
Users from trusted domain unable to logon to machines

Hi,

We have a single forest, multiple domains (say australia.com, asia.com, europe.com and global.com) and multiple AD sites. We recently set up a new site in Singapore and for that we set up two DCs each for asia.com and global.com. A new AD site was created and also a new subnet. All our domains have two-way trusts. We have set up the firewall at our new site such that only DCs can communicate with DCs at our other sites.

Now, if our support staff in europe.com try to log on to any computer in Singapore, they are unable to log on and get a message that the domain does not exist or is unavailable. I believe with trusts in place, the AD pass-through authentication should enable the users in europe.com to log on to the machines in Singapore. I understand that with AD pass-through authentication, when a user in europe.com tries to log on to a machine in global.com in Singapore, a local DC at Singapore should pass that request to a DC in europe.com, a DC in europe.com then authenticates the user and passes the request back to the local DC in Singapore, which then allows the user to log on. I understand this from https://msdn.microsoft.com/en-us/library/cc237016.aspx.

However, this is not what is happening. The users from europe.com are able to log on only when the target machines to which they are connecting are allowed to communicate with DCs of their domains at the other sites. Do we really need to allow our machines in Singapore to communicate with the non-local DCs to allow users from non-local domains to log in?

Thanks,

sohfay
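
A connectivity check for the scenario in the post, added here as an example and not part of the original thread: run from a workstation in the new site, it resolves the DC locator records for the logging-on user's domain and reports which of those DCs the workstation can reach. `europe.com` comes from the post; the port list is an assumption (common AD client-to-DC TCP ports), and `Test-NetConnection` covers TCP only.

```powershell
# Added example; run from a workstation in the new site (e.g. Singapore).
# europe.com is the user domain from the post. The port list is an assumption:
# common AD client-to-DC TCP ports, not a statement of what the firewall permits.
param([string]$UserDomain = 'europe.com')

$ports = @(
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB' },
    @{ Port = 135; Name = 'RPC endpoint mapper' }
)

# 1. Can the workstation find DCs for the user's domain through DNS?
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$UserDomain" -Type SRV `
            -ErrorAction SilentlyContinue |
         Where-Object { $_.NameTarget })
if (-not $srv) {
    Write-Warning "No DC locator SRV records resolved for $UserDomain"
    return
}

# 2. Which of those DCs accept TCP connections from this workstation?
$results = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port `
                -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $dc
            Service   = $p.Name
            Port      = $p.Port
            Reachable = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 3. What does the DC locator itself return for that domain?
nltest "/dsgetdc:$UserDomain"
```

Comparing the output from a machine that is allowed to talk to the remote DCs with one that is not shows which blocked paths coincide with the "domain does not exist or is unavailable" message.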

