RDS Authentication and Domain Trust

  • Question

  • Hi, I have 2 domains, Domain Cust and Domain Cloud

    Domain Cloud has an RDS server and an AD server. AD has a trust set up with firewall rules to Domain Cust, which is working: Cust can contact Cloud without any problems.

    RDS is in its own area with firewall rules to Cloud. Cloud has some security groups which CUST accounts are members of.

    RDS has the same security groups with permission to log on.

    My understanding was that when a CUST user tries to log on, the Cloud domain checks if they are a member of a group and then tells RDS they are good to go, but I am getting an error on RDS saying the domain cannot be contacted. This suggests to me that the RDS servers need to be able to authenticate directly with the CUST domain. Is this correct? Do I need to open up firewall rules to allow the RDS servers to talk directly to the trusted CUST domain controllers to authenticate users?

    Thanks

    Monday, September 16, 2019 1:25 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    To better understand your question, please confirm the following information:

    1. What trust type did we set up? A two-way trust or a one-way trust between the two domains?

    2. According to "RDS is in its own area with firewall rules to Cloud. Cloud has some security groups which CUST accounts are members of", are these security groups Global security groups?

    3. According to "RDS has the same security groups with permission to log on", would you please describe it in detail?

    4. According to "My understanding was when a CUST user tries to log on", do we mean a user in the CUST domain logs on to a machine in the CUST domain, opens the mstsc window, types the IP of the RDS server and clicks connect?

    5. According to "but I am getting an error on RDS saying the domain cannot be contacted", do we mean the domain is the CUST domain or the Cloud domain?

    Meanwhile, if we turn off the firewall, do we still receive the error message?

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 17, 2019 6:23 AM
    Moderator
  • Hi, it is a one-way trust where the CUST domain has authority to use CLOUD domain resources.

    It's a domain local security group; this is the only type that will let me add users/groups from the trusted domain. The other types of groups don't give me the option to select the other domain.

    RDS has the groups allowed, so CUST users have permission to log in via RDS.

    The CUST users will browse to https://clouddomain.com/RDweb/ with their CUST credentials. However, the clouddomain.com servers are all in the CLOUD domain, with a trust to the CUST domain.

    So CLOUD users can log into RDS with no problem using their CLOUD credentials. However, if a CUST user tries to log on, we get a message saying it is unable to contact the domain. But a trust is in place and working, as my CUST admin account is able to log into the CLOUD domain controller (if I elevate its permissions to log onto that server).

    The CLOUD domain controller has firewall rules to allow it to connect to the CUST DC, but the RDS servers don't.

    I am trying to get the customer to disable the firewall rules, as I am pretty sure it will work; I just wanted to hear the opinion of experts on whether it SHOULD work like that.

    Thanks

    Tuesday, September 17, 2019 7:27 AM
  • Hi,

    With a one-way forest trust or external trust, I cannot add users in the other domain to any type of group in this domain.

    On the DC in the domain called a.com, we can see:

    On the DC in the domain called fabrikam.com, we can see:

    Only with a two-way trust can I add users in the other domain to a Domain local group in this domain.

    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    Thursday, September 19, 2019 6:11 AM
    Moderator
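The thread turns on two things a practitioner would verify before asking the customer to change firewall rules: which way the trust actually points as seen from the CLOUD side, and whether the RDS host can reach the CUST domain controllers at all. The following PowerShell is an added example written for this thread, not code posted by either participant or by Microsoft. It assumes it is run on the CLOUD-side RD Web / RD Session Host with the ActiveDirectory RSAT module installed, and uses `cust.example` as a placeholder for the CUST domain's DNS name; the function names are invented for this example.

```powershell
# Added example, not from the thread: read-only checks a defender runs on the
# CLOUD-side RD Web / RD Session Host before touching firewall rules.
# Assumptions (placeholders, not from the thread): the ActiveDirectory RSAT module
# is installed on this host, and 'cust.example' stands in for the CUST domain's name.
Import-Module ActiveDirectory

$TrustedDomain = 'cust.example'   # placeholder for the CUST domain FQDN

# 1. Trust as seen from this host's own domain (CLOUD). Direction is relative to the
#    queried domain: 'Outbound' means this domain trusts the target domain, so the
#    target's users can be granted access to resources here; 'Bidirectional' is a
#    two-way trust. TrustType distinguishes a forest trust from an external trust.
function Get-TrustSummary {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, Target
}

# 2. DC locator from this host. This is the lookup Windows performs whenever a
#    service on this host must reach a DC of the user's domain; for a Kerberos logon
#    of a CUST user, the AS exchange goes to a CUST KDC, not to a CLOUD DC.
function Test-TrustedDcLocator {
    param([string]$Domain = $TrustedDomain)
    & nltest.exe "/dsgetdc:$Domain"
}

# 3. TCP reachability from this host to every DC the trusted domain advertises in
#    DNS, on the ports a domain member needs: Kerberos 88, RPC endpoint mapper 135,
#    LDAP 389, SMB 445. 'Blocked' against every DC matches the "domain cannot be
#    contacted" symptom. RPC additionally uses the dynamic port range
#    (49152-65535 on Windows Server 2008 and later), which a single probe cannot prove.
function Test-TrustedDcPorts {
    param(
        [string]$Domain = $TrustedDomain,
        [int[]]$Ports = @(88, 135, 389, 445)
    )
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $dcs = $srv.NameTarget | Sort-Object -Unique
    foreach ($dc in $dcs) {
        foreach ($port in $Ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Result           = $(if ($r.TcpTestSucceeded) { 'Open' } else { 'Blocked' })
            }
        }
    }
}

Get-TrustSummary    | Format-Table -AutoSize
Test-TrustedDcLocator
Test-TrustedDcPorts | Format-Table -AutoSize
```

Two caveats when reading the output. First, if step 3 fails at the `Resolve-DnsName` call rather than at the port probes, the host cannot even resolve the trusted domain's SRV records, and conditional forwarders or DNS firewall rules are the thing to fix before any authentication traffic is considered. Second, whether the RDS host must reach CUST DCs directly depends on the protocol in play: Kerberos sends the user's initial ticket request to the user's own domain, whereas NTLM pass-through authentication travels from the member server to its own (CLOUD) DC, which forwards it over the trust. The probe tells you what is reachable; the logon protocol the RDS role uses decides whether that reachability is required.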
  • Hi,
    Has this question had any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Monday, September 23, 2019 10:15 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns, please don't hesitate to let us know.

    Again, thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Wednesday, September 25, 2019 3:50 AM
    Moderator