Start Free TrialLog in
Avatar of Mattia Minervini
Mattia MinerviniFlag for Italy

asked on 

INTER FOREST TRUST, STRANGE FLOW FOR AUTHENTICATION

Hi all
i try to explain our scenario
i have two SITE, SITE "A" and SITE "B" connected in vpn.


On the first SITE "A"
- DOMAIN SERVER MICROSOFT AD "domainRED" with FSMO
- DOMAIN SERVER MICROSOFT AD " domainRED" secondary
- DOMAIN SERVER MICROSOFT AD "domainGREEN" with FSMO

On the second SITE "B"
- DOMAIN SERVER MICROSOFT AD "domainRED" read only domain controller
- DOMAIN SERVER MICROSOFT AD "domainRED" with a second read only domain controller (for redundancy)
- DOMAIN SERVER MICROSOFT AD " domainGREEN" secondary
- ERP SERVER with client server application on "domainGREEN"
- Pc client (about 20) on "domainRED" with client of ERP SERVER

NOTE1
beetwen "domainRED" and "domainGREEN" there is an UNIDIRECTIONAL INTER FOREST TRUST
"domainGREEN" outbound trust on "domainRED"
"domainRED" inbound trust on "domainGREEN"
This configuration is made in order to say :
USER JOHN.domainRED can open ERPFOLDER on ERPSERVER.domainGREEN
and it works


PROBLEM IS:
if we have vpn problem, pc client on SITE "B" failed to open ERP SERVER application on the same SITE
Seems request surf from SITE "B" to SITE "A"!
Seems an authentication problem, but on SITE B we have these 3 server:

- DOMAIN SERVER MICROSOFT AD "domainRED" read only domain controller
- DOMAIN SERVER MICROSOFT AD "domainRED" with a second read only domain controller (for redundancy)
- DOMAIN SERVER MICROSOFT AD " domainGREEN" secondary

just to avoid network request in VPN!
we thought that flow should be:
1) PCCLIENT on SITE "B" launch application ->
 2)read only domain controller on SITE"B" ask for trust  DOMAIN SERVER MICROSOFT AD " domainGREEN" secondary on SITE"B"
3) DOMAIN SERVER MICROSOFT AD " domainGREEN" secondary on SITE"B" replies OK
4) PC CLIENT can start application

Maybe porblem is read controller domain of domainRED ? (better a traditional secondaary domain with global catalogue and so on...?)
or problem can be DOMAIN SERVER MICROSOFT AD " domainGREEN" secondary on SITE"B" is not primary with FSMO?

How can i troubleshoot?
really thanks, sorry for my english, ask me for details
M


-
NetworkingActive DirectoryVPNPC
Avatar of undefined
Last Comment
Mattia Minervini
Avatar of Mattia Minervini
Mattia Minervini
Flag of Italy image

ASKER

just founded this

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754218(v=ws.10)?redirectedfrom=MSDN#BKMK_XDomAuthN

so RODC seems to be limited in cross domain request

but strange behavoiur is this:
from client i double click .exe link on ERP SERVER. i have error attached
but if i make \\ERPSERVER i can browse the folder containing Exe!

M
Avatar of Mattia Minervini
Mattia Minervini
Flag of Italy image

ASKER

sorry i'll paste here the attachment for error doubleclicking exe link
and sorry, this is in italian

############

Nome registro: Application
Origine:       Application Error
Data:          10/01/2020 17:33:00
ID evento:     1005
Categoria attività:(100)
Livello:       Errore
Parole chiave: Classico
Utente:        N/D
Computer:      PCCLIENT.domainRED.local
Descrizione:
Impossibile accedere al file  per uno dei motivi seguenti:  Si è verificato un problema relativo alla connessione di rete, al disco in cui è archiviato il file o ai driver di archiviazione installati nel computer oppure il disco è assente. Il programma wlab3.exe è stato chiuso a causa dell'errore.

Programma: wlab3.exe
File:

Il valore dell'errore è indicato nella sezione Dati aggiuntivi.
Azione utente
1. Aprire nuovamente il file. Potrebbe trattarsi di un problema temporaneo che si risolverà automaticamente rieseguendo il programma.
2. Se il file risulta comunque non accessibile e:
      - Si trova in rete, è necessario che l'amministratore della rete verifichi la presenza di eventuali problemi di rete e che sia possibile contattare il server.
      - Si trova in un disco rimovibile, ad esempio un disco floppy o un CD, verificare che il disco sia inserito correttamente nel computer.
3. Controllare e ripristinare il file system eseguendo CHKDSK. Per eseguire CHKDSK, fare clic sul pulsante Start, scegliere Esegui, digitare CMD, quindi scegliere OK. Al prompt dei comandi, digitare CHKDSK /F, quindi premere INVIO.
4. Se il problema persiste, ripristinare il file da una copia di backup.
5. Determinare se è possibile aprire altri file nello stesso disco. Se non è possibile, il disco potrebbe essere danneggiato. Se si tratta di un disco rigido, contattare l'amministratore o il fornitore dell'hardware del computer per ottenere assistenza.

Dati aggiuntivi
Valore errore: C00000C4
Tipo disco: 0
XML evento:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="49152">1005</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-01-10T16:33:00.843493500Z" />
    <EventRecordID>5925</EventRecordID>
    <Channel>Application</Channel>
    <Computer>PCCLIENT.domainRED.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>wlab3.exe</Data>
    <Data>C00000C4</Data>
    <Data>0</Data>
  </EventData>
</Event>

############
Avatar of Hemil Aquino
Hemil Aquino
Flag of United States of America image
Here are some tips for you.

1- VPN should not be the problem, as you know VPN does routing btw one network to another. (try pinging the server from the other end and see if you get a drop.

2- In my experience, I do not recommend RODC. Read-Only Domain Controller can bring buggy issues. If what you are trying to archive is a second domain as a (backup), and by the way, there's no such thing as "backup domain" anymore. What you are doing is adding another domain within the same forest and thus have another server for the catalog replication, as well as objects.

3- Check the logs, windows Event Viewer is your friend. find out why you are getting rejected while trying to authenticate.
ASKER CERTIFIED SOLUTION
Avatar of Mattia Minervini
Mattia Minervini
Flag of Italy image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Networking
Networking

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.

102K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
Ask the experts

  • "Invaluable tool for our organization"

    Josh Regalski

  • "Your help has saved me hundreds of hours of internet surfing."

    @fblack61

  • "Just a dang good service!"

    @golferski

  • "Worth every penny."

    Steve Hougom

  • "It’s been a life saver."

    Maria Halt

  • "Best support site I’ve seen!"

    Bob Schneider

  • "I would be lost without them."

    @fblack61

  • "Saved my job multiple times."

    Walt Forbes

  • "I love this site."

    Maria Duwe

  • "Friendly respectful help."

    Andrew Kowtalo

  • "Such top-notch experts."

    @magento

  • "The best money I have ever spent."

    @rwheeler23

  • "Beyond any comprehensible value"

    George Morris

  • "Invaluable tool for our organization"

    Josh Regalski

Read over 600 more reviews

TRUSTED BY

IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent