ member server; unfortunately it did not capture any traffic related to clicking Check Names. I guess it isn't treating it as network-related traffic. Anything I'm doing wrong?

Thinking about it, we have 2 domain forests: the primary domain (D1) and the DMZ domain (D2). We have an outgoing trust from the DMZ domain (D2) to the primary domain (D1), which implies the DMZ trusts our primary domain and not the other way round. I think from the security perspective this is how it is supposed to be set up. My understanding is that domain users in D1 can have access to the resources in D2 (DMZ) and not vice versa. If my understanding is correct, then it explains why a D2 server cannot resolve any D1 domain account. But why is the DC in the DMZ (D2) able to see D1 domain accounts? Based on the way we have the trust set up, ideally the DC in the DMZ should be restricted from having access to the D1 domain, correct? Is there a special configuration to allow only the DC in the DMZ to have access to the resources in the D1 domain and not any other member server in the DMZ? ...just been thinking about it

Just FYI - We have Forest-wide authentication and not selective authentication


Hi,
If it is a one-way trust from the DMZ domain to the primary domain, users in the primary domain should have access to resources in the DMZ domain.
I think you understand correctly.
Can the user log on to the member server in the DMZ?
Based on my understanding, when you try to edit the permissions for users in the primary domain on a resource in the DMZ domain, the user name can't be resolved, right?
What's the error message?
Is it possible that name resolution has issues?
How did you configure DNS to create the trust?

Best Regards,

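The comment above asks the right diagnostic questions (can a D1 DC be located through DNS from the DMZ, and does name resolution actually fail), and the original question only has ping and a port query to go on. The script below is an added example, not code from the thread or from Microsoft, that runs those checks from the DMZ member server itself. It assumes the trusted internal domain is D1 (the name used in the thread); the FQDN `d1.example`, the test account `D1\someuser` and the list of ports are placeholders to replace with your own values.

```powershell
# Added diagnostic example (not from the original thread). Run on the DMZ (D2)
# member server where Check Names fails. Placeholders: the D1 FQDN and test account.
param(
    [string]$TrustedDomain = 'd1.example',   # placeholder FQDN of the internal (trusted) domain D1
    [string]$TestAccount   = 'D1\someuser'   # placeholder: a D1 account Check Names should resolve
)

$results = [ordered]@{}
$srv = $null

# 1. Does this host see the trust at all? This is answered by its own D2 DC.
$results['TrustsSeen'] = (nltest /trusted_domains 2>&1) -join "`n"

# 2. Can this host find a D1 domain controller through DNS? The object picker behind
#    Check Names locates a DC of the selected domain itself, so the DMZ DNS must answer
#    for D1 (conditional forwarder or stub zone), not only for D2.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
    $targets = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
    $results['D1SrvRecords'] = $targets -join ', '
} catch {
    $targets = @()
    $results['D1SrvRecords'] = "FAILED: $($_.Exception.Message)"
}

# 3. Ask the DC locator directly; it uses the same DNS path plus an LDAP ping to the DC.
$results['DcLocator'] = (nltest /dsgetdc:$TrustedDomain 2>&1) -join "`n"

# 4. Port reachability from THIS host to each D1 DC found above. Firewall rules between a
#    DMZ and the internal network are usually per source host, so a result taken on the
#    DMZ DC says nothing about the member server. RPC also needs the dynamic port range.
foreach ($dc in $targets) {
    foreach ($port in 53, 88, 135, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results["${dc}:$port"] = if ($ok) { 'open' } else { 'BLOCKED' }
    }
}

# 5. The lookup Check Names ultimately performs: translate a D1 account name to its SID.
#    The exception text here is the real error behind the dialog's failure.
try {
    $sid = ([System.Security.Principal.NTAccount]$TestAccount).Translate([System.Security.Principal.SecurityIdentifier])
    $results['SidLookup'] = $sid.Value
} catch {
    $results['SidLookup'] = "FAILED: $($_.Exception.Message)"
}

$results.GetEnumerator() | Format-Table -AutoSize
```

Read the output top down: if step 2 fails, the DMZ DNS does not know how to reach D1 and the member server can never find a D1 DC, however the trust is configured; if step 2 succeeds but step 4 shows BLOCKED, the trust is fine and the difference between the DMZ DC and the member servers is the firewall path; if steps 2 and 4 pass and only step 5 fails, the error message in SidLookup is what to search on next.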

Hi,

If there are any updates, you are welcome to share them here!
Please feel free to let us know if you have any further questions.

Best Regards,