Question

Yankee30 asked:

Cross forest authentication - Can't add users to local administrator group

So we have a cross-forest external trust built between the Prod and DMZ domains (the DMZ domain has an RODC as well).
The DMZ domain trusts the Prod domain.

So I log in to a server that is joined to the DMZ domain.
I am trying to add users from the Prod domain to the local Administrators group of the server in the DMZ domain via the GUI.
Go to Local Users & Groups -> Administrators group -> Add -> change location to Prod (successful) -> enter object name.
Now when I put in the user ID from the Prod domain and click Check Names, it doesn't work; it says "object cannot be found".


But if I use the command line, I can add the same user from the Prod domain to the Administrators group of the DMZ server:

net localgroup administrators /add prod\userid

The command completed successfully.

This adds the user.

Can someone tell me why this behavior occurs?


Tags: windows-server, windows-active-directory, windows-server-security

1 Answer

Thameur-BOURBITA answered:

Hi,

Yes, sometimes the GUI tries to contact an unavailable domain controller.
To avoid this behavior:
I recommend that you create a local group in the DMZ domain and add it to the local Administrators group of the DMZ servers. Then create in the Prod domain/forest a global group, which will be added as a member of the local group created in the DMZ domain.
When you need to add a new admin as a local administrator on DMZ servers, just add them to this global group in the same domain.
This configuration lets you avoid contacting a domain controller on each addition of a new admin to the local Administrators group of the DMZ zone.

Please don't forget to mark helpful reply as answer

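The group nesting the answer recommends, preceded by the DC locator check that comes up in the comments below, as an added PowerShell example that is not from this thread. It assumes the domain names dmz.local and prod.com, hypothetical group and server names, the RSAT ActiveDirectory module, and an account with rights to create groups in both domains (add -Credential where that is not the case).

```powershell
# Added example, not from the thread. Domain, group and server names are assumptions.
Import-Module ActiveDirectory

$DmzDomain  = 'dmz.local'                # assumed DMZ domain (trusts Prod, one way)
$ProdDomain = 'prod.com'                 # assumed Prod domain
$DmzGroup   = 'DMZ-LocalAdmins'          # hypothetical domain local group in DMZ
$ProdGroup  = 'Prod-DMZ-Admins'          # hypothetical global group in Prod
$DmzServers = @('dmzweb01', 'dmzweb02')  # hypothetical DMZ member servers

# 1. Can this DMZ-joined host locate a Prod DC at all? This is the PowerShell
#    equivalent of "nltest /dsgetdc:prod.com"; if it throws, fix DNS resolution
#    or blocked network flows before touching any group membership.
$prodDc = Get-ADDomainController -Discover -DomainName $ProdDomain -ErrorAction Stop
"Located Prod DC: $($prodDc.HostName)"

# 2. Domain local group in DMZ. This is the only principal that ever goes into
#    the servers' local Administrators group; domain local scope is what allows
#    it to hold members from the trusted Prod forest.
$dmzDl = New-ADGroup -Name $DmzGroup -GroupScope DomainLocal -GroupCategory Security `
                     -Server $DmzDomain -PassThru

# 3. Global group in Prod, the group that admins are added to day to day.
$prodGl = New-ADGroup -Name $ProdGroup -GroupScope Global -GroupCategory Security `
                      -Server $ProdDomain -PassThru

# 4. Nest the Prod global group into the DMZ domain local group. Across the
#    trust the member is stored as a foreign security principal, so it is added
#    by SID; this single step is the one that needs the DMZ DC to reach Prod.
Set-ADGroup -Identity $dmzDl -Server $DmzDomain -Add @{ member = "<SID=$($prodGl.SID.Value)>" }

# 5. Put the DMZ domain local group into local Administrators on each server.
#    Later admin changes happen only in the Prod global group.
$dmzNetbios = (Get-ADDomain -Server $DmzDomain).NetBIOSName
foreach ($server in $DmzServers) {
    Invoke-Command -ComputerName $server -ArgumentList "$dmzNetbios\$DmzGroup" -ScriptBlock {
        param($member)
        Add-LocalGroupMember -Group 'Administrators' -Member $member
    }
}
```

Step 1 reproduces the failing check from the comments: ERROR_NO_SUCH_DOMAIN from nltest surfaces here as a terminating error, so the script stops before any membership change.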

Well, when I try to run the below command from the server in the DMZ domain:

Nltest /dsgetdc:prod.com

It gives me the message:

Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Should this return the DC name from the Prod domain, or is this the expected result with a one-way external trust?

Thameur-BOURBITA replied:

Yes, it should show the name of one of the domain controllers. If you get this error, that means there is a problem contacting the Prod domain.

It can be DNS resolution or network flows being blocked.

Please don't forget to mark helpful reply as answer

Yankee30 replied to Thameur-BOURBITA:

Will there have to be ports opened between the DMZ member servers and the Prod DCs?

Wouldn't the flow go from the DMZ member server to the DMZ DC and then to the Prod DC?
