Authenticating on internal domain from DMZ

Hey folks,

I need to authenticate users connecting through VPN to our DMZ on our internal AD-Domains. Would it be enough to allow authentication with 1 DC in the top domain?

Shouldnt the TopDomain be able top authenticate for the sub-domains or atleast request and pass on authentication?

Please let me know if anyone of you know :)

/Rene
LVL 1
LamerSmurfAsked:
Who is Participating?
 
JamesDSCommented:
LamerSmurf
If you allow access from the DMZ to only a domain controller in the root domain, then users will not be able to logon fully - without using cached credentials. The reason for this is that things like domain local group memberships are not replicated to all Global Catalogs and therefore are unavailable to Domain Controllers ouside of the users home domain. Without this information the user cannot be logged on, unless cached credentials are available.

The likely message a user will receive is "The user cannot log in because the domain DOMAIN is not available."

you need to allow the DMZ access to at least one domain controller in each domain.

Cheers

JamesDS
0
 
GargantubrainCommented:
Well actually Active Directory domains are two-way transitive trusts. So the whole forest trusts itself. The handshake can take longer without additional short-cut trusts created but it will work.
0
 
GargantubrainCommented:
Now that I think about it, the client on the outside of the VPN may not be able to make all of the kerberos handshakes if it can't contact each domain. I was initially speaking from the standpoint of a client that is in the network.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.