This is a simplification and the names have been changed to protect the innocent.
The assets:
Active Directory Domains
corp.lan
saas.lan
User accounts
user01@corp.lan
user02@corp.lan
Servers
dc.corp.lan (domain controller)
dc.saas.lan (domain controller)
server.saas.lan
A one way trust exists between the domains so user accounts in corp.lan and log into servers in saas.lan
No firewall between dc.corp.lan and dc.saas.lan
server.saas.lan is in a firewalled zone and a set of rules exist so it can talk to dc.saas.lan
I can log into server.saas.lan with user01@corp.lan - But I don't understand how it works. If I watch firewall logs, I see a bunch of login chatter between server.saas.lan and dc.saas.lan
I also see a bunch of DROPPED chatter between server.saas.lan and dc.corp.lan. Presumably, this is because server.saas.lan is trying to authenticate user01@corp.lan But no firewall rule exists that allows communication between these hosts.
However, user01@corp.lan can log in successfully to server.saas.lan - Once logged in, I can "echo %logonserver%" and get \\dc.corp.lan.
So.... I am a little confused how the account actually gets authenticated. Does dc.saas.lan eventually talk to dc.corp.lan after server.saas.lan can't talk to dc.corp.lan?
Just trying to figure out what needs to be changed/fixed/altered.
The assets:
Active Directory Domains
corp.lan
saas.lan
User accounts
user01@corp.lan
user02@corp.lan
Servers
dc.corp.lan (domain controller)
dc.saas.lan (domain controller)
server.saas.lan
A one way trust exists between the domains so user accounts in corp.lan and log into servers in saas.lan
No firewall between dc.corp.lan and dc.saas.lan
server.saas.lan is in a firewalled zone and a set of rules exist so it can talk to dc.saas.lan
I can log into server.saas.lan with user01@corp.lan - But I don't understand how it works. If I watch firewall logs, I see a bunch of login chatter between server.saas.lan and dc.saas.lan
I also see a bunch of DROPPED chatter between server.saas.lan and dc.corp.lan. Presumably, this is because server.saas.lan is trying to authenticate user01@corp.lan But no firewall rule exists that allows communication between these hosts.
However, user01@corp.lan can log in successfully to server.saas.lan - Once logged in, I can "echo %logonserver%" and get \\dc.corp.lan.
So.... I am a little confused how the account actually gets authenticated. Does dc.saas.lan eventually talk to dc.corp.lan after server.saas.lan can't talk to dc.corp.lan?
Just trying to figure out what needs to be changed/fixed/altered.