
I have a DC in a DMZ where I can easily look up domain accounts from our internal domain under the NTFS permissions if I try to add users/groups to a folder's NTFS permissions while logged in to the DMZ DC. However, member servers in the same DMZ are unable to return any internal domain accounts when I click "Check Names" on NTFS folder permissions. I have done all the troubleshooting I can think of: ping is OK, and a port query from the DMZ servers (both the DMZ DC and the member servers) returns the same open ports. At this point I'm not entirely sure where and why the member servers aren't returning any internal domain accounts while the DMZ DC does. Is there a group policy I should be looking at? Where? On the internal domain DC or the DMZ DC? Any ideas and thoughts are welcome. I ruled out trust issues because the DMZ DC seems fine.

Thinking about it, we have 2 domain forests: the primary domain (D1) and the DMZ domain (D2). We have an outgoing trust from the DMZ domain (D2) to the primary domain (D1), which implies the DMZ trusts our primary domain and not the other way round. I think from the security perspective this is how it is supposed to be set up. My understanding is that domain users in D1 can have access to the resources in D2 (DMZ) and not vice versa. If my understanding is correct, then it explains why a D2 server cannot resolve any D1 domain account. But why is the DC in the DMZ (D2) able to see D1 domain accounts? Based on the way we have the TRUST set up, ideally the DC in the DMZ should be restricted from having access to the D1 domain, correct? Is there a special configuration to allow only the DC in the DMZ to have access to the resources in the D1 domain and not any other member server in the DMZ? ...just been thinking about it.

Just FYI - we have forest-wide authentication and not selective authentication.

  • Run a packet capture on one of the affected servers when you perform the lookup and then analyze the capture. That should give you some clues. – joeqwerty Feb 22 '21 at 21:29
  • Wireshark reports connections to and from source to destination, very much similar to what I found using the portquery command. Not much in there to guide me to the solution. – Saliu Maama Feb 22 '21 at 23:00
  • I ran Microsoft Network Monitor 3.4 on the DMZ member server; unfortunately it did not capture any traffic related to clicking "Check Names". I guess it isn't treating it as network-related traffic. Anything I'm doing wrong? – Saliu Maama Feb 23 '21 at 19:34
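An added diagnostic script (not from the poster or the thread) that reproduces what "Check Names" does from a D2 member server and shows the trust as D2 sees it. It assumes RSAT (the ActiveDirectory module) is installed on the member server and uses placeholders for the D1 NetBIOS name, its DNS name and a test account.

```powershell
# Added example, not part of the original question.
# Placeholders: 'D1' is the internal forest's NetBIOS name, 'd1.example' its DNS name,
# 'someuser' any account that exists in D1.
Import-Module ActiveDirectory          # assumption: RSAT installed on this member server

$TrustedNetbios = 'D1'
$TrustedDns     = 'd1.example'
$TestAccount    = "$TrustedNetbios\someuser"

# 1. How D2 sees the trust. 'Outbound' from D2 means D2 trusts D1, i.e. D1
#    principals may be granted access to D2 resources, matching the post's setup.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 2. Secure-channel view: every domain this machine's domain knows about.
nltest /domain_trusts /all_trusts

# 3. The same name-to-SID translation the object picker performs on "Check Names".
#    On the DMZ DC this succeeds; on an affected member server it is expected to fail.
try {
    $sid = ([System.Security.Principal.NTAccount]$TestAccount).Translate(
               [System.Security.Principal.SecurityIdentifier])
    "Resolved $TestAccount -> $sid"
} catch {
    "Lookup failed for $TestAccount : $($_.Exception.Message)"
}

# 4. Can this host locate a D1 DC (DNS SRV) and reach the ports the lookup needs?
#    88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDns" -Type SRV |
    Select-Object Name, NameTarget, Port
foreach ($port in 88, 135, 389, 445) {
    Test-NetConnection -ComputerName $TrustedDns -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Running steps 3 and 4 on the DMZ DC and on an affected member server side by side shows whether the difference lies in name-to-SID translation, DNS location of D1 DCs, or reachability of a specific port.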
