
I have two Active Directory domains, A and B.

I have a Windows Server ws1 and a Windows Server ws2, both of which act as domain controllers of their respective domains (A and B).

I have a third Windows server ws3 on which a PowerShell script must be run periodically to perform reading operations on domain controller ws1 of A, process the data obtained from ws1 of A, and then perform writing operations on ws2 of B.

NB: Domain A and domain B do not have any type of trust (not even one-way). They are two domains kept deliberately segregated. The ws3 machine has visibility towards these machines but it is part of neither domain A nor domain B.

Is there an easy way to do it?

jfranz
  • How about inverting the process? Create a local account on ws3 and a shared directory. Make ws1 and ws2 write there using ws3's local account credentials to access the share. – vonPryz Dec 04 '20 at 20:43
  • @vonPryz Yes, I thought about it but it is not what I was asked for. This server ws3 must act as a machine that serves to synchronize these two domain controllers going to read the users of certain groups present in the ws1 DC to write them in the ws2 DC, then it needs to be able to query ldap / ldaps to both DCs – jfranz Dec 05 '20 at 09:35
  • Any suggestion? – jfranz Dec 07 '20 at 21:13

1 Answer

Depends on what you want to read -- file system or directory data.

File system: You can map a drive with "net use", process the data in the directory, then unmap the drive. You can supply a domain in the credentials -- e.g. net use x: \\ws1\share /user:DomainA\user S0m3th1ng and, when done, net use x: /d to unmap. Then net use x: \\ws2\share /user:DomainB\user S0m3th1ngE15e and net use x: /d ... I'd use a SecureString to stash the password for a real implementation.

Directory data: Most of the PowerShell ActiveDirectory cmdlets accept -Server and -Credential as options. As an example:

Get-ADGroupMember <groupname> -Server ws1.example.com -Credential (Get-Credential)
LisaJ
  • Thank you very much for your answer. So theoretically I just need to know the IPs of both Domain Controllers to which I want to connect, and in each of them I need to have a user who has read permissions for the DC I want to read from and write permissions for the DC I want to write to, then I can use the Active Directory module. Correct? – jfranz Dec 08 '20 at 15:24
  • Yup. I've had batch operation servers have to be out of the domain completely (I don't have to understand the security requirements, just have to follow them!) and used this approach to read/write against the Active Directory domain. I usually do a DNS lookup for the SRV records associated with a specific site instead of hard-coding domain controller hostnames (unless there are firewalls involved and I have to use a specific domain controller). – LisaJ Dec 08 '20 at 21:59
  • Perfect, that's just what I needed to know. I appreciate the advice on using SRV records (I will immediately check that the domain controllers have generated them correctly), so as not to use constants in the code. So I guess the last thing I have left to do is create two users, one in the DC I have to read from and one on the DC I have to write to, with the necessary permissions. Thanks – jfranz Dec 09 '20 at 09:32
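The approach from the answer and its comments, put together as an added example (this is not LisaJ's or the asker's code): the script on the non-domain-joined ws3 locates a DC in each domain from the `_ldap._tcp.dc._msdcs` SRV records, reads a group in A with one credential, and writes to a group in B with a separate credential. The domain names (a.example, b.example), group names (Sync-Source, Sync-Target), the credential file paths and the account names are assumed placeholders; the credentials are assumed to have been saved earlier on ws3 with `Get-Credential | Export-Clixml`, which stores the password as a DPAPI-protected SecureString readable only by the same user on the same machine.

```powershell
# Added example, not from the original answer. Assumes RSAT's ActiveDirectory module on ws3,
# that ws3 can resolve both domains' DNS, and that two least-privilege accounts exist:
#   DomainA\sync-reader  - read-only on the source group (saved as C:\sync\credA.xml)
#   DomainB\sync-writer  - delegated create-user / modify-members on the target OU and group
#                          (saved as C:\sync\credB.xml)
Import-Module ActiveDirectory

function Get-DomainController {
    param([Parameter(Mandatory)][string]$DnsDomain)
    # SRV lookup, as suggested in the comments, instead of hard-coding a DC hostname.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'SRV' } |
           Sort-Object Priority | Select-Object -First 1
    if (-not $srv) { throw "No DC SRV record found for $DnsDomain" }
    return $srv.NameTarget
}

$credA = Import-Clixml -Path 'C:\sync\credA.xml'   # DPAPI-bound to this user + machine
$credB = Import-Clixml -Path 'C:\sync\credB.xml'

$dcA = Get-DomainController -DnsDomain 'a.example'
$dcB = Get-DomainController -DnsDomain 'b.example'

# Read side: every cmdlet is pointed at the A DC with the A credential, since there is no trust.
$sourceUsers = Get-ADGroupMember -Identity 'Sync-Source' -Server $dcA -Credential $credA |
               Where-Object objectClass -eq 'user' |
               ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Server $dcA -Credential $credA }

# Write side: same pattern against the B DC with the B credential. sAMAccountName is the sync key.
foreach ($u in $sourceUsers) {
    try {
        $target = Get-ADUser -Identity $u.SamAccountName -Server $dcB -Credential $credB
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Create the account disabled so nothing in B becomes usable until someone enables it.
        $target = New-ADUser -Name $u.Name -SamAccountName $u.SamAccountName -Enabled $false `
                             -Server $dcB -Credential $credB -PassThru
    }
    Add-ADGroupMember -Identity 'Sync-Target' -Members $target -Server $dcB -Credential $credB
}
```

Because ws3 is in neither domain, every read and write is authenticated explicitly against the named DC, so both domains log the sync traffic under the dedicated account rather than a machine identity.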