DMZ Member Servers unable to return or authenticate internal domain accounts

Sal Maama 1 Reputation point
2021-02-22T22:58:02.193+00:00

I have DC in a DMZ where I can easily look up domain accounts from our internal domain under the NTFS permission if I tried to add users/groups to folder NTFS permission whiles logged in to the DMZ DC. However, member servers in the same DMZ are unable to return any internal domain accounts when I clicked "Check Names" on NTFS folder permissions. I have done all the troubleshooting I can think of: ping is ok, port query from DMZ servers (both DMZ DC and members servers) return same open ports. At this point I'm not entirely sure where and why the member servers aren't returning any internal domain account whiles the DMZ DC does. Is there a group policy I should be looking at ? where ? on the internal domain DC or DMZ DC? Any ideas and thought are welcome. I ruled out trust issues because DMZ DC seems fine.

Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
2,137 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
4,321 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Fan Fan 15,191 Reputation points
    2021-02-23T02:07:39.077+00:00

    Hi,
    Since not clear with your perimeter network environment, it is different to guess what happened.
    In this situation , i would suggest you use the network monitor tool to get more details when you check the names on the member server.

    Best Regards,

    0 comments No comments

  2. Sal Maama 1 Reputation point
    2021-02-23T19:33:41.713+00:00

    @Fan Fan - I run Microsoft Network Monitor3.4 on the DMZ member server, unfortunately it does not captured any traffic related to the clicking of the Check names. I guess it isn't treating it as network related traffic. Anything I'm doing wrong ?

    Thinking about it, we have 2 domain forest - primary domain (D1) and the DMZ domain (D2). We have outgoing trust from the DMZ domain (D2) to primary domain (D1) which implies DMZ trust our primary domain and not the other way round. I think from the security perspective this is how it is supposed to be set up. My understanding is that domain Users in D1 can have access to the resources in D2(DMZ) and not vice versa. If my understanding is correct, then it explains why D2 server cannot resolve any D1 domain account. But why is DC in the DMZ (D2) able to see D1 domain account ? Based on the way we have the TRUST set up, ideally the DC in the DMZ should be restricted from having access to the D1 domain, correct? Is there a special configuration to allow only DC in the DMZ to have access to the resources in the D1 domain and not any other member server in the DMZ...just been thinking about it

    Just FYI - We have Forest-wide authentication and not selective authentication