Hi All,
I'm trying to avoid having to put an RODC in our perimeter network, and don't want to open RPC ports from our application servers in the DMZ to DCs in our internal network either.
Users on our internal domain, let's call this internal.com, need to log into servers in our DMZ domain, dmz.com. We have a one-way trust in place where dmz.com trusts internal.com. The users authenticate okay as we have followed the standard firewall rules between the DCs in dmz.com and DCs in internal.com.
The problem is, group policies from internal.com are not applying to internal.com users when they log into the application servers in dmz.com. I can see from the logs that RPC is failing, and on the firewall I can see RPC is blocked from the application servers to DCs in internal.com. All traffic from the DCs in either domain is working okay.
Is there a way to make the servers in the DMZ get the group policies for internal.com through the DCs in the DMZ? I'm trying to avoid putting an RODC on the perimeter network; a copy of AD in the perimeter network is never a good idea, and opening RPC port 135 between servers in the DMZ and DCs on the internal network can't be good either.
Will it be a matter of picking the lesser of 2 evils?