@Fan Fan - I ran Microsoft Network Monitor 3.4 on the DMZ member server; unfortunately, it did not capture any traffic related to clicking Check Names. I guess it isn't treating it as network-related traffic. Am I doing anything wrong?
Thinking about it, we have 2 domain forest - primary domain (D1) and the DMZ domain (D2). We have an outgoing trust from the DMZ domain (D2) to the primary domain (D1), which implies the DMZ trusts our primary domain and not the other way round. I think from the security perspective this is how it is supposed to be set up. My understanding is that domain users in D1 can have access to the resources in D2 (DMZ) and not vice versa. If my understanding is correct, then it explains why a D2 server cannot resolve any D1 domain account. But why is the DC in the DMZ (D2) able to see D1 domain accounts? Based on the way we have the trust set up, ideally the DC in the DMZ should be restricted from having access to the D1 domain, correct? Is there a special configuration to allow only the DC in the DMZ to have access to the resources in the D1 domain and not any other member server in the DMZ? Just been thinking about it.
Just FYI - we have forest-wide authentication and not selective authentication.