
INTER FOREST TRUST, STRANGE FLOW FOR AUTHENTICATION

Last Modified: 2020-05-03
Hi all,
I'll try to explain our scenario.
I have two sites, SITE "A" and SITE "B", connected via VPN.


On the first SITE "A"
- DOMAIN SERVER MICROSOFT AD "domainRED" with FSMO
- DOMAIN SERVER MICROSOFT AD "domainRED" secondary
- DOMAIN SERVER MICROSOFT AD "domainGREEN" with FSMO

On the second SITE "B"
- DOMAIN SERVER MICROSOFT AD "domainRED" read only domain controller
- DOMAIN SERVER MICROSOFT AD "domainRED" with a second read only domain controller (for redundancy)
- DOMAIN SERVER MICROSOFT AD "domainGREEN" secondary
- ERP SERVER with client server application on "domainGREEN"
- PC clients (about 20) on "domainRED" with the client of the ERP SERVER

NOTE1
between "domainRED" and "domainGREEN" there is a UNIDIRECTIONAL INTER FOREST TRUST
"domainGREEN" outbound trust on "domainRED"
"domainRED" inbound trust on "domainGREEN"
This configuration is made in order to say:
USER JOHN.domainRED can open ERPFOLDER on ERPSERVER.domainGREEN
and it works


PROBLEM IS:
if we have a VPN problem, the PC clients on SITE "B" fail to open the ERP SERVER application on the same SITE.
It seems the request goes from SITE "B" to SITE "A"!
It seems an authentication problem, but on SITE "B" we have these 3 servers:

- DOMAIN SERVER MICROSOFT AD "domainRED" read only domain controller
- DOMAIN SERVER MICROSOFT AD "domainRED" with a second read only domain controller (for redundancy)
- DOMAIN SERVER MICROSOFT AD "domainGREEN" secondary

just to avoid network requests over the VPN!
We thought the flow should be:
1) PCCLIENT on SITE "B" launches the application ->
2) the read only domain controller on SITE "B" asks, through the trust, DOMAIN SERVER MICROSOFT AD "domainGREEN" secondary on SITE "B"
3) DOMAIN SERVER MICROSOFT AD "domainGREEN" secondary on SITE "B" replies OK
4) the PC CLIENT can start the application

Maybe the problem is the read only domain controller of domainRED? (better a traditional secondary domain with global catalogue and so on...?)
Or can the problem be that DOMAIN SERVER MICROSOFT AD "domainGREEN" secondary on SITE "B" is not primary with FSMO?

How can I troubleshoot?
Thanks a lot, sorry for my English, ask me for details.
M



Author

Commented:
just found this

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754218(v=ws.10)?redirectedfrom=MSDN#BKMK_XDomAuthN

so the RODC seems to be limited in cross domain requests

but the strange behaviour is this:
from the client I double click the .exe link on ERP SERVER. I have the error attached.
But if I type \\ERPSERVER I can browse the folder containing the exe!

M

Author

Commented:
sorry, I'll paste here the attachment for the error when double-clicking the exe link,
and sorry, this is in Italian

############

Nome registro: Application
Origine:       Application Error
Data:          10/01/2020 17:33:00
ID evento:     1005
Categoria attività:(100)
Livello:       Errore
Parole chiave: Classico
Utente:        N/D
Computer:      PCCLIENT.domainRED.local
Descrizione:
Impossibile accedere al file  per uno dei motivi seguenti:  Si è verificato un problema relativo alla connessione di rete, al disco in cui è archiviato il file o ai driver di archiviazione installati nel computer oppure il disco è assente. Il programma wlab3.exe è stato chiuso a causa dell'errore.

Programma: wlab3.exe
File:

Il valore dell'errore è indicato nella sezione Dati aggiuntivi.
Azione utente
1. Aprire nuovamente il file. Potrebbe trattarsi di un problema temporaneo che si risolverà automaticamente rieseguendo il programma.
2. Se il file risulta comunque non accessibile e:
      - Si trova in rete, è necessario che l'amministratore della rete verifichi la presenza di eventuali problemi di rete e che sia possibile contattare il server.
      - Si trova in un disco rimovibile, ad esempio un disco floppy o un CD, verificare che il disco sia inserito correttamente nel computer.
3. Controllare e ripristinare il file system eseguendo CHKDSK. Per eseguire CHKDSK, fare clic sul pulsante Start, scegliere Esegui, digitare CMD, quindi scegliere OK. Al prompt dei comandi, digitare CHKDSK /F, quindi premere INVIO.
4. Se il problema persiste, ripristinare il file da una copia di backup.
5. Determinare se è possibile aprire altri file nello stesso disco. Se non è possibile, il disco potrebbe essere danneggiato. Se si tratta di un disco rigido, contattare l'amministratore o il fornitore dell'hardware del computer per ottenere assistenza.

Dati aggiuntivi
Valore errore: C00000C4
Tipo disco: 0
XML evento:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="49152">1005</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-01-10T16:33:00.843493500Z" />
    <EventRecordID>5925</EventRecordID>
    <Channel>Application</Channel>
    <Computer>PCCLIENT.domainRED.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>wlab3.exe</Data>
    <Data>C00000C4</Data>
    <Data>0</Data>
  </EventData>
</Event>

############
Hemil Aquino, Network Security Engineer
Distinguished Expert 2018

Commented:
Here are some tips for you.

1- VPN should not be the problem; as you know, a VPN does routing between one network and another. (Try pinging the server from the other end and see if you get a drop.)

2- In my experience, I do not recommend RODC. A Read-Only Domain Controller can bring buggy issues. If what you are trying to achieve is a second domain as a (backup), and by the way, there's no such thing as a "backup domain" anymore. What you are doing is adding another domain within the same forest and thus having another server for the catalog replication, as well as objects.

3- Check the logs; Windows Event Viewer is your friend. Find out why you are getting rejected while trying to authenticate.
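As an added troubleshooting example (not code from the thread, the asker, or Microsoft), the PowerShell script below collects on a SITE "B" client the data that both the question ("How can I troubleshoot?") and the "check the logs" tip call for: which DC the locator picks for each domain and whether it is writable, which KDC actually issues the cross-forest referral ticket for domainGREEN, whether the local DCs and ERPSERVER are reachable without the VPN, and the Kerberos, Netlogon and Application Error events around the failure. PCCLIENT.domainRED.local and ERPSERVER come from the thread; the DNS name domainGREEN.local and the DC name DCA1.domainRED.local are assumptions. The Microsoft page linked above describes the RODC limitation for cross-domain authentication: an RODC does not hold the trust secrets, so the referral for the trusted forest has to be obtained from a writable domainRED DC, and in this layout the only writable domainRED DCs are on SITE "A". The referral check makes that path visible.

```powershell
# Added diagnostic script, not from the thread or from Microsoft.
# Run in PowerShell on a SITE "B" client, logged on as the user who launches
# the ERP client. Values marked "assumed" are placeholders.
$UserDomain      = 'domainRED.local'        # from the pasted event (PCCLIENT.domainRED.local)
$ResourceDomain  = 'domainGREEN.local'      # assumed DNS name of domainGREEN
$ErpServer       = 'ERPSERVER'              # from the thread
$SiteAWritableDc = 'DCA1.domainRED.local'   # assumed: a writable domainRED DC on SITE "A"

function Get-LocatedDc {
    # Ask the DC locator which DC the client uses for a domain. The Flags line
    # shows whether it is WRITABLE (an RODC is not) and in the client's site
    # (CLOSE_SITE). -Writable forces a writable DC, i.e. the one an RODC must
    # forward cross-forest referral requests to.
    param([string]$Domain, [switch]$Writable)
    $nlArgs = @("/dsgetdc:$Domain", '/force')
    if ($Writable) { $nlArgs += '/writable' }
    $out = & nltest.exe @nlArgs 2>&1 | Out-String
    [pscustomobject]@{
        Domain   = $Domain
        Writable = [bool]$Writable
        DC       = [regex]::Match($out, 'DC:\s*\\\\(\S+)').Groups[1].Value
        DcSite   = [regex]::Match($out, 'Dc Site Name:\s*(\S+)').Groups[1].Value
        OurSite  = [regex]::Match($out, 'Our Site Name:\s*(\S+)').Groups[1].Value
        Flags    = [regex]::Match($out, 'Flags:\s*(.+)').Groups[1].Value.Trim()
    }
}

function Get-KerberosReferral {
    # Purge the ticket cache, request the referral TGT for the trusted forest,
    # then read back which KDC issued each cached ticket. If the
    # krbtgt/domainGREEN referral was issued by a DC on SITE "A", the VPN is in
    # the authentication path even though both forests have DCs on SITE "B".
    param([string]$TargetRealm)
    & klist.exe purge | Out-Null
    & klist.exe get "krbtgt/$TargetRealm" | Out-Null
    $server = $null
    foreach ($line in (& klist.exe)) {
        if ($line -match 'Server:\s*(\S+)') { $server = $Matches[1] }
        elseif ($line -match 'Kdc Called:\s*(\S+)') {
            [pscustomobject]@{ Ticket = $server; KdcCalled = $Matches[1] }
        }
    }
}

function Test-SiteBPath {
    # Ports that must be reachable with the VPN down: Kerberos (88) on the
    # local DCs and SMB (445) on the ERP server. The SITE "A" writable DC is
    # tested only to show whether the client silently depends on it.
    $targets = @(
        @{ Host = (Get-LocatedDc $UserDomain).DC;     Port = 88  },
        @{ Host = (Get-LocatedDc $ResourceDomain).DC; Port = 88  },
        @{ Host = $ErpServer;                         Port = 445 },
        @{ Host = $SiteAWritableDc;                   Port = 88  })
    foreach ($t in $targets) {
        if (-not $t.Host) { continue }   # locator found nothing for that domain
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Open = $r.TcpTestSucceeded }
    }
}

function Get-AuthFailureEvents {
    # The pasted event (Application Error 1005, status C00000C4) is only the
    # symptom; the Kerberos client and Netlogon events around the same time
    # usually name the DC involved and the reason.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1005; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'NETLOGON'; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, ProviderName, Id,
                @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
    }
}

"== DC locator results =="
@(
    Get-LocatedDc $UserDomain
    Get-LocatedDc $UserDomain -Writable
    Get-LocatedDc $ResourceDomain
) | Format-Table Domain, Writable, DC, DcSite, OurSite, Flags -AutoSize

"== Kerberos referral path to $ResourceDomain =="
Get-KerberosReferral $ResourceDomain | Format-Table -AutoSize

"== Reachability from this client =="
Test-SiteBPath | Format-Table -AutoSize

"== Recent Kerberos / Netlogon / Application Error events =="
Get-AuthFailureEvents | Format-Table -Wrap
```

What to look for: in the first table the plain domainRED lookup should return one of the SITE "B" RODCs without the WRITABLE flag, while the -Writable lookup can only return a SITE "A" DC. In the referral table, the KDC named for the krbtgt/domainGREEN ticket is the DC that really serviced the cross-forest request; if it is the SITE "A" DC, that is the VPN dependency the question describes, and running the script once with the VPN up and once with it down shows the difference directly. The NTSTATUS C00000C4 in the pasted event is STATUS_UNEXPECTED_NETWORK_ERROR, which points at the network or SMB session to ERPSERVER rather than at the file itself, so the event list should be read together with the referral result rather than on its own.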