Domain trust: how to pass authorization requests through local domain controller

Piotr Chmielewski 0 Reputation points
2023-03-17T09:51:16.5533333+00:00

Hi,

I have created 2 domains: A and B. There is a one-way trust established, so users from domain B can log in to the machines in domain A. We have forward lookup zones created on both domains that pass DNS requests to the master servers in the other domain, as described in the manuals.
Unfortunately, when logging in to machines in domain A using accounts from domain B, the machines try to directly ask the controllers in domain B for authorization, which is not acceptable. How can I make my machines in domain A ask their own domain controller to pass their authorization request through to the domain controllers in domain B?
Basically, I do not want desktops from domain A to have direct access to the controllers in domain B.

Active Directory

1 answer

  1. Thameur-BOURBITA 32,641 Reputation points
    2023-03-18T22:45:53.2033333+00:00

    Hi @Piotr Chmielewski

    > How can I make my machines in domain A ask their own domain controller to pass their authorization request through to the domain controllers in domain B?

    Unfortunately it's not possible, because when you try to log on with a user from domain B on a computer from domain A, the DC locator process will automatically try to find the closest domain controller in domain B (the user's domain).

    During the authentication process of user B on a computer in domain A, a DNS request will be sent to resolve the SRV record `_ldap._tcp.<Computer Site Name>._sites.dc._msdcs.<User Domain>.com` in order to find the closest domain controller in domain B. If DNS doesn't find any domain controller, the client will send another DNS request to resolve the SRV record `_ldap._tcp._sites.dc._msdcs.<User Domain>.com` and get the list of domain controllers in domain B.

    To get more details about the DC locator process between trusted domains, please read the following article: Domain Locator Across a Forest Trust

    Please don't forget to mark the helpful answer as accepted.

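The lookups described in the answer can be reproduced from a domain A workstation, which is the practical way to see exactly which domain B controllers and ports a cross-domain logon depends on before any firewall rule is written. The script below is an added example, not code from the original question or answer: it builds the site-specific and domain-wide DC locator SRV names for the trusted domain, resolves them with `Resolve-DnsName`, checks TCP reachability of the returned controllers on the Kerberos, LDAP and SMB ports, and finally asks `nltest` which controller the locator actually selected. The domain name `domainB.example` is a placeholder; the site name is read from the local machine.

```powershell
# Added example (not from the original post). Run on a workstation joined to domain A.
# $UserDomain is a placeholder for the trusted domain whose users log on here.
$UserDomain = 'domainB.example'

# The client's own AD site; the locator uses it to build the site-specific SRV name.
# nltest /dsgetsite prints the site name on its first output line.
$ClientSite = (nltest /dsgetsite | Select-Object -First 1).Trim()

# First lookup the locator tries: DCs of the user's domain that cover the client's site.
$siteRecord   = "_ldap._tcp.$ClientSite._sites.dc._msdcs.$UserDomain"
# Fallback lookup: every DC in the user's domain (domain-wide record).
$domainRecord = "_ldap._tcp.dc._msdcs.$UserDomain"

function Get-DcSrvTargets {
    param([string]$Name)
    # Resolve-DnsName also returns glue A records; keep only the SRV entries.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Test-DcReachability {
    param([string]$DcName)
    # Ports a cross-domain logon needs to reach on the user's DC: Kerberos, LDAP, SMB.
    foreach ($port in 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $DcName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $DcName; Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

Write-Host "Site-specific record: $siteRecord"
$targets = Get-DcSrvTargets -Name $siteRecord
if (-not $targets) {
    Write-Host "No site-specific DCs found; falling back to $domainRecord"
    $targets = Get-DcSrvTargets -Name $domainRecord
}
$targets | Format-Table -AutoSize

# Reachability of each candidate DC on the ports the logon uses.
$targets | ForEach-Object { Test-DcReachability -DcName $_.NameTarget } | Format-Table -AutoSize

# Which DC the locator on this machine actually picks (forces a fresh discovery).
nltest /dsgetdc:$UserDomain /force
```

If the site-specific query returns nothing while the domain-wide one does, the client's site has no coverage in domain B's site topology, so the locator may pick any DC in the trusted domain; covering the site (or adding a domain B DC near the domain A clients) is what narrows the set of controllers the workstations must be allowed to reach.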