Channel: Directory Services forum
DMZ, 1 way trust and RODCs

Quick description of the setup - 

Internal forest/domain - internal.local

dmz forest/domain - external.local

There's a 1 way trust where external trusts internal. There are also RODCs for internal that sit in the DMZ. There is a site set up that includes the subnets that make up the DMZ and the RODCs are in that site. I have a group policy that adds a group from internal.local to the local administrators group for every server joined to external.local. This works and I can log in with an internal.local account.

The issue is that when I try to manually add a group/account from the internal.local domain to a group on a member server in external.local, it takes a very long time to get the list of domains you can select. Then trying to search internal.local only returns results a small fraction of the time. And even when it returns results, I can never actually add the account. It says the domain cannot be contacted.

Running Wireshark is showing that the external.local member server is trying to make CLDAP connections to every internal.local domain controller and not going through the RODC. Is there some other configuration I have to make so that it uses the RODCs to search AD?

Thanks,

Rich
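The following is an added diagnostic script, not part of Rich's post, for checking what the DC locator on the external.local member server actually resolves for the trusted domain before touching the trust or the RODC placement. It uses only built-in tooling (`nltest`, `Resolve-DnsName`, and optionally the RSAT `ActiveDirectory` module). The domain names come from the thread; the site name `DMZ` is an assumption and must be replaced with the real site that holds the RODCs.

```powershell
# Added diagnostic example (not from the original post). Run on the
# external.local member server that is failing to contact internal.local.
$TrustedDomain = 'internal.local'
$DmzSite       = 'DMZ'   # assumption: replace with the site that contains the RODCs

# 1. What does the locator return for the trusted domain right now?
#    /force bypasses the cached result so the output reflects a fresh CLDAP ping.
#    Compare the returned DC and "Our Site Name" / "Dom Site Name" with what you expect.
nltest /dsgetdc:$TrustedDomain /force

# 2. Which site does this host think it belongs to? The site name the client
#    uses comes from its own (external.local) domain, so if it does not match the
#    site name defined in internal.local, the site-specific DNS lookup in step 3
#    finds nothing and the client falls back to the generic records in step 4,
#    i.e. it pings every writable DC in internal.local.
nltest /dsgetsite

# 3. Site-specific SRV records for the trusted domain. Only DCs that registered
#    for this site (the RODCs) should be listed here. Any other DC that appears
#    is covering the site via Automatic Site Coverage.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$DmzSite._sites.dc._msdcs.$TrustedDomain"

# 4. Generic SRV records: the full fallback list of DCs the client may try.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$TrustedDomain"

# 5. Optional, needs RSAT: ask the locator for a DC in the trusted domain scoped
#    to the DMZ site. If this returns a writable DC from the internal site rather
#    than the RODC, the site/subnet mapping on the internal.local side is the
#    first place to look.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADDomainController -Discover -DomainName $TrustedDomain -SiteName $DmzSite -ForceDiscover
}
```

Read the four outputs together: step 2 tells you the site name the client presents, step 3 tells you whether that name resolves to the RODCs in internal.local DNS, and step 1 tells you which DC the locator actually picked. If the site name from step 2 has no matching `_sites` records in step 3, the CLDAP pings to every internal.local DC seen in Wireshark are the expected fallback behaviour, and the fix is in site and subnet configuration rather than on the RODCs themselves.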

