Group policy failing to apply in DMZ with one way trust

Conor Lynch 1 Reputation point
2020-11-30T12:41:34.563+00:00

Hi All,
I'm trying to avoid having to put an RODC in our perimeter network, and don't want to open RPC ports from our application servers in the DMZ to DCs in our internal network either.
Users on our internal domain, let's call this internal.com, need to log into servers in our DMZ domain, dmz.com. We have a one-way trust in place where dmz.com trusts internal.com. The users authenticate okay as we have followed the standard firewall rules between the DCs in dmz.com and DCs in internal.com.
The problem is, group policies from internal.com are not applying to internal.com users when they log into the application servers in dmz.com. I can see from the logs that RPC is failing, and on the firewall I can see RPC is blocked from the application servers to DCs in internal.com. All traffic from the DCs in either domain is working okay.
Is there a way to make the servers in the DMZ get the group policies for internal.com through the DCs in the DMZ? I'm trying to avoid putting an RODC on the perimeter network, as a copy of AD in the perimeter network is never a good idea, and opening RPC port 135 between servers in the DMZ and DCs on the internal network can't be good either.

Will it be a matter of picking the lesser of 2 evils?


2 answers

  1. Fan Fan 15,336 Reputation points Microsoft Vendor
    2020-12-01T02:33:34.66+00:00

    Hi,

    Based on my research:
    When applying user policy, the client needs to make LDAP queries to the domain in the remote forest and read the SYSVOL share from a DC in the user's domain.
    So user policy from internal.com cannot be applied through the DCs in the DMZ alone.
    When applying policy across a forest trust, you also need to enable the "Allow cross-forest user policy and roaming user profiles" policy setting in the trusting domain.

    Best Regards,

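As an added example (not part of the thread), the following PowerShell checks the two prerequisites named in the answer above from a dmz.com application server: whether the internal.com DCs that the Group Policy client would locate are reachable on LDAP (389), SMB/SYSVOL (445) and the RPC endpoint mapper (135), and whether the cross-forest user policy setting has actually reached the server. The domain name is the placeholder from the question; the registry location is where that Group Policy setting is stored once applied.

```powershell
# Added example, not from the original post. Run on the dmz.com application
# server as a local administrator. 'internal.com' is the placeholder used in
# the question; replace it with the real trusted domain name.
$UserDomain = 'internal.com'

# User policy needs LDAP to a DC in the *user's* domain and SMB to its SYSVOL.
# The DCs in dmz.com cannot proxy either, so these must be open from the
# application server itself, not just from the dmz.com DCs.
$Ports = [ordered]@{ 'LDAP' = 389; 'SMB (SYSVOL)' = 445; 'RPC endpoint mapper' = 135 }

# Locate the user's DCs the same way the Group Policy client does: via the
# _ldap SRV record for the domain. Extra A records in the answer are filtered out.
$Dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$UserDomain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

foreach ($dc in $Dcs) {
    foreach ($entry in $Ports.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
        '{0,-30} {1,-22} {2,5}  {3}' -f $dc, $entry.Key, $entry.Value,
            $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# "Allow cross-forest user policy and roaming user profiles" is stored here
# once the GPO carrying it has applied to this server. If the value is absent
# or 0, Windows processes user settings in loopback Replace mode from the
# computer's own dmz.com scope instead of from the user's internal.com GPOs.
$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$Name = 'AllowX-ForestPolicy-and-RUP'
$Val  = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
'{0} = {1}' -f $Name, $(if ($null -eq $Val) { 'not set' } else { $Val })
```

If every row for port 135 and 389/445 reads BLOCKED, the symptom in the question (RPC failures in the logs, no internal.com user policy) is fully explained: enabling the cross-forest setting only tells the client to try; it does not remove the need for the application server to reach the internal.com DCs. Confirm the client-side view with `gpresult /r /scope:user` while logged on as an internal.com user.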

  2. Thameur-BOURBITA 32,986 Reputation points
    2020-12-01T02:54:15.207+00:00

    Hi,

    You can create a GPO with the same GPO settings in the internal domain if the network flows are blocked and there is no DC in the DMZ zone.

    Please don't forget to mark this reply as the answer if it helps you fix your issue.

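As an added example of the duplicate-the-GPO approach (this is not code from the answer above, and it reads that answer as "put a copy of the settings where the DMZ servers can fetch them"), the following exports the relevant GPO from internal.com and imports it into dmz.com, the domain whose DCs the application servers can actually reach. The GPO names, the staging share and the OU are assumptions; the domain names are the placeholders from the question.

```powershell
# Added example, not from the thread. internal.com and dmz.com are the
# placeholders from the question; the GPO names, share and OU are assumed.
Import-Module GroupPolicy

# 1) On a management host that can reach the internal.com DCs:
#    export the GPO whose user settings should follow the users into the DMZ.
$BackupPath = '\\mgmt01\gpo-transfer'                      # assumed staging share
Backup-GPO -Name 'Internal Users - Desktop Lockdown' -Domain 'internal.com' `
           -Path $BackupPath -Comment 'copy for dmz.com application servers'

# 2) On a management host in dmz.com (after copying the backup folder across
#    the firewall by whatever file-transfer path is already allowed):
$TargetGpo = 'DMZ App Servers - User Settings'
Import-GPO -BackupGpoName 'Internal Users - Desktop Lockdown' -Path $BackupPath `
           -Domain 'dmz.com' -TargetName $TargetGpo -CreateIfNeeded | Out-Null

# Anything in the source GPO that names internal.com security principals or
# internal UNC paths will not resolve in dmz.com. Either strip those settings
# before export or supply a migration table:
#   Import-GPO ... -MigrationTable "$BackupPath\internal-to-dmz.migtable"

# 3) Link the copy to the OU holding the application servers. With cross-forest
#    user policy not enabled, Windows applies the user settings of GPOs in the
#    *computer's* scope to the logging-on internal.com users (loopback Replace),
#    which is exactly what makes this copy take effect for them.
New-GPLink -Name $TargetGpo -Target 'OU=AppServers,DC=dmz,DC=com' `
           -Domain 'dmz.com' -LinkEnabled Yes

# 4) Verify on one application server, logged on as an internal.com user:
#    gpupdate /force ; gpresult /r /scope:user
```

The trade-off is operational rather than network: the copy in dmz.com has to be kept in sync by hand (or by re-running the backup/import) whenever the internal.com GPO changes, but no RPC or LDAP path is opened from the DMZ servers to the internal DCs and no copy of the internal directory is placed in the perimeter.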
